Closed
Bug 1284968
Opened 8 years ago
Closed 8 years ago
enable chain-of-trust artifact generation in docker-worker
Categories
(Taskcluster :: Workers, defect)
Taskcluster
Workers
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mozilla, Unassigned)
References
Details
For TaskCluster nightly security, we need chain of trust artifacts generated+signed by the workers. This will be enabled by a boolean in the task definition (enableChainOfTrust: true?). It will be signed by an embedded GPG key, which will be unique per AMI.
* download previous signed CoT artifacts, if applicable
* generate hashes for all task artifacts
* generate CoT json
* sign the json with embedded private GPG key
* upload signed json
The chain-of-trust artifact is a list of the below json blobs, signed:
[
PREVIOUS_SIGNED_COT_ARTIFACT(s), // if applicable; links to these in task definition.
// these are ascii-armor blobs
{
"artifacts": {
"name": "ALG:...", // sha256 or sha512
...
},
"task": {
taskdefn
},
"taskId": "...",
"runId": ...,
"extra": {
... // for docker-worker, probably docker image sha, and
// enough info to get to the docker image artifact builder task and
// its cot artifact if applicable. alternately, embed the docker image
// artifact builder task's cot artifact in the list of
// previous_signed_cot_artifacts above
}
}
]
I think it'll be ascii-armored, which isn't directly human readable, but is easier for machines to work with.
Then add it to the list of artifacts to upload, and upload.
Ideally the private key is never in a human's hands, only the public key, but this is a good first step.
|
||
Comment 1•8 years ago
|
||
Jonas and I discussed the option of our AMI creation process issue the commands to generate a gpg key directly on the temporary ami that's running rather than requiring a user to have that information.
|
|
||
Comment 2•8 years ago
|
||
"* download previous signed CoT artifacts, if applicable" When would this be applicable by docker-worker?
|
Reporter | |
Comment 3•8 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #2) > "* download previous signed CoT artifacts, if applicable" > > When would this be applicable by docker-worker? When there are CoT artifact links in the task definition. Also potentially as a way to vet the docker image artifact builder's output, but that can be in 'extra' as noted above.
|
|
Reporter | |
Comment 4•8 years ago
|
||
(In reply to Greg Arndt [:garndt] from comment #1) > Jonas and I discussed the option of our AMI creation process issue the > commands to generate a gpg key directly on the temporary ami that's running > rather than requiring a user to have that information. Awesome, as long as we can get the public key to add to the set of known+good.
|
|
||
Comment 5•8 years ago
|
||
(In reply to Aki Sasaki [:aki] from comment #4) > (In reply to Greg Arndt [:garndt] from comment #1) > > Jonas and I discussed the option of our AMI creation process issue the > > commands to generate a gpg key directly on the temporary ami that's running > > rather than requiring a user to have that information. > > Awesome, as long as we can get the public key to add to the set of > known+good. Yup, once the key is created it can spit the public key out to the console so we can copy it wherever we need it.
|
|
Reporter | |
Comment 6•8 years ago
|
||
Had a chat with Jonas over Vidyo. I'm going to WONTFIX this bug and file a new one with an updated description.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
|
|
Reporter | |
Comment 7•8 years ago
|
||
The new bug is bug 1284991.
|
Assignee | |
Updated•5 years ago
|
Component: Docker-Worker → Workers
You need to log in
before you can comment on or make changes to this bug.
Description
•