Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement support for TPM-backed signing keys (#953) #955

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Implement support for TPM-backed signing keys (#953) #955

wants to merge 1 commit into from

Conversation

charles-dyfis-net
Copy link

@charles-dyfis-net charles-dyfis-net commented Apr 12, 2021
edited

Fixes #953

Requirements

This should not be removed from draft state until the below are checked.

  • Documentation is updated
  • Test coverage has been extended to cover the new functionality.
  • Switch from the charles-dyfis-net fork of tpmk to upstream (which at the time of that fork's creation did not support clearsigning, but does now).

The test suite shall use Google's TPM emulator for Go (supported by tpmk and used for its own test suite), so it can be run on systems without TPM hardware.

Description of the Change

Use the Go library github.com/folbricht/tpmk to support TPM-backed keys for OpenPGP signatures.

This allows hardware-backed keys to be used for repository signing. Because the private key data cannot be copied out of the TPM into general-purpose RAM, these keys cannot be stolen by an attacker and used to sign content on a different host; as soon as an attacker's access to the host with the TPM is eliminated, that attacker can no longer generate signatures with any key that TPM stored.

This feature is not available in released versions of upstream GnuPG, so it exclusive to the internal Go implementation.

Checklist

  • unit-test added (if change is algorithm)
  • functional test added/updated (if change is functional)
  • man page updated (if applicable)
  • bash completion updated (not applicable)
  • documentation updated
  • author name in AUTHORS

@charles-dyfis-net charles-dyfis-net mentioned this pull request Apr 12, 2021
Merged
@charles-dyfis-net charles-dyfis-net mentioned this pull request Apr 12, 2021
Draft
@charles-dyfis-net
Copy link
Author

@folbricht has tracked down the build failure -- while tpmk declared a dependency on Go 1.11, it in fact requires Go 1.15.

I expect this PR will need to be extended to hide the feature behind a tag (or otherwise make it conditionally compiled).

@charles-dyfis-net
Copy link
Author

...a question for the aptly team here: What's the feasibility of having a go 1.15 builder in Travis, so this code can be tested if it's moved behind such a flag?

@lbolla
Copy link
Contributor

lbolla commented Jan 28, 2022
edited

@charles-dyfis-net Travis is no more. We have GH Actions running Go 1.14, 15, 16, and 17.

Would you like to rebase against master?

Also, there are no tests, which are required for a PR to be considered for merging.

@randombenj
Copy link
Member

I will close this as there seems to be a lack of interest for this change, feel free to leave a comment if you want this reopened

@randombenj randombenj closed this Apr 13, 2022
@neolynx neolynx self-assigned this Apr 24, 2024
@neolynx neolynx reopened this Apr 24, 2024
@codecov Codecov
Copy link

codecov bot commented Apr 24, 2024
edited

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@neolynx neolynx mentioned this pull request Apr 24, 2024
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@neolynx neolynx

Labels
PR superseded
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support TPM-backed signing key storage
4 participants
@charles-dyfis-net @lbolla @randombenj @neolynx