Security audit of remote signing #5

Open
indygreg opened this issue Apr 23, 2022 · 2 comments
Labels: apple-codesign (apple-codesign crate and rcodesign CLI tool)

Comments

@indygreg (Owner)

I have an implementation of remote code signing almost ready to push.

I effectively implemented my own cryptosystem to implement this feature.

As I learned many years ago, one doesn't just roll their own cryptosystems.

So I'm filing this issue to track getting some kind of audit/review of the code so we have confidence in the soundness of the design and implementation.

indygreg added the apple-codesign label Apr 23, 2022

@dvc94ch (Collaborator) commented Apr 23, 2022

What does remote signing do? Can you get your app signed and notarized without an apple developer subscription?

That would be a pretty cool service; I doubt Apple would be happy about it.

@indygreg (Owner, Author)

A code signing service that allowed you to bypass Apple's Developer subscription requirements would almost certainly run afoul of Apple policies. This is not what I've implemented nor do I have plans to implement such a mechanism.

indygreg referenced this issue in indygreg/PyOxidizer Apr 24, 2022
I've been wanting to implement this feature for months.

My initially conceived use case for this is enabling a low trust CI
worker to delegate signing operations to a human using a hardware
device for signing. But there are other similar use cases, such as
a team of developers where only a few people have access to the
signing key.

This commit includes an implementation of the websocket server
including a Terraform module to deploy it to AWS. I have this
running in a personal account and it seems to be pretty stable.

There is a ton of documentation for the feature, including extensive
documentation of the protocol and cryptosystem design.

Since I rolled my own crypto here, my guess is there are some
weaknesses with it. Issue #552 tracks having it audited by... someone.
Until then, the docs have a giant warning about the potential for
security issues. Even if there are critical weaknesses in the
cryptosystem, signing requires presence of a signer. It's not like
the private key is sitting around on a CI worker waiting to be
exfiltrated by anyone who can run a PR or anyone with machine
level access to those workers. So I'd like to think that even if
there is a weakness here that other design choices limit the
potential for danger. Of course, I still very much want the
security to be sound!

There are a ton of small paper cuts remaining with the implementation.
Lots of small things we can do to improve security, like prompting
for consent before signing operations, keeping a "transparency log"
of signing operations, etc. But at this point I've probably spent
~30 hours on this feature and just want to get something merged.

Partially implements #387.
indygreg transferred this issue from indygreg/PyOxidizer Sep 18, 2022