Hide the signing key #272

Open
zimbatm opened this issue Sep 10, 2023 · 2 comments

@zimbatm
Member

zimbatm commented Sep 10, 2023

Is your feature request related to a problem? Please describe.

It prevents the team from growing.

I'm just recording this to remember the conversation with @delroth.

Describe the solution you'd like

Either an HSM, or an upload machine that can hold the key, sign and upload.

Describe alternatives you've considered

Additional context

@vcunat
Member

vcunat commented Sep 30, 2023

After we have a workflow with a locked-down key, it would make sense to me to rotate it: NixOS/rfcs#149

Well, these two could be independent, but rotation seems to require a relatively large amount of work, so I think it's better to rotate directly to a key that's better secured from the start.

@cole-h
Member

cole-h commented Sep 30, 2023

For any interested parties, we're discussing what this would look like / how it should be approached in the following Matrix room: https://matrix.to/#/#nixos-infra-signing:matrix.org

Please feel free to join and chime in if you have ideas!
