Signatrust offers a highly secure, async and efficient solution for signing Linux packages and binaries using Rust. Our unified platform ensures streamlined operations and a high throughput for all signing requests.
Signing packages and binaries for a Linux distribution is essential in many use cases. Typically, PGP is used for RPM packages, ISO checksums, AppImages, and repository metadata. X509 certificates, on the other hand, are used to cover the cases of kernel modules and EFI. While there are several projects and scripts already in use within the community, they are often limited to CI/CD environments, and the management and security of private keys are not always covered.
We have observed several projects aiming to address these challenges.
Signatrust, which stands for Signature + Trust + Rust, is a Rust project that can provide a unified solution for all of these challenges:
E2E security design: Our end-to-end security design prioritizes the protection of sensitive data, such as keys and certificates, by transparently encrypting them with external KMS providers, like CloudHSM or Huawei KMS, before storing them in the database. Additionally, we have eliminated the need to transfer private keys to the client for local sign operations, opting instead to deliver content to the sign server and perform signature calculations directly in memory. Furthermore, all in-memory keys are zeroed out when dropped to protect against leaks to swap and core dumps. Currently, mutual TLS is required for communication between the client and server, with future upgrades planned to integrate with the SPIFFE/SPIRE ecosystem.
High throughput: To ensure high throughput, we have split the control server and data server and made it easy to replicate the data server. We have also made several performance enhancements, such as utilizing gRPC stream, client round-robin, memory cache, and async tasks to increase single-instance performance.
Complete binaries support:
User-friendly key management: Signatrust offers a user-friendly, standalone interface for managing sensitive keys, which can be seamlessly integrated with external account systems using the OpenID Connect (OIDC) protocol. Administrators have the ability to generate, import, export, and delete keys through this intuitive interface.
According to our performance tests, Signatrust outperformed Obs Sign (with the pgp agent backend) by a significant margin in a concurrent test environment (the obs-sign command driven by golang goroutines or python multiprocessing). Based on these test results, Signatrust appears to be a more efficient and effective solution for signing RPM packages; it's also worth noting that the performance issue of obs-sign is mainly due to gpg's agent implementation.
In order to support different levels of backend security, Signatrust supports different kinds of sign backend. The memory backend is the default one; it provides better performance, while all sensitive data is stored decrypted in memory. The configuration would look like:
[sign-backend]
type = "memory"
[memory.kms-provider]
type = ""
kms_id = ""
endpoint = ""
project_name = ""
project_id = ""
username = ""
password = ""
domain=""
[memory.encryption-engine]
rotate_in_days = 90
algorithm = "aes256gsm"
This project consists of several binaries:
There are two ways to set up a local development environment:
Build and run binary directly:
Run these commands correspondingly to build or run project executable binary:
# build binary
cargo build --bin control-server/data-server/client/control-admin
# running command
RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/<binary> --config <config-file-path>
Additionally, we have developed a script to set up the MySQL database in a Docker environment. To use the script, you will need to install the Docker server, the MySQL binary, and the Sqlx binary. Once you have these installed, simply run the command below to initialize the database.
make db
Using docker compose:
Alternatively, you can use docker compose to set up a development environment easily:
docker compose up
This will build docker images for redis, mysql, control-server and data-server and start them.
When using the memory backend, to ensure the security of sensitive data, Signatrust requires an external KMS system for encryption and decryption. However, to run the system locally for development purposes, you will need to configure a dummy KMS provider:
[kms-provider]
type = "dummy"
In order to develop without setting up an external OIDC server, simply run the prepared script, which will generate the default admin and token and the default keys:
make init
Pay attention to the command output:
...skipped output
[Result]: Administrator tommylikehu@gmail.com has been successfully created with token XmUICsVV48EjfkWYv3ch1eutRJOQh7mp3bRfmQDL will expire 2023-09-23 11:20:33 UTC
...skipped output
[Result]: Keys 'default-pgp' type pgp has been successfully generated
[Result]: Keys 'default-x509' type x509 has been successfully generated
Now you can use this token to debug the control service API, or use the pgp key for signing rpm packages with the client:
curl -k --header "Authorization:XmUICsVV48EjfkWYv3ch1eutRJOQh7mp3bRfmQDL" -v http(s)://localhost:8080/api/v1/keys/
RUST_BACKTRACE=full RUST_LOG=info ./target/debug/client --config <client-config-file-path> add --key-name default-pgp --file-type rpm --key-type pgp .data/simple.rpm
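As an added example that is not part of the Signatrust repository, the shell snippet below pulls the administrator token out of the `make init` output shown above and uses it for the same keys API call, refusing to send a request when no token was found; the `make init` output is a constructed sample embedded inline, and the control server base URL is assumed to be https://localhost:8080 as in the README.

```shell
#!/bin/sh
# Added example (not from the Signatrust repo): capture the admin token printed by
# `make init` and use it as the Authorization header for the control server API.

# extract_token: read `make init` output on stdin and print only the token from the
# "[Result]: Administrator ... with token <TOKEN> will expire ..." line.
extract_token() {
    sed -n 's/^\[Result\]: Administrator .* with token \([A-Za-z0-9]*\) will expire .*$/\1/p'
}

# Constructed sample of the `make init` output so this script can run offline.
SAMPLE_INIT_OUTPUT="...skipped output
[Result]: Administrator tommylikehu@gmail.com has been successfully created with token XmUICsVV48EjfkWYv3ch1eutRJOQh7mp3bRfmQDL will expire 2023-09-23 11:20:33 UTC
...skipped output
[Result]: Keys 'default-pgp' type pgp has been successfully generated
[Result]: Keys 'default-x509' type x509 has been successfully generated"

# list_keys <token> [base-url]: call the keys API with the token in the Authorization
# header. Fails instead of sending an unauthenticated request when the token is empty.
list_keys() {
    token="$1"
    base_url="${2:-https://localhost:8080}"   # assumed local dev address
    if [ -z "$token" ]; then
        echo "list_keys: no token extracted from make init output" >&2
        return 1
    fi
    # -k only because the local development server uses a self-signed certificate.
    curl -k -s --header "Authorization:${token}" "${base_url}/api/v1/keys/"
}

# Offline: extract the token from the constructed sample.
TOKEN=$(printf '%s\n' "$SAMPLE_INIT_OUTPUT" | extract_token)
# Against a real instance: TOKEN=$(make init | extract_token); list_keys "$TOKEN"
```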
Signatrust supports online OpenAPI documentation: once the control server starts, navigate to localhost:8080/api/swagger-ui/ and check the document. Note that you need to add the correct Authorization header to try the APIs.
In order to build and run the project in a local cluster:
make client-image/make data-server-image/make control-server-image/make control-admin-image
make deploy-local
and you will have these pods running:
signatrust-client-6cfddccc7-frl5r ● 1/1 0 Running 0 0 0 n/a 0 n/a 10.10.1.120 10.0.0.56 14m
signatrust-control-admin-665fccc4b-mhknb ● 1/1 0 Running 0 3 n/a n/a n/a n/a 10.10.1.31 10.0.0.134 10m
signatrust-control-server-967f6d84f-lrbl9 ● 1/1 0 Running 2 13 0 n/a 0 n/a 10.10.0.28 10.0.0.175 17m
signatrust-database-6cfdb54c58-5c2lr ● 1/1 0 Running 3 491 0 n/a 12 n/a 10.10.0.229 10.0.0.237 6h37m
signatrust-redis-9bcc87b46-88jbp ● 1/1 0 Running 1 11 0 n/a 0 n/a 10.10.0.29 10.0.0.175 15m
signatrust-server-6995c84749-zj2df ● 1/1 0 Running 1 1 0 n/a 0 n/a 10.10.0.30 10.0.0.175 4h2m