-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implements profile signing and verification [Experimental] #1228
Conversation
implements #966 |
@metadave Awesome work. I was thinking about #967 as well. Do we use the same file extensions for profiles and reports? Or we use specific extensions like: InSpec Signed Profile I like the current scope, but lets the feature mark as experimental. Distribution of valid keys is not part of this PR. |
@chris-rock I would suggest keeping signed reports and profiles separate, I like your suggestion: This might change the headers to:
|
👍 |
9ebb3ee
to
93467d2
Compare
|
8a4548a
to
38c37d9
Compare
Signed-off-by: Dave Parfitt <dparfitt@chef.io>
38c37d9
to
51378d3
Compare
Awesome work @metadave This is a great step forward to secure the execution and reporting of compliance profiles |
This PR is a prototype/work in progress of profile signing and verification.
It's most definitely NOT complete and has many TODOs and ideas that need to be worked out.
Demo:
bundle exec inspec artifact generate --keyname foo
bundle exec inspec artifact sign-profile --profile ./examples/profile-attribute/ --keyname foo
.iaf
file:bundle exec inspec artifact verify --infile profile-attribute-0.1.0.iaf --outfile bar.tar.gz
Notes:
Implementation notes here: https://gist.github.com/metadave/a11745db15fc1bc33a44719c5e3a026e
Installing artifacts
The current implementation allows for a .iaf file to be extracted to a .tar.gz
file with verification. We could extend the command to install a profile
to a given location w/ verification. (via lib/inspec/file_provider.rb)
Generate keys
The initial implementation uses 2048 bit RSA key pairs (public + private).
Public keys must be available for a customer to install and verify an artifact.
Private keys should be stored in a secure location and NOT be distributed.
(They're only for creating artifacts).
.IAF file format
.iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
The iaf file wraps a binary artifact with some metadata. The first implementation
looks like this:
Let's look at each line:
INSPEC-PROFILE-1
:This is the artifact version descriptor. It should't change unless the
format of the archive changes.
name_of_signing_key
The name of the public key that can be used to verify an artifact
algorithm
The digest used to sign, I picked SHA512 to start with.
If we support multiple digests, we'll need to have the verify() method
support each digest.
signature
The result of passing the binary artifact through the digest algorithm above.
Result is base64 encoded.
<empty line>
We use an empty line to separate artifact header from artifact body (binary blob).
The artifact body can be anything you like.
binary-blob
A binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
stick with it as part of the "INSPEC-1" artifact version. If we change block
format, the artifact version descriptor must be incremented, and the sign()
and verify() methods must be updated to support a newer version.
Key revocation
This implementation doesn't support key revocation. However, a customer
can remove the public cert file before installation, and artifacts will then
fail verification.
Key locations
This implementation uses the current working directory to find public and
private keys. We should establish a common key directory (similar to /hab/cache/keys
or ~/.hab/cache/keys in Habitat).
Extracting artifacts outside of Inspec
As in Habitat, the artifact format for Inspec allows the use of common
Unix tools to read the header and body of an artifact.
To extract the header from a .iaf:
sed '/^$/q' foo.iaf
To extract the raw content from a .iaf:
sed '1,/^$/d' foo.iaf
Here's a mini-demo of this feature:
NOTE: this screenshot is out of date, however the general idea is still the same