Secure supply chain (PGP) #9

Open
opened 2020-09-22 22:09:23 +00:00 by southerntofu · 1 comment
Owner

Currently, forgebuild does very little for security (support for https sources). We should support PGP signatures for repositories.

However, git's verification of signatures (no idea about mercurial) only verifies the signature of HEAD, not of every commit. This is good basic security for most needs.

For more sensitive systems, we should find inspiration in guix's [channel introductions](https://guix.gnu.org/en/blog/2020/securing-updates/) to ensure the whole commit history has been vetted.
Author
Owner

With [GNU/Guix 1.2](https://guix.gnu.org/en/blog/2020/gnu-guix-1.2.0-released/), their secure supply chain has been exposed as a subcommand: [guix git authenticate](https://guix.gnu.org/manual/en/html_node/Invoking-guix-git-authenticate.html).

It's a perfect fit for our use case.
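To illustrate the difference between verifying only HEAD and vetting the whole history as the thread discusses, here is an added Python example (not forgebuild's or Guix's code) modelling the authorization rule behind Guix channel introductions. It assumes per-commit signature verification has already been done and that each commit carries the set of keys allowed to sign its children (as Guix's `.guix-authorizations` file does); the `Commit`, `head_only_check` and `authenticate` names and the sample history are constructed for the example.

```python
# Added example (not forgebuild's or Guix's code): Guix-style authentication of a
# whole commit history from a trusted introduction, versus checking only HEAD.
# Assumption: signatures were already verified (e.g. `git verify-commit --raw`),
# so each commit records the fingerprint of the validly signing key, or None.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Commit:
    parents: List[str]              # parent commit ids (2+ for a merge)
    signer: Optional[str]           # fingerprint of the validly signing key
    authorizations: FrozenSet[str]  # keys allowed to sign the *next* commits

def head_only_check(repo, head, trusted_keys):
    # All that verifying HEAD's signature against a trusted keyring establishes.
    return repo[head].signer in trusted_keys

def authenticate(repo, intro, intro_key, head):
    """Authorization invariant: a commit is authentic iff all its parents are
    authentic and its signer is in each parent's authorizations; the introduction
    itself must be signed by intro_key and older history is not traversed.
    Returns the violating commits, oldest first; [] means head is authentic."""
    verdict, bad = {}, []
    def check(sha):
        if sha not in verdict:
            commit = repo[sha]
            if sha == intro:
                verdict[sha] = commit.signer == intro_key
            else:  # list (not generator) so every parent branch is examined
                verdict[sha] = all([check(p) and commit.signer in repo[p].authorizations
                                    for p in commit.parents])
            if not verdict[sha]:
                bad.append(sha)
        return verdict[sha]
    check(head)
    return bad

# Constructed history: Alice introduces the repo and authorizes Bob; c3 is signed by
# a key no parent authorized (and grants itself rights); Alice's validly signed c4
# sits on top, so a HEAD-only check passes while the full walk rejects c3 and c4.
ALICE, BOB, MALLORY = "FPR-ALICE", "FPR-BOB", "FPR-MALLORY"
REPO = {
    "c0": Commit([], ALICE, frozenset({ALICE})),
    "c1": Commit(["c0"], ALICE, frozenset({ALICE, BOB})),
    "c2": Commit(["c1"], BOB, frozenset({ALICE, BOB})),
    "c3": Commit(["c2"], MALLORY, frozenset({ALICE, BOB, MALLORY})),
    "c4": Commit(["c3"], ALICE, frozenset({ALICE, BOB, MALLORY})),
}
```

Running `authenticate(REPO, "c0", ALICE, "c4")` flags `c3` and `c4` even though `head_only_check` accepts the same HEAD, which is the gap the thread's HEAD-only caveat refers to.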
Reference: forge/build#9