by SEJeff
3498 days ago
So FWIW, I asked about how Red Hat signs their packages some time ago (about 6-7 years ago!) and was introduced to Fedora's "Signing Server" service, which is entirely open source. The email in full is:

Hi Jeff, good to hear from you.

There are really two parts to our signing server; the first is the separation of signing to a separate machine with the associated client/server and ACL controls, and the second is the interface to the nCipher HSM. The first part we've not made open because it's quite specific to Red Hat internal build systems and our Kerberos setup.

The second part is mostly straightforward use of nCipher utilities but includes a patch to GnuPG which I was originally going to make public but came into difficulty because it requires headers from the nCipher developer kit, and linking to it, and it's under a very non-compatible license. Given the cost of nCipher HSM units we didn't think other projects would want that solution either.

So I'd actually prefer to point you to the work that has been done on a signing server for Fedora, which is open. See http://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

The Fedora folks looked into various hardware solutions too which were cheaper and didn't have the proprietary API issues. I can't find a link to that at the moment but Jesse Keating should be able to give you more info.

Hope that's a good starting point...

If anyone is interested, the project is actually named Sigul and is located at: https://fedorahosted.org/sigul/
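The first design point in the quoted email, keeping the signing keys on a dedicated host and gating every signing request behind an ACL, is easy to show in a few dozen lines. The following is an added illustration written for this page; it is not code from Sigul, Fedora or Red Hat, and it assumes an in-process Ed25519 key and a hard-coded ACL map as stand-ins for the HSM-backed GnuPG key and the Kerberos-authenticated principals the email describes. The principal and key names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNotAuthorized = errors.New("principal is not authorized for this key")
	ErrUnknownKey    = errors.New("no such signing key")
	ErrBadDigest     = errors.New("digest must be exactly 32 bytes (SHA-256)")
)

// SignRequest is all the build system sends to the signing host: the
// already-authenticated principal, the key it wants, and a digest of the
// artifact. The artifact itself and the private key never cross the boundary.
type SignRequest struct {
	Principal string
	KeyName   string
	Digest    []byte
}

// SigningServer holds private keys that never leave this process, plus an ACL
// mapping principals to the key names they may use. In the email's design the
// private half would sit inside the HSM; here (assumption) it is an Ed25519 key.
type SigningServer struct {
	keys map[string]ed25519.PrivateKey
	acl  map[string]map[string]bool
}

func NewSigningServer() *SigningServer {
	return &SigningServer{
		keys: map[string]ed25519.PrivateKey{},
		acl:  map[string]map[string]bool{},
	}
}

// AddKey generates a fresh key pair stored only on the server.
func (s *SigningServer) AddKey(name string) error {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	s.keys[name] = priv
	return nil
}

// Allow grants principal the right to request signatures under keyName.
func (s *SigningServer) Allow(principal, keyName string) {
	if s.acl[principal] == nil {
		s.acl[principal] = map[string]bool{}
	}
	s.acl[principal][keyName] = true
}

// PublicKey is the only key material the server ever hands out.
func (s *SigningServer) PublicKey(name string) (ed25519.PublicKey, error) {
	priv, ok := s.keys[name]
	if !ok {
		return nil, ErrUnknownKey
	}
	return priv.Public().(ed25519.PublicKey), nil
}

// Sign checks the ACL before it looks at any key, so an unauthorized caller
// learns nothing about which key names exist, then signs the digest.
func (s *SigningServer) Sign(req SignRequest) ([]byte, error) {
	if !s.acl[req.Principal][req.KeyName] {
		return nil, ErrNotAuthorized
	}
	priv, ok := s.keys[req.KeyName]
	if !ok {
		return nil, ErrUnknownKey
	}
	if len(req.Digest) != sha256.Size {
		return nil, ErrBadDigest
	}
	return ed25519.Sign(priv, req.Digest), nil
}

// Verify is the consumer side: recompute the digest and check the signature
// against the public key obtained from the signing host.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	srv := NewSigningServer()
	if err := srv.AddKey("release-key"); err != nil {
		panic(err)
	}
	srv.Allow("build-system", "release-key") // constructed principal and key names
	artifact := []byte("constructed sample package contents")
	d := sha256.Sum256(artifact)
	sig, err := srv.Sign(SignRequest{Principal: "build-system", KeyName: "release-key", Digest: d[:]})
	if err != nil {
		panic(err)
	}
	pub, _ := srv.PublicKey("release-key")
	fmt.Println("signature verifies:", Verify(pub, artifact, sig))
	_, err = srv.Sign(SignRequest{Principal: "someone-else", KeyName: "release-key", Digest: d[:]})
	fmt.Println("unauthorized request:", err)
}
```

The ordering of checks in Sign is deliberate: authorization is decided first, so a caller outside the ACL gets the same answer whether or not the key exists, and a request that fails any check never reaches the private key. The digest-length check also keeps a misbehaving client from asking the server to sign arbitrary data under the release key.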
https://blog.mozilla.org/security/2013/02/13/using-cryptosti...