Implements profile signing and verification [Experimental] #1228
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
implements #966 |
|
@metadave Awesome work. I was thinking about #967 as well. Do we use the same file extensions for profiles and reports? Or we use specific extensions like: InSpec Signed Profile I like the current scope, but lets the feature mark as experimental. Distribution of valid keys is not part of this PR. |
|
@chris-rock I would suggest keeping signed reports and profiles separate, I like your suggestion: This might change the headers to: |
|
👍 |
bookshelfdave
force-pushed
the
dp_signing
branch
from
9ebb3ee
to
93467d2
Compare
|
|
bookshelfdave
force-pushed
the
dp_signing
branch
3 times, most recently
from
8a4548a
to
38c37d9
Compare
Signed-off-by: Dave Parfitt <dparfitt@chef.io>
chris-rock
force-pushed
the
dp_signing
branch
from
38c37d9
to
51378d3
Compare
chris-rock
changed the title
|
Awesome work @metadave This is a great step forward to secure the execution and reporting of compliance profiles |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a prototype/work in progress of profile signing and verification.
It's most definitely NOT complete and has many TODOs and ideas that need to be worked out.
Demo:
bundle exec inspec artifact generate --keyname foobundle exec inspec artifact sign-profile --profile ./examples/profile-attribute/ --keyname foo.iaffile:bundle exec inspec artifact verify --infile profile-attribute-0.1.0.iaf --outfile bar.tar.gzNotes:
Implementation notes here: https://gist.github.com/metadave/a11745db15fc1bc33a44719c5e3a026e
Installing artifacts
The current implementation allows for a .iaf file to be extracted to a .tar.gz
file with verification. We could extend the command to install a profile
to a given location w/ verification. (via lib/inspec/file_provider.rb)
Generate keys
The initial implementation uses 2048 bit RSA key pairs (public + private).
Public keys must be available for a customer to install and verify an artifact.
Private keys should be stored in a secure location and NOT be distributed.
(They're only for creating artifacts).
.IAF file format
.iaf = "Inspec Artifact File", easy to rename if you'd like something more appropriate.
The iaf file wraps a binary artifact with some metadata. The first implementation
looks like this:
Let's look at each line:
INSPEC-PROFILE-1:This is the artifact version descriptor. It should't change unless the
format of the archive changes.
name_of_signing_keyThe name of the public key that can be used to verify an artifact
algorithmThe digest used to sign, I picked SHA512 to start with.
If we support multiple digests, we'll need to have the verify() method
support each digest.
signatureThe result of passing the binary artifact through the digest algorithm above.
Result is base64 encoded.
<empty line>We use an empty line to separate artifact header from artifact body (binary blob).
The artifact body can be anything you like.
binary-blobA binary blob, most likely a .tar.gz or tar.xz file. We'll need to pick one and
stick with it as part of the "INSPEC-1" artifact version. If we change block
format, the artifact version descriptor must be incremented, and the sign()
and verify() methods must be updated to support a newer version.
Key revocation
This implementation doesn't support key revocation. However, a customer
can remove the public cert file before installation, and artifacts will then
fail verification.
Key locations
This implementation uses the current working directory to find public and
private keys. We should establish a common key directory (similar to /hab/cache/keys
or ~/.hab/cache/keys in Habitat).
Extracting artifacts outside of Inspec
As in Habitat, the artifact format for Inspec allows the use of common
Unix tools to read the header and body of an artifact.
To extract the header from a .iaf:
sed '/^$/q' foo.iafTo extract the raw content from a .iaf:
sed '1,/^$/d' foo.iafHere's a mini-demo of this feature:
NOTE: this screenshot is out of date, however the general idea is still the same