From: Alyssa Ross
To: devel@spectrum-os.org
Subject: Binary cache key rotation
Date: Fri, 16 Aug 2024 21:01:14 +0200
Message-ID: <87zfpc5m2t.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Some of you may know that a few months ago, the Spectrum binary cache builder broke, because a change to the TLS on github.com (where the builder downloaded NixOS netboot images from) meant that Vultr's iPXE was no longer able to connect to it, and Vultr told me they couldn't give a timeline on updating iPXE to include the fix[1]. In the time since then, I've been working on a new binary cache builder with no need for iPXE — more information in the commit message[2].

One of the nice things about the new design is that it allows for being a little bit more careful with the key — it's stored in Scaleway's Secret Manager[3] (which stores it encrypted), and it's never written to disk unencrypted by the builder. Given this slightly higher level of security for the key, it makes sense to transition to a new key that has never been stored outside of this arrangement. (I generated it from Tails.)

So, if you have Nix configured to trust the old binary cache key, spectrum-os.org-1:rnnSumz3+Dbs5uewPlwZSTP0k3g/5SRG4hD7Wbr9YuQ=, you should replace that in your configuration with the new key, spectrum-os.org-2:foQk3r7t2VpRx92CaXb5ROyy/NBdRJQG2uX2XJMYZfU=.
During the Tails session where I generated the new key, I also generated and uploaded signatures for all store paths in the binary cache that had a valid signature from the old key, so it's possible to distrust the old key without losing the ability to substitute old paths from the binary cache. In future, all store paths built by the builder will only be signed with the new key.

I've updated the binary cache documentation to describe the new binary cache[4]. The rendered documentation on the website will update once the new builder has completed its first build.

This is a small evolutionary step for builder security — I'd probably still want to do more before using it to build non-development images, for example having the key on an HSM rather than being on the builder's filesystem.

[1]: https://github.com/ipxe/ipxe/commit/1d1cf74a5e58811822bee4b3da3cff7282fcdfca
[2]: https://spectrum-os.org/git/infra/commit/?id=ef9717440ff4e000cb50009bb68ba3b4c9eb17ef
[3]: https://www.scaleway.com/en/secret-manager/
[4]: https://spectrum-os.org/git/spectrum/commit/?id=f5a75c9739d9ab23323734ccdfda425a9eb65034
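The rotation described in the message above (re-sign every old path with the new key, then have clients swap the entry in trusted-public-keys) works because a Nix narinfo can carry several Sig lines and a substituter only needs one of them to come from a currently trusted key. The following Go program is an added example, not part of Alyssa's message or of the Spectrum infra code: it models the Nix cache signature scheme (an Ed25519 signature over the path fingerprint "1;<store path>;<NAR hash>;<NAR size>;<references>", keys and signatures written as "<name>:<base64>"), checks that the two public keys quoted in the announcement decode to 32-byte Ed25519 keys, and walks through the rotation with throwaway keypairs. The store path and NAR hash are constructed placeholders, and the generated keys are stand-ins, not Spectrum's real keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// The two public keys named in the announcement, in the "<name>:<base64>"
// form Nix expects in trusted-public-keys.
const (
	OldKey = "spectrum-os.org-1:rnnSumz3+Dbs5uewPlwZSTP0k3g/5SRG4hD7Wbr9YuQ="
	NewKey = "spectrum-os.org-2:foQk3r7t2VpRx92CaXb5ROyy/NBdRJQG2uX2XJMYZfU="
)

// Key is a Nix binary cache key. Priv is nil for a trusted public key.
type Key struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// GenerateKey makes a throwaway Ed25519 keypair under a Nix key name
// (the same thing `nix key generate-secret --key-name <name>` does).
func GenerateKey(name string) (Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Key{Name: name, Pub: pub, Priv: priv}, err
}

// ParsePublicKey parses one trusted-public-keys entry and checks that the
// payload really is a 32-byte Ed25519 public key.
func ParsePublicKey(s string) (Key, error) {
	name, b64, ok := strings.Cut(s, ":")
	raw, err := base64.StdEncoding.DecodeString(b64)
	if !ok || name == "" || err != nil || len(raw) != ed25519.PublicKeySize {
		return Key{}, fmt.Errorf("%q is not <name>:<base64 Ed25519 public key>", s)
	}
	return Key{Name: name, Pub: ed25519.PublicKey(raw)}, nil
}

// PublicString renders the key as a trusted-public-keys entry.
func (k Key) PublicString() string {
	return k.Name + ":" + base64.StdEncoding.EncodeToString(k.Pub)
}

// Fingerprint is the string a cache key signs for a store path; the rest
// of the narinfo is not covered by the signature.
func Fingerprint(storePath, narHash string, narSize uint64, references []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(references, ","))
}

// Sign produces one narinfo "Sig:" value, "<name>:<base64 signature>".
// A narinfo may carry several of these, one per key that signed it.
func (k Key) Sign(fingerprint string) (string, error) {
	if k.Priv == nil {
		return "", fmt.Errorf("key %s has no private half", k.Name)
	}
	sig := ed25519.Sign(k.Priv, []byte(fingerprint))
	return k.Name + ":" + base64.StdEncoding.EncodeToString(sig), nil
}

// ValidSigners returns the names of trusted keys with a valid signature over
// fingerprint. A substituter accepts the path when this is non-empty, so a
// path re-signed with the new key stays usable after the old key is dropped.
func ValidSigners(fingerprint string, sigs []string, trusted []Key) []string {
	byName := make(map[string]Key, len(trusted))
	for _, k := range trusted {
		byName[k.Name] = k
	}
	var names []string
	for _, s := range sigs {
		name, b64, _ := strings.Cut(s, ":")
		k, known := byName[name]
		raw, err := base64.StdEncoding.DecodeString(b64)
		if !known || err != nil || len(raw) != ed25519.SignatureSize {
			continue // untrusted key or malformed signature: ignored, not fatal
		}
		if ed25519.Verify(k.Pub, []byte(fingerprint), raw) {
			names = append(names, name)
		}
	}
	return names
}

func main() {
	old, _ := GenerateKey("spectrum-os.org-1") // stand-ins, not the real keys
	cur, _ := GenerateKey("spectrum-os.org-2")
	// Constructed store path and NAR hash; a real narinfo supplies these.
	fp := Fingerprint("/nix/store/00000000000000000000000000000000-example-1.0", "sha256:0000000000000000000000000000000000000000000000000000", 4096, nil)
	oldSig, _ := old.Sign(fp)
	newSig, _ := cur.Sign(fp) // the re-signing step done in the Tails session
	sigs := []string{oldSig, newSig}
	fmt.Println("trust only the old key:", ValidSigners(fp, sigs, []Key{old}))
	fmt.Println("trust only the new key:", ValidSigners(fp, sigs, []Key{cur}))
}
```

The same check against a real cache is `nix store verify --trusted-public-keys '<name>:<base64>' /nix/store/<path>`; a path that only carries the old key's signature fails once spectrum-os.org-1 is removed from that set, which is why the old paths had to be re-signed first.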