
Implement support for TPM-backed signing keys (#953)

Open charles-dyfis-net opened this issue 3 years ago • 5 comments

Fixes #953

Requirements

This should not be removed from draft state until the below are checked.

  • [x] Documentation is updated
  • [ ] Test coverage has been extended to cover the new functionality.
  • [x] Switch from the charles-dyfis-net fork of tpmk to upstream (which at the time of that fork's creation did not support clearsigning, but does now).

The test suite shall use Google's TPM emulator for Go (supported by tpmk and used for its own test suite), so it can be run on systems without TPM hardware.

Description of the Change

Use the Go library github.com/folbricht/tpmk to support TPM-backed keys for OpenPGP signatures.

This allows hardware-backed keys to be used for repository signing. Because the private key data cannot be copied out of the TPM into general-purpose RAM, these keys cannot be stolen by an attacker and used to sign content on a different host; as soon as an attacker's access to the host with the TPM is eliminated, that attacker can no longer generate signatures with any key that TPM stored.

This feature is not available in released versions of upstream GnuPG, so it is exclusive to the internal Go implementation.

Checklist

  • [ ] unit-test added (if change is algorithm)
  • [ ] functional test added/updated (if change is functional)
  • [x] man page updated (if applicable)
  • [ ] ~~bash completion updated~~ (not applicable)
  • [x] documentation updated
  • [x] author name in AUTHORS

charles-dyfis-net avatar Apr 12 '21 03:04 charles-dyfis-net
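The security argument in the PR description (the private key never leaves the device, so losing access to the host ends the attacker's ability to sign) rests on the signing code only ever touching a crypto.Signer, never raw key material. The following is an added illustration of that seam, not code from this PR, from aptly, or from tpmk. It assumes a constructed stand-in type, hardwareKey, that plays the role a TPM wrapper would play: the key lives in an unexported field, the only exported operation is Sign, and closing the handle models the attacker losing access to the TPM host.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hardwareKey is a constructed stand-in for a TPM-resident key (assumption:
// not a real device). The private scalar sits in an unexported field and the
// type exposes only the crypto.Signer interface, so repository-signing code
// can use the key without ever being able to read or copy it.
type hardwareKey struct {
	priv   *ecdsa.PrivateKey
	opened bool
}

// provisionKey generates the key "inside the device" and hands back a handle.
func provisionKey() (*hardwareKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hardwareKey{priv: priv, opened: true}, nil
}

// Public is the only key material that ever leaves the device.
func (k *hardwareKey) Public() crypto.PublicKey { return &k.priv.PublicKey }

// Sign performs the signing operation behind the handle. Once the handle is
// closed (access to the host is gone) no further signatures can be produced.
func (k *hardwareKey) Sign(rnd io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	if !k.opened {
		return nil, errors.New("device handle closed: key no longer usable")
	}
	return ecdsa.SignASN1(rnd, k.priv, digest)
}

// Close models losing access to the host that holds the TPM.
func (k *hardwareKey) Close() { k.opened = false }

// Compile-time check that the stand-in satisfies crypto.Signer, the interface
// a TPM-backed OpenPGP signing path would consume.
var _ crypto.Signer = (*hardwareKey)(nil)

// signRelease is the repository-side code: it receives a crypto.Signer and
// has no way to reach the private key bytes.
func signRelease(signer crypto.Signer, release []byte) ([]byte, error) {
	digest := sha256.Sum256(release)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// verifyRelease checks a signature with the public half only.
func verifyRelease(pub crypto.PublicKey, release, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(release)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	key, err := provisionKey()
	if err != nil {
		panic(err)
	}
	release := []byte("Origin: example\nSuite: stable\n") // constructed sample input
	sig, err := signRelease(key, release)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", verifyRelease(key.Public(), release, sig))
	key.Close()
	_, err = signRelease(key, release)
	fmt.Println("signing after loss of access:", err)
}
```

Verification needs only the public key, so a mirror or client can check signatures without any access to the device; the signing side, by contrast, depends on a live handle to the device, which is the property the PR description is relying on.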

@folbricht has tracked down the build failure -- while tpmk declared a dependency on Go 1.11, it in fact requires Go 1.15.

I expect this PR will need to be extended to hide the feature behind a tag (or otherwise make it conditionally compiled).

charles-dyfis-net avatar Apr 12 '21 14:04 charles-dyfis-net

...a question for the aptly team here: What's the feasibility of having a go 1.15 builder in Travis, so this code can be tested if it's moved behind such a flag?

charles-dyfis-net avatar Apr 12 '21 16:04 charles-dyfis-net

@charles-dyfis-net Travis is no more. We have GH Actions running Go 1.14, 15, 16, and 17.

Would you like to rebase against master?

Also, there are no tests, which are required for a PR to be considered for merging.

lbolla avatar Jan 28 '22 08:01 lbolla

I will close this as there seems to be a lack of interest for this change, feel free to leave a comment if you want this reopened

randombenj avatar Apr 13 '22 12:04 randombenj

Welcome to Codecov :tada:

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered :open_umbrella:

codecov[bot] avatar Apr 24 '24 19:04 codecov[bot]