Received: from st43p00im-ztdg10073201.me.com (st43p00im-ztdg10073201.me.com [17.58.63.177])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id DD9EC782B24
	for <~alpine/devel@lists.alpinelinux.org>; Sat, 13 Jun 2020 21:52:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=me.com; s=1a1hai;
	t=1592085164; bh=W8tdTYlwclJiquT5TTrg5CX75BqWUS/WNqgr/9QRgIA=;
	h=Content-Type:From:Subject:Date:Message-Id:To;
	b=XKRb+7bTzDgXo46ZtvA0PELQ8SRxJh9h6NAU2Jn8zR4pXNjGL3wwVCVo/B+TqDqZR
	 Ru08IYBzkuhzBJO3al0xW5/B4QDWmp1L5PbUT+XMcZ4NBoby+V2bW+Ifa6yzqu2PNx
	 bpW7OZoDvRFyv3MCh6fKjBZtAIN7Oxmob/KWs8gWD1a4C5LEPzTxGAf4XIeIZq0LaE
	 c18QsyPBAFntPrzKC4tp0wR/BLvnnfVNXtgCfGDdSR40PmY9pN2sOLwXKa6rcmbHqm
	 PIfSW2z+fPm/Q7SEo46JL618ZCxMYMXMZr5XIj2/cLpyskaLXcP9WGkPkfhA+Pcovn
	 4xINtwG7ytwKg==
Received: from [100.73.231.242] (28.sub-174-221-132.myvzw.com [174.221.132.28])
	by st43p00im-ztdg10073201.me.com (Postfix) with ESMTPSA id 3972B221D4E;
	Sat, 13 Jun 2020 21:52:44 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Maxwell Rees <maxcrees@me.com>
Mime-Version: 1.0 (1.0)
Subject: Re: How to protect repository's private key?
Date: Sat, 13 Jun 2020 16:52:42 -0500
Message-Id: <EF5EF49E-2FDD-43AC-9AE8-F56881A37B17@me.com>
References: <20200613212426.kqtzbohhnfme4lhn@wolfsden.cz>
Cc: ~alpine/devel@lists.alpinelinux.org
In-Reply-To: <20200613212426.kqtzbohhnfme4lhn@wolfsden.cz>
To: Wolf <wolf@wolfsden.cz>
X-Mailer: iPhone Mail (17F75)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216,18.0.687
 definitions=2020-06-13_11:2020-06-12,2020-06-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-2004280000 definitions=main-2006130193



> On Jun 13, 2020, at 4:24 PM, Wolf <wolf@wolfsden.cz> wrote:
>=20
> =EF=BB=BFHello,
>=20
> I'm trying to setup (well, actually update to 3.12) my private
> repository for alpine packages and I'm facing issues with how to protect
> repository signing key from rogue software.
>=20
> For example, if some shady code is executed as part of a Makefile or
> something, it does by default have read access to repository private key
> (and it can therefore extract it). I would like to prevent that.
>=20
> In 3.11, I was using fake dummy key in the build container,
> abuild-gzsplit and abuild-sign with the real key which worked fairly
> well. However, that is not possible in 3.12 since abuild-gzsplit is
> broken there.

This is something I have spent considerable time thinking about and the stra=
tegy you describe is basically what I have encoded in software that I've bee=
n developing called APK Foundry. It's basically abuild's rootbld feature bui=
lt out to support Gitlab CI and has some nice features like being able to ea=
sily reuse containers that rootbld doesn't really support. It generates a th=
rowaway key inside the container and can re-sign packages outside of the con=
tainer using the precious key for you. It's still a work in progress but it s=
hould be mostly usable out of the box for local building, just needs some do=
cumentation on how to get started quickly.

It sounds like abuild-gzsplit needs to be fixed then; you should file an iss=
ue on alpine/abuild.git.=20

> How is this issue usually solved? What approach does official Alpine
> repository takes? What approach do people with private repositories use?

I can't speak for Alpine but Ad=C3=A9lie doesn't have mitigations for this i=
n place yet; it is my hope that we will eventually adopt my software to fix t=
hat. As far as I know most developers with private repositories use either l=
xc/lxd, docker-abuild, or just build directly on the host (eww) and don't re=
ally consider these issues.=20

Max=