github.com/nats-io/nsc/v2@v2.8.7-0.20240307184528-efd7023c6896/release-signing.md

Release Signing
===============

We sign releases with static signing keys, inside GitHub Actions.

If cosign keyless mode can use OIDC identities issued by GitHub that identify
the organization, then we will probably switch to that, because it avoids any
one organization holding secrets.

The signing keys we use here live in GitHub Actions as secrets, and in a
1Password vault used by the NATS Maintainers at Synadia Communications.

---

We want release signatures to be verifiable by as many people as possible,
while using contemporary cryptography. It is fine to sign with multiple
systems.

We mostly sign checksums.

Our new channel-managing installer tries to balance "a modern tool for the
future" with "a tool which everyone will have installed", so it will verify
cosign signatures and SSH file signatures. The cosign tool supports OCI
containers and has enough other useful features that we hope it's what the
industry moves towards.

We're seriously tempted to add OpenPGP signatures, since we have WKD set up
for nats.io, but three signatures at once might be overdoing things a little.
If there's demand, we will revisit.

---

## The Public Keys

In both cases, we use no passphrase on the private key: for the CI system, the
passphrase would have to live in the same place as the private key material,
so it would provide only a false sense of security.

```sh
ssh-keygen -t ed25519 -f nsc-release-signing-ssh -C 'nsc release builds SSH signing key' -N ''
COSIGN_PASSWORD='' cosign generate-key-pair
for f in cosign.*; do mv -v $f nsc-release-$f; done
tail -n +1 *.pub
```

gives these public keys:

```
==> nsc-release-cosign.pub <==
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Zi4Lxy2j3MYdUSWkKi/aQfA73s7
aNxCtk9yNPc3I08TsWISvhqbxquDHGOeDdf0FQh6mHMWclke2mMIYGDuLA==
-----END PUBLIC KEY-----

==> nsc-release-signing-ssh.pub <==
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLLmYCvqzSVa+ZwHDToc6DLjGBMII7B9jSSRbZ8ylbN nsc release builds SSH signing key
```

These keys were generated 2022-02-23 by Phil Pennock, pdp@nats.io, and deleted
from local disk after storing in GitHub and 1Password. At time of writing,
four people have access to that Vault.
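The consumer side of the SSH file-signature scheme above, as an added example that is not part of the nsc repository or its installer: pin the signing key to a principal in an `allowed_signers` file and check the signature over a checksum file with `ssh-keygen -Y verify`. The principal name `releases@example.invalid`, the throwaway key and the `SHA256SUMS` contents are constructed for the demo; in real use the key line is the published `nsc-release-signing-ssh.pub`.

```shell
#!/bin/sh
# Added example, not part of the nsc repository: verify an SSH file signature
# over a release checksum file against a pinned public key, as a downloader of
# nsc releases would. Principal, key and checksum contents are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

# Pin one key to one principal, restricted to the "file" namespace that
# ssh-keygen -Y sign uses for file signatures. In real use the key line
# comes from the published nsc-release-signing-ssh.pub.
write_allowed_signers() {   # $1=public key file, $2=principal, $3=output path
  printf '%s namespaces="file" %s\n' "$2" "$(cut -d' ' -f1,2 "$1")" > "$3"
}

# Return 0 only if $4 is a valid signature by principal $2 (per $1) over file $3.
verify_checksums() {        # $1=allowed_signers, $2=principal, $3=file, $4=signature
  ssh-keygen -Y verify -f "$1" -I "$2" -n file -s "$4" < "$3" >/dev/null 2>&1
}

# Round trip with a throwaway key and a constructed SHA256SUMS file, then
# confirm that a modified checksum file no longer verifies.
demo() {
  tmp=$(mktemp -d); principal='releases@example.invalid'; ok=1
  ssh-keygen -q -t ed25519 -N '' -C 'demo key (constructed)' -f "$tmp/key"
  printf '%s  nsc-linux-amd64.zip\n' "$(printf 'constructed' | sha256sum | cut -d' ' -f1)" > "$tmp/SHA256SUMS"
  ssh-keygen -Y sign -f "$tmp/key" -n file "$tmp/SHA256SUMS" 2>/dev/null   # writes SHA256SUMS.sig
  write_allowed_signers "$tmp/key.pub" "$principal" "$tmp/allowed_signers"
  if verify_checksums "$tmp/allowed_signers" "$principal" "$tmp/SHA256SUMS" "$tmp/SHA256SUMS.sig"; then
    echo "good signature over SHA256SUMS"
  else
    echo "unexpected: valid signature rejected"; ok=0
  fi
  echo 'ffff  tampered.zip' >> "$tmp/SHA256SUMS"     # any change to the signed bytes must fail
  if verify_checksums "$tmp/allowed_signers" "$principal" "$tmp/SHA256SUMS" "$tmp/SHA256SUMS.sig"; then
    echo "unexpected: tampered file accepted"; ok=0
  else
    echo "tampered SHA256SUMS rejected"
  fi
  rm -rf "$tmp"
  [ "$ok" -eq 1 ]
}

demo
```

Only the checksum file is signed, so after the signature verifies you still compare the downloaded archive against the listed digest (for example with `sha256sum -c`).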