github.com/nats-io/nsc/v2@v2.8.7-0.20240307184528-efd7023c6896/release-signing.md

Release Signing
===============

We sign releases with static signing keys, from inside GitHub Actions.

If cosign keyless mode can consume the OIDC identity GitHub issues to a
workflow, so that the signature identifies the organization, we will probably
switch to that: it avoids any one organization having to hold long-lived
signing secrets.

The signing keys used here live in GitHub Actions as secrets, and in a
1Password vault used by the NATS Maintainers at Synadia Communications.

---

We want release signatures to be verifiable by as many people as possible,
while using contemporary cryptography.  It is fine to sign with multiple
systems.

We mostly sign checksums, rather than each artifact directly: the signature
covers a checksum list, and an artifact is then checked against that signed
list.

Our new channel-managing installer tries to balance "a modern tool for the
future" against "a tool which everyone already has installed", so it verifies
both cosign signatures and SSH file signatures (the `ssh-keygen -Y` format).
The cosign tool supports OCI containers and has enough other useful features
that we hope it is what the industry moves towards.

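The following is an added example, not code from the nsc project, showing what verifying an SSH file signature involves; it is in Go with only the standard library, since nsc itself is a Go program. It parses the SSHSIG container that `ssh-keygen -Y sign` emits, checks the embedded signer against the one allowed key (the job an `allowed_signers` file does for `ssh-keygen -Y verify`), pins the namespace to `file`, and checks the Ed25519 signature over the SSHSIG signed-data structure rather than over the raw file. The key pair, the sha256sum-style checksum list and the name `nsc-demo.zip` are constructed for the demo; the real release key never sits on a developer's disk.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const sshsigMagic, armorHead, armorTail = "SSHSIG", "-----BEGIN SSH SIGNATURE-----", "-----END SSH SIGNATURE-----"

// sshString encodes b as an SSH wire "string": big-endian uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readString pops one SSH wire "string" off the front of *buf, rejecting truncated input.
func readString(buf *[]byte) ([]byte, error) {
	if len(*buf) < 4 || uint64(len(*buf))-4 < uint64(binary.BigEndian.Uint32(*buf)) {
		return nil, errors.New("sshsig: truncated field")
	}
	end := 4 + binary.BigEndian.Uint32(*buf)
	s := (*buf)[4:end]
	*buf = (*buf)[end:]
	return s, nil
}

// signedData is what the key actually signs (PROTOCOL.sshsig): magic, namespace, empty reserved
// string, hash name, H(message). Binding the namespace stops a "file" signature being replayed as "git".
func signedData(namespace string, message []byte) []byte {
	h := sha512.Sum512(message)
	return bytes.Join([][]byte{[]byte(sshsigMagic), sshString([]byte(namespace)), sshString(nil),
		sshString([]byte("sha512")), sshString(h[:])}, nil)
}

// SignSSHSIG builds the armored signature `ssh-keygen -Y sign -n <namespace>` would produce.
func SignSSHSIG(priv ed25519.PrivateKey, namespace string, message []byte) string {
	pubBlob := append(sshString([]byte("ssh-ed25519")), sshString(priv.Public().(ed25519.PublicKey))...)
	sigBlob := append(sshString([]byte("ssh-ed25519")), sshString(ed25519.Sign(priv, signedData(namespace, message)))...)
	blob := bytes.Join([][]byte{[]byte(sshsigMagic), {0, 0, 0, 1}, sshString(pubBlob), // SIG_VERSION 1
		sshString([]byte(namespace)), sshString(nil), sshString([]byte("sha512")), sshString(sigBlob)}, nil)
	return armorHead + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n" + armorTail + "\n"
}

// VerifySSHSIG checks an armored SSHSIG over message. allowedPub plays the role of the
// allowed_signers entry and namespace the role of `-n file`; anything else is rejected.
func VerifySSHSIG(armored string, allowedPub ed25519.PublicKey, namespace string, message []byte) error {
	lines := strings.Split(strings.TrimSpace(armored), "\n")
	if len(lines) < 3 || lines[0] != armorHead || lines[len(lines)-1] != armorTail {
		return errors.New("sshsig: missing armor")
	}
	blob, err := base64.StdEncoding.DecodeString(strings.Join(lines[1:len(lines)-1], ""))
	if err != nil {
		return err
	}
	if len(blob) < 10 || string(blob[:6]) != sshsigMagic || binary.BigEndian.Uint32(blob[6:]) != 1 {
		return errors.New("sshsig: bad magic or version")
	}
	blob = blob[10:]
	var f [5][]byte // publickey, namespace, reserved, hash_algorithm, signature
	for i := range f {
		if f[i], err = readString(&blob); err != nil {
			return err
		}
	}
	// Public key and signature share the "string type || string body" layout; a truncated
	// field decodes to nil here, which the comparisons below reject.
	pubBlob, sigBlob := f[0], f[4]
	keyType, _ := readString(&pubBlob)
	key, _ := readString(&pubBlob)
	sigType, _ := readString(&sigBlob)
	sig, _ := readString(&sigBlob)
	if string(keyType) != "ssh-ed25519" || !bytes.Equal(key, allowedPub) {
		return errors.New("sshsig: signer is not an allowed key")
	}
	if string(f[1]) != namespace || string(f[3]) != "sha512" {
		return errors.New("sshsig: unexpected namespace or hash algorithm")
	}
	if string(sigType) != "ssh-ed25519" || !ed25519.Verify(allowedPub, signedData(namespace, message), sig) {
		return errors.New("sshsig: signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key; the release key lives in CI, not here
	sums := []byte("0000000000000000000000000000000000000000000000000000000000000000  nsc-demo.zip\n") // constructed
	sig := SignSSHSIG(priv, "file", sums)
	fmt.Println("genuine:", VerifySSHSIG(sig, pub, "file", sums))
	fmt.Println("tampered:", VerifySSHSIG(sig, pub, "file", []byte(string(sums)+"#")))
	fmt.Println("wrong namespace:", VerifySSHSIG(sig, pub, "git", sums))
}
```

The command-line equivalent, if a release ships a checksum list and its SSH signature as, say, `SHA256SUMS` and `SHA256SUMS.sig` (file names assumed here, not taken from this page), is `ssh-keygen -Y verify -f allowed_signers -I nsc-release -n file -s SHA256SUMS.sig < SHA256SUMS`, where `allowed_signers` holds one line of the form `nsc-release ssh-ed25519 AAAA...` carrying the published key and the principal name given to `-I`. The namespace check matters in both: a signature made in another namespace over identical bytes must not verify as a file signature.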
We're seriously tempted to add OpenPGP signatures as well, since we have WKD
set up for nats.io, but three signatures at once might be overdoing things a
little.  If there's demand, we will revisit.

---

## The Public Keys

In both cases (the SSH key and the cosign key) we use no passphrase on the
private key: for the CI system, the passphrase would have to live in the same
secret store as the private key material, so it would add no real protection,
only a false sense of security.

```sh
# Ed25519 SSH key with an empty passphrase (-N '') and a comment naming its purpose
ssh-keygen -t ed25519 -f nsc-release-signing-ssh -C 'nsc release builds SSH signing key' -N ''
# cosign key pair (ECDSA P-256), likewise with an empty password; writes cosign.key and cosign.pub
COSIGN_PASSWORD='' cosign generate-key-pair
for f in cosign.*; do mv -v "$f" "nsc-release-$f"; done
tail -n +1 *.pub   # print each public key under a "==> file <==" header
```

which gives these public keys:

```
==> nsc-release-cosign.pub <==
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Zi4Lxy2j3MYdUSWkKi/aQfA73s7
aNxCtk9yNPc3I08TsWISvhqbxquDHGOeDdf0FQh6mHMWclke2mMIYGDuLA==
-----END PUBLIC KEY-----

==> nsc-release-signing-ssh.pub <==
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLLmYCvqzSVa+ZwHDToc6DLjGBMII7B9jSSRbZ8ylbN nsc release builds SSH signing key
```

These keys were generated on 2022-02-23 by Phil Pennock (pdp@nats.io) and
deleted from local disk after being stored in GitHub and 1Password.  At the
time of writing, four people have access to that vault.
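A second added example, again not the project's code, covers the cosign side and the "we mostly sign checksums" point together. The cosign public key published above is a PKIX-encoded ECDSA P-256 key, and `cosign verify-blob --key` (the key-based path, without the transparency-log checks newer cosign versions may add) checks a base64-encoded DER ECDSA signature over SHA-256 of the blob. Because the signature covers a checksum list rather than the artifact, verification has two hops: the signature over the list, then the artifact's own SHA-256 against its entry in the list. The Go below (standard library only) parses the published key, then runs both hops with a throwaway key and constructed data; `nsc-demo.zip`, its bytes and the sha256sum-style list are constructed, and the published key is used only to show it does not verify a signature it did not make.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// NscCosignPub is the cosign public key published above (nsc-release-cosign.pub).
const NscCosignPub = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+Zi4Lxy2j3MYdUSWkKi/aQfA73s7
aNxCtk9yNPc3I08TsWISvhqbxquDHGOeDdf0FQh6mHMWclke2mMIYGDuLA==
-----END PUBLIC KEY-----`

// ParseCosignPub decodes a cosign.pub file and insists on an ECDSA key, the only type
// this verifier handles (cosign generate-key-pair produces ECDSA P-256).
func ParseCosignPub(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("not an ECDSA public key")
	}
	return pub, nil
}

// SignBlob is what `cosign sign-blob --key` does for an ECDSA key: a DER-encoded ECDSA
// signature over SHA-256(blob), base64-encoded. It exists here only to build the demo.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return base64.StdEncoding.EncodeToString(der), err
}

// VerifyBlob mirrors the cryptographic check in `cosign verify-blob --key <pub> --signature <sig> <blob>`.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) error {
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigB64))
	if err != nil {
		return err
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], der) {
		return errors.New("cosign signature does not verify")
	}
	return nil
}

// CheckArtifact is the second hop: the signature covers the checksum list, not the
// artifact, so the artifact is trusted only if its SHA-256 is listed under its own name.
func CheckArtifact(sums []byte, name string, artifact []byte) error {
	digest := sha256.Sum256(artifact)
	want := hex.EncodeToString(digest[:])
	sc := bufio.NewScanner(bytes.NewReader(sums))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && f[1] == name {
			if f[0] == want {
				return nil
			}
			return fmt.Errorf("%s: checksum mismatch", name)
		}
	}
	return fmt.Errorf("%s: not listed in checksums", name)
}

func main() {
	pub, err := ParseCosignPub(NscCosignPub)
	if err != nil {
		panic(err)
	}
	fmt.Println("published cosign key curve:", pub.Curve.Params().Name)
	// Demo with a throwaway key: the real signing key is in CI, not on this page.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	artifact := []byte("constructed stand-in for nsc-demo.zip")
	d := sha256.Sum256(artifact)
	sums := []byte(hex.EncodeToString(d[:]) + "  nsc-demo.zip\n") // sha256sum-style checksum list
	sig, _ := SignBlob(priv, sums)
	fmt.Println("genuine sums:    ", VerifyBlob(&priv.PublicKey, sums, sig))
	fmt.Println("tampered sums:   ", VerifyBlob(&priv.PublicKey, []byte(string(sums)+"#"), sig))
	fmt.Println("published key:   ", VerifyBlob(pub, sums, sig)) // did not sign this, so must fail
	fmt.Println("artifact ok:     ", CheckArtifact(sums, "nsc-demo.zip", artifact))
	fmt.Println("artifact swapped:", CheckArtifact(sums, "nsc-demo.zip", []byte("something else")))
}
```

On the command line the same two hops are, with file names assumed for illustration rather than taken from this page, `cosign verify-blob --key nsc-release-cosign.pub --signature SHA256SUMS.cosign.sig SHA256SUMS` followed by `sha256sum -c --ignore-missing SHA256SUMS`. Skipping the second hop is the common mistake: a verified checksum list says nothing about an artifact that was never compared against it.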