enable chain-of-trust artifact generation in docker-worker

RESOLVED WONTFIX

(Reporter: aki, Unassigned)


(Reporter)

Description

3 years ago
For TaskCluster nightly security, we need chain of trust artifacts generated+signed by the workers.  This will be enabled by a boolean in the task definition (enableChainOfTrust: true?).  It will be signed by an embedded GPG key, which will be unique per AMI.

* download previous signed CoT artifacts, if applicable
* generate hashes for all task artifacts
* generate CoT json
* sign the json with embedded private GPG key
* upload signed json

The chain-of-trust artifact is a list of the below json blobs, signed:

[
  PREVIOUS_SIGNED_COT_ARTIFACT(s),  // if applicable; links to these in task definition.
                                    // these are ascii-armor blobs
  {
    "artifacts": {
      "name": "ALG:...",  // sha256 or sha512
      ...
    },
    "task": {
      taskdefn
    },
    "taskId": "...",
    "runId": ...,
    "extra": {
      ...  // for docker-worker, probably docker image sha, and
           // enough info to get to the docker image artifact builder task and 
           // its cot artifact if applicable.  alternately, embed the docker image
           // artifact builder task's cot artifact in the list of 
           // previous_signed_cot_artifacts above
    }
  }
]

I think it'll be ascii-armored, which isn't directly human readable, but is easier for machines to work with.

Then add it to the list of artifacts to upload, and upload.

Ideally the private key is never in a human's hands, only the public key, but this is a good first step.
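An added example (not docker-worker or TaskCluster code) of the blob sketched above: it hashes a constructed artifact set, builds the per-task json, and on the consuming side checks a downloaded artifact set against it. `sign_armored` assumes a `gpg` binary with the worker's key is on the path and is not exercised by the sample run; all task and artifact data is constructed.

```python
import hashlib
import hmac
import json
import subprocess

SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

def hash_artifacts(artifacts, alg="sha256"):
    """Map artifact name -> "ALG:hexdigest" for a dict of name -> bytes."""
    digest = SUPPORTED[alg]
    return {name: f"{alg}:{digest(data).hexdigest()}" for name, data in sorted(artifacts.items())}

def build_cot(task_id, run_id, task_defn, artifacts, extra=None, alg="sha256"):
    """The per-task json blob from the sketch; previous CoT blobs are prepended by the caller."""
    return {"artifacts": hash_artifacts(artifacts, alg), "task": task_defn,
            "taskId": task_id, "runId": run_id, "extra": extra or {}}

def serialize(cot_list):
    # Canonical, key-sorted JSON so the bytes handed to the signer are reproducible.
    return json.dumps(cot_list, sort_keys=True, separators=(",", ":")).encode()

def sign_armored(payload, gpg=("gpg", "--armor", "--clearsign")):
    """Assumed signing step: pipe the JSON through gpg on the worker (needs gpg and a key)."""
    return subprocess.run(gpg, input=payload, check=True, capture_output=True).stdout

def verify_artifacts(cot, downloaded):
    """Check downloaded {name: bytes} against a (verified) blob; return a list of problems."""
    problems = []
    for name, data in downloaded.items():
        expected = cot["artifacts"].get(name)
        if expected is None:
            problems.append(f"{name}: not listed in chain-of-trust artifact")
            continue
        alg, _, digest = expected.partition(":")
        if alg not in SUPPORTED:
            problems.append(f"{name}: unsupported hash algorithm {alg!r}")
            continue
        if not hmac.compare_digest(SUPPORTED[alg](data).hexdigest(), digest):
            problems.append(f"{name}: hash mismatch")
    return problems

# Constructed sample task definition and artifacts (not real TaskCluster data).
SAMPLE_TASK = {"workerType": "example-worker"}
SAMPLE_ARTIFACTS = {"public/build/target.tar.bz2": b"build output", "public/logs/live.log": b"task log"}

def make_sample_cot():
    return build_cot("TASKID-EXAMPLE", 0, SAMPLE_TASK, SAMPLE_ARTIFACTS,
                     extra={"imageSha": "sha256:PLACEHOLDER"})  # docker image sha would go here

if __name__ == "__main__":
    cot = make_sample_cot()
    print(serialize([cot]).decode())
    print(verify_artifacts(cot, SAMPLE_ARTIFACTS))  # [] when every artifact matches
```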
Comment 1

3 years ago
Jonas and I discussed the option of our AMI creation process issuing the commands to generate a gpg key directly on the temporary ami that's running rather than requiring a user to have that information.

Comment 2

3 years ago
"* download previous signed CoT artifacts, if applicable"

When would this be applicable by docker-worker?
(Reporter)

Comment 3

3 years ago
(In reply to Greg Arndt [:garndt] from comment #2)
> "* download previous signed CoT artifacts, if applicable"
> 
> When would this be applicable by docker-worker?

When there are CoT artifact links in the task definition.

Also potentially as a way to vet the docker image artifact builder's output, but that can be in 'extra' as noted above.
(Reporter)

Comment 4

3 years ago
(In reply to Greg Arndt [:garndt] from comment #1)
> Jonas and I discussed the option of our AMI creation process issuing the
> commands to generate a gpg key directly on the temporary ami that's running
> rather than requiring a user to have that information.

Awesome, as long as we can get the public key to add to the set of known+good.
Comment 5

3 years ago
(In reply to Aki Sasaki [:aki] from comment #4)
> (In reply to Greg Arndt [:garndt] from comment #1)
> > Jonas and I discussed the option of our AMI creation process issuing the
> > commands to generate a gpg key directly on the temporary ami that's running
> > rather than requiring a user to have that information.
> 
> Awesome, as long as we can get the public key to add to the set of
> known+good.

Yup, once the key is created it can spit the public key out to the console so we can copy it wherever we need it.
(Reporter)

Comment 6

3 years ago
Had a chat with Jonas over Vidyo.  I'm going to WONTFIX this bug and file a new one with an updated description.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
(Reporter)

Updated

3 years ago
See Also: → bug 1284991
(Reporter)

Comment 7

3 years ago
The new bug is bug 1284991.