Add code-signing for Homebrew proposal #20
Conversation
This is great! One thing I would like to see added is a list of goals and non-goals focusing on what threats are addressed. For example: This prevents attackers who can forge TLS certs for GitHub from tampering with artifacts, but does not prevent an upstream repo from being compromised and Homebrew CI from automatically building/signing/distributing a malicious package. The latter is partially addressed in this proposal, but would not be 100% addressed until a requirement that all Homebrew upstream sources are signed is added to the CI builder's logic. A future proposal may add a config option to enable a TAP owner to mark their TAP as 100% signed so all packages within the TAP must have signatures before Homebrew CI should build/distribute.
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
This is great! The PR is missing some context, but from Slack I infer that this is a proposal for Alpha-Omega funding that is sponsored by the WG Securing Software Repos. Is that correct?
This is just a general proposal from this WG that could be submitted to any potential funder. Although we do plan to submit this to A/O for funding first, there isn't anything A/O-specific here.
Thanks for putting this together! I support this proposal.
Code signing for Homebrew: address feedback
Signed-off-by: Dustin Ingram <di@users.noreply.github.com>
Signed-off-by: Dustin Ingram <di@users.noreply.github.com>
Signed-off-by: Dustin Ingram <di@users.noreply.github.com>
The PR is missing some context, but from Slack I infer that this is a proposal for Alpha-Omega funding that is sponsored by the WG Securing Software Repos. Is that correct?
This is just a general proposal from this WG that could be submitted to any potential funder. Although we do plan to submit this to A/O for funding first, there isn't anything A/O-specific here.
Got it. The part I was missing from the PR description was that this is a "proposal from this WG that could be submitted to any potential funder".
Some feedback from the Homebrew maintainers on their Slack:
cc @MikeMcQuaid and @SMillerDev, since I've summarized your feedback above; please correct me if I've missed or mistaken anything 🙂
I've updated the description!
Signed-off-by: William Woodruff <william@trailofbits.com>
Homebrew codesigning: review and feedback
Signed-off-by: William Woodruff <william@trailofbits.com>
Homebrew: compatibility considerations
Highlight build provenance in Homebrew proposal
Hi folks, thanks for all the reviews to date. Just an FYI that I'd like to merge this by EOD today, so we can submit it to A/O by the end of the week.
@di @woodruffw What do you think about adding a threat model as mentioned in #20 (comment)?
I'm happy to do that; I'll open a PR in a bit.
Signed-off-by: William Woodruff <william@trailofbits.com>
Homebrew: add threat modeling
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Don't commit to a specific attestation predicate
This is good on my end; thanks to all who reviewed!
Signed-off-by: William Woodruff <william@trailofbits.com>
Generalize attestation verification
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Signed-off-by: Dustin Ingram <di@users.noreply.github.com>
Thanks everyone for your feedback here!
This adds a proposal by myself and @woodruffw to add code-signing to the Homebrew ecosystem.
Edit: The goal here is to have a proposal from 'within' this WG that could be submitted to any potential funder. We plan to submit this to Alpha/Omega for funding first.