You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+29-15Lines changed: 29 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,9 +21,12 @@ particular, a _role_ refers to a manner of use of a particular key. A given key
21
21
might, in principle, be used in multiple roles - for instance, the same key
22
22
could be used to sign timestamps and mirrors. In this context, "the timestamp
23
23
key" and "the mirror key" would refer to the same key used in two different
24
-
ways. Similarly, keys are distinguished from key IDs, which are hashes of the
25
-
key content. With the `ed25519` keys used by this process, they are the same
26
-
length, so be careful.
24
+
ways. Each role is assigned a _threshold_ that states how many signatures are
25
+
expected for a given role. For instance, in Hackage, the timestamp role requires
26
+
just one signature, while the root role requires three signatures. Similarly,
27
+
keys are distinguished from key IDs, which are hashes of the key content. With
28
+
the `ed25519` keys used by this process, they are the same length, so be
29
+
careful.
27
30
28
31
Hackage provides the following to build tools:
29
32
* An index, which contains the metadata for every package
@@ -87,6 +90,12 @@ file-based Hackage repositories in addition to signing.
87
90
88
91
## Keys and Participants
89
92
93
+
### The Root of Trust
94
+
95
+
The file `root.json` describes all of the keys used in Hackage Security. It
96
+
lists the public parts of the keys, enumerates the roles used, and assigns keys
97
+
and thresholds to each role. It is signed by keys in the root role.
98
+
90
99
### Root Keys
91
100
92
101
The Hackage root keys are held by trusted members of the Haskell community. A
@@ -97,21 +106,25 @@ encouraged to keep their keys very secure. The current collection of
97
106
keyholders, plus signatures that demonstrate that they have the keys, is
98
107
available at https://github.com/haskell-infra/hackage-root-keys .
99
108
100
-
The public part of the root key is shipped with the build tools that need to
101
-
verify Hackage downloads. Because these keys are so difficult to replace, they
102
-
are not used for operations. The root key is used to sign a set of operational
109
+
Root keys present a bootstrapping problem: how is a build tool to know whether
110
+
it should trust a newly-downloaded `root.json`? To work around this, the public
111
+
part of the root keys and the threshold policy for the root role are shipped
112
+
with the build tools that need to verify Hackage downloads. Once this
113
+
`root.json` has been verified, its policies override the built-in bootstrapping
114
+
keys.
115
+
116
+
Because these root keys are so difficult to replace, they are not used for
117
+
operations. The root keys are used to delegate roles to a set of operational
103
118
keys, and these operational keys are used for the daily signing of indices by
104
119
Hackage.
105
120
106
121
### Operational Keys
107
122
108
123
The operational keys are signed by the root keys. Build tools have no in-built
109
-
knowledge of them, but can instead discover them through downloading a file
110
-
(`/root.json`) signed by the root keys. This file contains the public parts of
111
-
all keys, whether root or operational, and describes which keys have which
112
-
roles. The operational private keys are kept secure by the Hackage
113
-
administrators, but because they are on an online machine, they are more
114
-
vulnerable than the root keys.
124
+
knowledge of them, but can instead discover them through `root.json`. The
125
+
operational private keys are kept secure by the Hackage administrators, but
126
+
because they are on an online machine, they are more vulnerable than the root
127
+
keys.
115
128
116
129
Operational keys fulfill two roles:
117
130
***Snapshot keys** are used to sign the Hackage index.
@@ -685,9 +698,10 @@ To prepare the updated `roots.json` for signing by the root keyholders, a coordi
685
698
4. Delete the existing signatures.
686
699
687
700
Each holder of root keys should do the following:
688
-
1. Install `hackage-root-tool` on the signing machine and ensure that the key is present.
689
-
2. Place the updated `roots.json` file on the signing machine.
690
-
3. Sign the file using `hackage-root-tool sign KEY roots.json`, and send the resulting signature back to the person who is coordinating the signing.
701
+
1. Verify that the contents of`root.json` are correct. Any changes to the set of keys and their roles or to the threshold policies should be trustworthy, and any newkeyholders need to have their identity verified. Please be a stickler for details here.
702
+
2. Install `hackage-root-tool` on the signing machine and ensure that the key is present.
703
+
3. Place the updated `roots.json` file on the signing machine.
704
+
4. Sign the file using `hackage-root-tool sign KEY roots.json`, and send the resulting signature back to the person who is coordinating the signing.
691
705
692
706
Finally, the coordinator should insert the provided signatures and commit the updated file to `https://github.com/haskell-infra/hackage-root-keys` and inform the Hackage admins so they can install it.
0 commit comments