rfcs icon indicating copy to clipboard operation
rfcs copied to clipboard
verified publisher icon NixOS

[RFC 0149] Cache key rotation

Open vcunat opened this issue 2 years ago • 15 comments

Rotate cache.nixos.org signing key.

Rendered

vcunat avatar May 26 '23 15:05 vcunat

This is very preliminary for now, but let me open it as a PR already.

vcunat avatar May 26 '23 15:05 vcunat

It would be wise to attach keys to releases. This way there will be no need track key start/expiration dates separately, the release number will tell. If a key is compromised, a new release can be published with an incremented minor number. It may be the case where the key is required be published/in place before the release.

evrim avatar May 28 '23 06:05 evrim

I wouldn't do that. Our infrastructure is concurrently building various stuff: multiple NixOS/NixPkgs release branches and also some that are not tied to such a number at all. Similarly from the other side – when Nix looks for some store path in a binary cache, it doesn't care about release numbers.

vcunat avatar May 28 '23 07:05 vcunat

If that's the case, then there should be mechanism to track key start/expiration dates since the keys are bare not certs. I would be glad to help you in the matter but no free time Im afraid. Even if I have the time, I can't get past the marketing team, they say they have rules. Good luck, hope this problem is gone forever without much trouble ;)

evrim avatar May 28 '23 07:05 evrim

Once a workflow for regular key rotation is finalized, I suppose it might still be useful to tie its schedule to the schedule of NixOS releases.

vcunat avatar May 28 '23 07:05 vcunat