GPG-signed commits


I’m thinking over some deployment pipeline security ideas, and I was wondering if anyone’s looking at using GPG-signed commits as a safeguard against unauthorized changes making it into production, and consequentially onto the devices themselves.



I think it depends a bit where you are looking to secure things. If it’s on the builder side (i.e. the git endpoint that you push code to to be built by then we’re already using ssh to encrypt everything. Adding a GPG signature would be possible but under normal circumstances I’m not sure how much extra security it gives – if someone compromises your ssh key they could probably compromise your GPG key as well. And it adds a lot of overhead in terms of key management, verification, etc. that would not be easy to expose securely.

If it’s a concern about the device side, that’s another question entirely. Signing images on the device would be fantastic, but the device would need to have hardware support for storing and checking keys. Think about it: in order to verify a signed image, your device needs to store a public key to check the signature against. But if the public key is stored on an unencrypted volume, an attacker could easily replace the on-device key with their own. Now their malicious image is validated by the on-device key and you are no better off than before. (Maybe even worse as you have a false sense of security!)

Encrypting the volume on which the key is stored has the same issue: where do you store the encryption key? If it’s on the device, you’re back to the same problem. And if not, how do you get it to the device without worrying that it’s been compromised in transit? (Exactly the problem you have with signed images.)

The good news is that device manufacturers are starting to think about this. As we see more Intel TPM and ARM TrustZone support on devices, this becomes a real possibility. These technologies provide hardware support for storing secrets in a way that makes them much more difficult to compromise. But unfortunately for devices that lack this hardware support there’s really not a lot we can do.