We are using PGP signing (actually we are using GPG in Linux) to sign applications within an embedded product as an anti-hacker device. However, up until now the PGP public and private keys used in the PGP signing process are stored in our Source Code Repository along with the source code for the actual product. Our customer has told us that this is not good enough security. Our source control system is CVS under Linux. So, they have suggested that they want to be able to build the applications for production using some PGP keys which are inserted into the build process automatically, and these keys must not reside in our source control system ever. We are allowed to use some different keys for development, which can live in the source control system, but when doing a formal software release the keys must be got from someplace to which the developers have no access. Additionally the customer is located in the USA, while the build server is located in England. So the PGP keys are located some place in the USA and the PGP keys will need to go across the Atlantic through the company's WAN.
Create a key pair to be used to sign a build on your end. The private
key should be under the control of someone who has authority to answer
for the integrity of your build process.

When the components that must be signed are complete, sign them with
your key and send them to the customer. The customer can then verify
that the components are properly signed, then re-sign them with their
key. They send the signed components back to you and you package them
and release them.
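The exchange described in this answer, as an added shell example that is not part of the original post: two throwaway GnuPG keyrings stand in for the vendor's build key and the customer's release key, the vendor signs, the customer verifies and counter-signs, and the vendor verifies that counter-signature (and checks that a tampered artifact fails) before packaging. The user IDs, e-mail addresses and the app.bin artifact are constructed for the demo; it assumes GnuPG 2.1 or later is installed.

```shell
# gpgq HOMEDIR ARGS... : run gpg non-interactively against one keyring.
# Empty --passphrase with --batch yields unprotected keys: demo only.
gpgq() {
    d=$1; shift
    gpg --homedir "$d" --batch --quiet --no-tty --yes \
        --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# make_key HOMEDIR USER-ID : fresh keyring holding one signing-only key.
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpgq "$1" --quick-generate-key "$2" default sign 0
}

# Returns 0 when the whole chain verifies, 1 on any failure,
# 77 when gpg is not installed (caller may treat that as "skipped").
demo_two_party_signing() {
    command -v gpg >/dev/null 2>&1 || return 77
    work=$(mktemp -d) || return 1
    vendor=$work/vendor; customer=$work/customer
    printf 'firmware image (constructed sample)\n' > "$work/app.bin"
    make_key "$vendor"   "Vendor Build <build@vendor.example>"         || return 1
    make_key "$customer" "Customer Release <release@customer.example>" || return 1

    # 1. Vendor signs the build; artifact, signature and public key go to the customer.
    gpgq "$vendor" --armor --export build@vendor.example > "$work/vendor.pub" || return 1
    gpgq "$vendor" --local-user build@vendor.example --armor --detach-sign \
        -o "$work/app.bin.vendor.sig" "$work/app.bin" || return 1

    # 2. Customer imports the vendor key, verifies, then re-signs with the release key.
    gpgq "$customer" --import "$work/vendor.pub" || return 1
    gpgq "$customer" --verify "$work/app.bin.vendor.sig" "$work/app.bin" || return 1
    gpgq "$customer" --armor --export release@customer.example > "$work/customer.pub" || return 1
    gpgq "$customer" --local-user release@customer.example --armor --detach-sign \
        -o "$work/app.bin.release.sig" "$work/app.bin" || return 1

    # 3. Vendor verifies the release signature before packaging. Appending one
    #    byte to the artifact must then make the same signature fail.
    gpgq "$vendor" --import "$work/customer.pub" || return 1
    gpgq "$vendor" --verify "$work/app.bin.release.sig" "$work/app.bin" || return 1
    printf 'x' >> "$work/app.bin"
    if gpgq "$vendor" --verify "$work/app.bin.release.sig" "$work/app.bin"; then
        return 1   # a tampered artifact verified: the check is broken
    fi

    for d in "$vendor" "$customer"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
    return 0
}
```

Run it with `demo_two_party_signing; echo $?`; a real deployment would keep the two private keys on separate, access-controlled machines rather than in one temporary directory.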