rPath Appliance Platform Agent:Flip-flop Update Plugin Signed

From rPath Wiki

Workflow

Creation and Signing:

  • Create a tarball image in rBuilder (Build Type: Tarball Image).
  • Download the tarball image to a workstation that holds the signing key; the key owner signs it there.
  • After signing, upload the image to an FTP site (or another distribution mechanism) for customers to download.

Consumption and Application:

  • The customer downloads the signed image.
  • The customer uploads the signed image to the Flip-flop Plugin on the appliance to be updated.
  • The Flip-Flop plugin reads the signed image and verifies the signature. If the signature is intact and correct, it applies the update; if the signature is incorrect or missing, it returns a message to the user stating that signature validation failed.
  • Flip-Flop then continues as currently implemented (see Upload Update Images).

To create in an appliance:

  • Create and maintain a keyring that contains all trusted public keys.
    • Package this keyring as a trove that is installed in the system image. Updates to the keyring must be delivered through Flip-Flop update tarballs.
  • Configure the Flip-Flop plugin on the appliance to accept signed images.
    • Set the location of the OpenPGP keyring to use.
  • Build the gpg:runtime trove into the appliances.

Creation of Signing Key

To create a gpg key, download and install the gnupg trove onto the workstation that will be signing images:

  • sudo conary update gnupg

After the update completes, generate a key with the following command:

  • gpg --gen-key

You will be prompted with a series of questions, such as the encryption algorithm and key size. Choose values that meet or exceed your company's security requirements. This command generates a key inside the ~/.gnupg directory. Remember your passphrase, as it will be needed when signing the image (see below).

Sign Image

To sign a Flip-flop image you must have GnuPG (an OpenPGP implementation) installed on the workstation where signing will take place. The rPath Appliance Platform Agent Flip-flop Plugin requires a valid signature or the update will not be applied. A valid signature is one that has not expired and whose signing key is contained in the OpenPGP keyring that the Appliance Agent is configured to use (see Signed Image Settings). The following command is used to sign the image:

gpg --sign --compress-algo none filename.tgz

This will prompt for the signing key passphrase and create a binary data file named filename.tgz.gpg. This file contains the original file, plus the signature. The file, filename.tgz.gpg, is the file that will be uploaded to the Flip-Flop plugin. The file's signature can be verified external to the Flip-Flop plugin by running gpg --verify filename.tgz.gpg. The original file can be extracted by running gpg filename.tgz.gpg.

Information on managing keys using gpg can be found in The GNU Privacy Handbook.

Validate Signed Image

Running gpg --verify filename.tgz.gpg validates the image from the command line on any workstation that has the public key the image was signed with. On the appliance, the Flip-flop Update plugin performs the validation itself (if configured to do so); follow the instructions on applying a signed image update. The Flip-Flop plugin reads the signed image and verifies the signature. If the signature is intact and correct, the update is applied. If it is incorrect or missing, the plugin returns a message stating that signature validation failed.
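The check the plugin performs, written out as an added example (this is not rPath's plugin code): GnuPG is run against only the trusted keyring, with its machine-readable status output parsed, and the image is accepted solely on a GOODSIG; an unknown, bad, revoked or expired key or signature (EXPKEYSIG, EXPSIG) rejects it. The keyring path, key ids and status lines used in the comments and tests are constructed.

```python
import subprocess
from dataclasses import dataclass

# GnuPG --status-fd tokens (documented in doc/DETAILS of the GnuPG source).
# Only GOODSIG accepts; EXPKEYSIG/EXPSIG mean gpg found a good signature but
# the key or the signature has expired, so the image is still rejected.
ACCEPT = {"GOODSIG"}
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG",
          "REVKEYSIG", "NODATA", "UNEXPECTED"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signer: str = ""


def classify_status(status_lines):
    """Decide accept/reject from the [GNUPG:] status lines of one gpg run."""
    result = VerifyResult(False, "signature validation failed (no signature found)")
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # gpg's human-readable output is ignored; only status lines count
        parts = line.split(maxsplit=3)
        token = parts[1]
        if token in REJECT:
            # One bad, unknown, expired or missing signature rejects the whole
            # image, even if another signature on the same file was good.
            return VerifyResult(False, f"signature validation failed ({token})")
        if token in ACCEPT:
            # Format: [GNUPG:] GOODSIG <long key id> <user id>
            signer = parts[3] if len(parts) > 3 else parts[2]
            result = VerifyResult(True, "signature valid", signer)
    return result


def verify_image(image, keyring, extract_to=None):
    """Verify filename.tgz.gpg against the trusted keyring only (constructed
    path, e.g. /etc/flipflop/trusted.gpg), then optionally unwrap the original
    tarball, which is what running `gpg filename.tgz.gpg` does by hand."""
    base = ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring)]
    proc = subprocess.run(base + ["--status-fd", "1", "--verify", str(image)],
                          capture_output=True, text=True)
    result = classify_status(proc.stdout.splitlines())
    if result.ok and extract_to is not None:
        subprocess.run(base + ["--output", str(extract_to), "--decrypt", str(image)],
                       check=True, capture_output=True)
    return result
```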

Distribution of Signed Image

Industry-standard signing practice with GnuPG holds that one individual is responsible for the signing key while the signing operation is executed by another individual (who is subject to the security policies created by the company). rPath recommends that the process NOT be automated, so that individual signatures can be validated and verified (for security purposes).

Saving private keys within rBuilder would introduce significant additional liability in keeping those private keys safe on a networked server. Because the image must still be delivered to the end consumer, a distribution method outside rBuilder must be used (such as FTP or HTTP).

Use an FTP server or web server to distribute signed images after signing of the image is complete.

Other Notes

When validating a signature against an expired public key, the conary OpenPGP library checks expiry against the signature date rather than the current date. This means a Flip-Flop update that replaces the OpenPGP keyring can still be accepted after the original key expires, but that update must have been signed before the expiry of the original key in order to be accepted.