New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security audit of remote signing #5
Comments
What does remote signing do? Can you get your app signed and notarized without an apple developer subscription? That would be a pretty cool service, I doubt apple would be happy about it |
A code signing service that allowed you to bypass Apple's Developer subscription requirements would almost certainly run afoul of Apple policies. This is not what I've implemented nor do I have plans to implement such a mechanism. |
I've been wanting to implement this feature for months. My initially conceived use case for this is enabling a low trust CI worker to delegate signing operations to a human using a hardware device for signing. But there are other similar use cases, such as a team of developers and only a few people have access to the signing key. This commit includes an implementation of the websocket server including a Terraform module to deploy it to AWS. I have this running in a personal account and it seems to be pretty stable. There is tons of documentation for the feature, including extensive documentation of the protocol and cryptosystem design. Since I rolled my own crypto here, my guess is there are some weaknesses with it. Issue #552 tracks having it audited by... someone. Until then, the docs have a giant warning about the potential for security issues. Even if there are critical weaknesses in the cryptosystem, signing requires presence of a signer. It's not like the private key is sitting around on a CI worker waiting to be exfiltrated by anyone who can run a PR or anyone with machine level access to those workers. So I'd like to think that even if there is a weakness here that other design choices limit the potential for danger. Of course, I still very much want the security to be sound! There's a ton of small paper cuts remaining with the implementation. Lots of small things we can do to improve security, like prompting for consent before signing operations, keeping a "transparency log" of signing operations, etc. But at this point I've probably spent ~30 hours on this feature and just want to get something merged. Partially implements #387.
I have an implementation of remote code signing almost ready to push.
I effectively implemented my own cryptosystem to implement this feature.
As I learned many years ago, one doesn't just roll their own cryptosystems.
So I'm filing this issue to track getting some kind of audit/review of the code so we have confidence in the soundness of the design and implementation.
The text was updated successfully, but these errors were encountered: