Proposal to adopt Sigsum signatures?

Eventually we are looking to adopt Sigsum logging in ST. Exactly when and how we're going to do that is up in the air. Below is a copy-paste of a milestone we had planned to work on, but it got backlogged. To the best of my knowledge the progress so far can be summarized as: there has been some discussion between nisse and philipp on how to express a spicy Sigsum signature in a UKI-compatible way.

Let's try to collect other things we know or have thought about w.r.t. adding Sigsum to ST in this issue.


Transition to Sigsum signatures and support logging

Introduction: OS packages are currently signed by hashing them with SHA256, then using Ed25519 or RSA to produce a signature over the digest. Moving forward, both of the existing signing approaches should be deprecated in favor of signatures that can be Sigsum-logged. Considering that there's going to be an OS-package format refactoring, now would be a good time to ensure that the signature on the new blob is Sigsum-compatible. Further, the Sigsum log server protocol is now at version 1, so there is a stable interface to implement.
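To make the difference between the two schemes concrete, here is an added example (not code from ST, stboot or the Sigsum project) that signs a constructed OS-package blob the way the issue describes today, and the way a Sigsum leaf expects it. It assumes, from my reading of the Sigsum v1 spec, that the signed message is the SHA256 of the blob, that the signature is Ed25519 in the SSH signature format with namespace `sigsum.org/v1/tree-leaf`, and that the leaf carries SHA256(message), the signature, and SHA256(public key); check those details against the published spec before relying on them. Function names and the sample blob are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Namespace and hash name for Sigsum v1 tree-leaf signatures. Assumed from my
// reading of the v1 spec; verify against the published spec.
const (
	sigsumLeafNamespace = "sigsum.org/v1/tree-leaf"
	sshHashAlg          = "sha256"
)

// sshString encodes an SSH "string": 4-byte big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// sshSignedData builds the bytes that Ed25519 actually signs in the SSH
// signature format: "SSHSIG" || string(namespace) || string(reserved) ||
// string(hash_alg) || string(H(message)).
func sshSignedData(namespace string, message []byte) []byte {
	h := sha256.Sum256(message)
	out := []byte("SSHSIG")
	out = append(out, sshString([]byte(namespace))...)
	out = append(out, sshString(nil)...) // reserved, empty
	out = append(out, sshString([]byte(sshHashAlg))...)
	out = append(out, sshString(h[:])...)
	return out
}

// Leaf is what a Sigsum log stores per entry (assumed layout): a checksum of
// the signed message, the signature, and a hash of the signer's public key.
type Leaf struct {
	Checksum  [32]byte
	Signature [ed25519.SignatureSize]byte
	KeyHash   [32]byte
}

// SignPackage hashes the OS-package blob into the 32-byte Sigsum message,
// signs it with the namespaced SSH format, and returns message and leaf.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) (message [32]byte, leaf Leaf) {
	message = sha256.Sum256(pkg)
	sig := ed25519.Sign(priv, sshSignedData(sigsumLeafNamespace, message[:]))
	leaf.Checksum = sha256.Sum256(message[:])
	copy(leaf.Signature[:], sig)
	leaf.KeyHash = sha256.Sum256(priv.Public().(ed25519.PublicKey))
	return message, leaf
}

// VerifyPackage is the check a booting stboot would perform: recompute the
// message from the blob, then check leaf checksum, key hash and signature.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte, leaf Leaf) bool {
	message := sha256.Sum256(pkg)
	if sha256.Sum256(message[:]) != leaf.Checksum {
		return false
	}
	if sha256.Sum256(pub) != leaf.KeyHash {
		return false
	}
	return ed25519.Verify(pub, sshSignedData(sigsumLeafNamespace, message[:]), leaf.Signature[:])
}

// LegacyVerify is the scheme the issue says is in use today, for contrast:
// Ed25519 directly over the SHA256 digest of the blob, with no namespace.
func LegacyVerify(pub ed25519.PublicKey, pkg []byte, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed OS package blob, not a real ST package")
	msg, leaf := SignPackage(priv, pkg)
	fmt.Println("sigsum message:", hex.EncodeToString(msg[:]))
	fmt.Println("leaf verifies:", VerifyPackage(pub, pkg, leaf))
	// A legacy signature over the same digest is not a valid Sigsum leaf
	// signature, because the namespaced SSH wrapping is missing.
	copy(leaf.Signature[:], ed25519.Sign(priv, msg[:]))
	fmt.Println("legacy sig accepted as leaf:", VerifyPackage(pub, pkg, leaf))
}
```

The point of the contrast is that a Sigsum-compatible signature is still "SHA256 then Ed25519", but the 32-byte digest is wrapped in a domain-separated message before signing, so neither form of signature verifies under the other scheme, and the same private key can produce both while the signer migrates.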

Roughly the steps needed:

  • Propose a Sigsum-compatible signature format (and decide what to do with the old ways of signing)
  • Refactor so our tooling can sign with this format
  • Refactor so stboot accepts this format

The above should not require any other changes to, e.g., trust policy.

Then:

  • Propose how to incorporate Sigsum into ST's trust policy, maybe /etc/trust_policy/sigsum and an on/off toggle in /etc/trust_policy/trust_policy.json or similar?
  • Add support for Sigsum logging in our tooling (i.e., not just signing)
  • Add support for enforcing Sigsum logging in stboot

Any monitoring that this makes possible is out of scope; this milestone is already large as it is. (There's always the next milestone.)

Open questions:

  • The proposals, obviously.
  • How this fits into / on top of the OS package refactoring. Can we assume that signing will look roughly the same as today, just over a different blob?