Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add (yubi)key authenticity validation #1364

Open
jku opened this issue Sep 5, 2024 · 1 comment
Open

Add (yubi)key authenticity validation #1364

jku opened this issue Sep 5, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@jku
Copy link
Member

jku commented Sep 5, 2024
edited
Loading

As part of the tuf-on-ci migration we're removing the "authenticity verification scripts" that prove that a cryptographic key is on an actual Yubikey (instead of being a non-hw key or a non-yubikey hardware key).

The feature might still make sense (even if I'm not fully convinced we should only ever require Yubikeys) so let's evaluate options:

  • we could write new code like the "verify key" command in the legacy root-signing -- note that this had the flaw that it did not actually verify that the keys in metadata were authentic, user had to compare private keys manually for that
  • more useful would be some level of integration into signing event:
    • If we want to enforce Yubikeys, then a workflow in the signing event should fail if a "authenticity proof" is missing for a key
    • accepting an invitation to become a signer should somehow include the authenticity proof -- even if it's just a request to add a file into the PR manually
  • There are two levels of possible integration I see:
    • the authenticity proof could be included in metadata: support PIV attestation secure-systems-lab/securesystemslib#623 (comment) -- this way the repository could always verify the authenticity easily and we would not have to maintain extra files that will inevitably go stale. The signers would not have to do anything, new keys would just automatically include the proof
    • or we could dump the authenticity proofs elsewhere -- separate directory in git like they used to be, or even just as a comment in the signing event. This means we make the verification just part of "new signer" process documentation, not part of automated tooling
  • yubico provides a web page https://www.yubico.com/genuine/ and tools (ykman piv keys attest 9c -) to do parts of this
@jku jku added the enhancement New feature or request label Sep 5, 2024
@jku jku mentioned this issue Sep 5, 2024
Merged
@jku
Copy link
Member Author

jku commented Sep 6, 2024
edited
Loading

yubico provides a web page https://www.yubico.com/genuine/ and tools (ykman piv keys attest 9c -) to do parts of this

Note to future me, what we are looking to verify is this:

for each non-kms key in metadata, get keyholder to somehow submit ykman piv keys attest 9c - attestation. Then

  1. verify that the key in the assertation ykman piv keys attest 9c - | openssl x509 -noout -text and the public key in metadata openssl ec -pubin -in $PUBKEY -noout -text are the same key (where $PUBKEY comes from metadata)
  2. verify that the assertation cert is part of the GitHub cert chain

The lowest effort, minimal integration way to do this might be:

  • ask new signers to add the assertation in a signing event comment
  • setup new workflow that reacts to signing event commits and runs a check on any assertation certs it sees, adds a comment to say which tuf key it is for

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jku