Date: Sat, 13 Jun 2020 23:24:26 +0200
From: Wolf
To: ~alpine/devel@lists.alpinelinux.org
Subject: How to protect repository's private key?
Message-ID: <20200613212426.kqtzbohhnfme4lhn@wolfsden.cz>

Hello,

I'm trying to set up (well, actually update to 3.12) my private repository for Alpine packages, and I'm facing issues with how to protect the repository signing key from rogue software. For example, if some shady code is executed as part of a Makefile or something, it by default has read access to the repository private key (and it can therefore extract it). I would like to prevent that.

In 3.11, I was using a fake dummy key in the build container, then abuild-gzsplit and abuild-sign with the real key, which worked fairly well. However, that is not possible in 3.12 since abuild-gzsplit is broken there.

How is this issue usually solved? What approach does the official Alpine repository take? What approach do people with private repositories use?

Thanks in advance :)

W.
-- 
There are only two hard things in Computer Science: cache invalidation, naming things and off-by-one errors.
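The 3.11 workflow the message describes (build with a dummy key, split the apk into its gzip segments, re-sign on a host that holds the real key) as an added Python example; this is not code from the post or from abuild. It assumes the apk layout of three concatenated gzip streams (signature, control, data) with the signature entry `.SIGN.RSA.<pubkey name>` covering the control stream, re-implements the gzsplit step with the standard library, and stands in a keyed hash for the `openssl dgst -sha1 -sign` RSA step so it runs with no key material; all function names and the sample package contents are constructed.

```python
import gzip, hashlib, io, tarfile, zlib
from typing import Callable

def split_gzip_members(blob: bytes) -> list[bytes]:
    """Split concatenated gzip streams into members (what abuild-gzsplit does); an apk
    is three of them: signature tarball, control tarball, data tarball."""
    members = []
    while blob:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper; stops after one member
        d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip member")
        members.append(blob[: len(blob) - len(d.unused_data)])
        blob = d.unused_data
    return members

def tar_gz(name: str, content: bytes, cut_eof: bool = False) -> bytes:
    """One-entry ustar tarball, gzipped. cut_eof drops the end-of-archive blocks (as
    abuild-tar --cut does for the signature segment) so the segments concatenate."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    raw = buf.getvalue()
    if cut_eof:
        raw = raw[: 512 + (len(content) + 511) // 512 * 512]  # header + padded body only
    return gzip.compress(raw, mtime=0)

def resign_apk(apk: bytes, keyname: str, sign: Callable[[bytes], bytes]) -> bytes:
    """Drop the dummy signature segment made inside the build container and prepend a
    .SIGN.RSA.<keyname> segment from `sign`, which runs on the trusted host. Only the
    control segment is signed; the data segment passes through untouched."""
    segs = split_gzip_members(apk)
    if len(segs) != 3:
        raise ValueError(f"expected signature+control+data, got {len(segs)} members")
    _dummy_sig, control, data = segs
    return tar_gz(f".SIGN.RSA.{keyname}", sign(control), cut_eof=True) + control + data

def trusted_signer(control: bytes) -> bytes:
    """Constructed stand-in for `openssl dgst -sha1 -sign <key>.rsa` on the trusted host;
    a keyed hash is used only so the example runs with no RSA key material present."""
    return hashlib.sha256(b"constructed-trusted-key|" + control).digest()

def build_sample_apk() -> bytes:
    """Constructed apk as it leaves the build container, signed with the dummy key."""
    control = tar_gz(".PKGINFO", b"pkgname = demo\npkgver = 1.0-r0\n")
    data = tar_gz("usr/bin/demo", b"#!/bin/sh\necho demo\n")
    return tar_gz(".SIGN.RSA.dummy.rsa.pub", b"dummy-signature", cut_eof=True) + control + data
```

The build container only ever sees the dummy key, so code run from a Makefile there can at most forge a signature nobody trusts; `resign_apk` is the only step that needs the real key and it runs outside the container.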