
Use minisign/signify instead of GPG for release signing
Closed, Resolved (Public)

Description

Currently we are using GPG for release signing (pretty much like everyone else).

Popularity of GPG for release signing comes from the fact that many people already had it installed for email encryption/signing. Inside a VyOS image, signature checking is the only reason to have it installed.
However, it still comes with all the features no one needs, such as support for multiple outdated cipher suites and the ability to embed a photo in the key file. More importantly, the web of trust, the basic premise of PGP, is never used in a release signing context. Once you have a known-authentic image, the authenticity of upgrades is checked using a key that comes in the image, and to get their first image people never rely on keyservers either.

Another point is that we are using RSA now, which requires absurdly large keys to be secure.

In 2015, OpenBSD introduced signify. An alternative implementation of the same protocol is minisign, which is also available for Windows and OS X, and in most GNU/Linux distros it's in the repositories now.

Its installed size (complete with libsodium) is less than that of GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with.

Another issue with GPG is that it creates a /root/.gnupg directory just for release checking. The dir is small, so the fact that it's never used again is an aesthetic problem, but we've had that process fail in the past. But the small key size of the Ed25519 algorithm allows passing public keys in command line arguments, so the verification process can be completely stateless:

minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

I think we should switch to minisign to:

  • Simplify release signature checking process for people and scripts alike.
  • Avoid creating junk data in the image and avoid junk output (about initializing the PGP dir etc.)
  • Keep images smaller.

To ensure key continuity, we can start including the minisign key and update the "add system image" script in 1.2.6, but keep signing releases with both GPG and minisign for now. 1.3.0 can be the last GPG-signed release, so that people can upgrade from any 1.2.x to 1.3.0 securely.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Feature (new functionality)

Related Objects

Mentioned In
1.2.9

Event Timeline

Added minisign package https://github.com/vyos/vyos-build/tree/current/packages/minisign and also included this in vyos-1x dependency list for crux, equuleus and current

c-po set Issue type to Unspecified (please specify).

Now the last part left is to add minisign signature verification to the add system image script. For now, we should keep the old GPG verification code just in case someone wants to downgrade, or if we have to re-introduce GPG signatures for whatever reason.

So the script should check for the $imageName.minisig file first, then try to find the GPG one if that fails.

Thus the command to verify a file is:

minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m $fileName -x $signatureFile

If the signature is in a file named $fileName.minisig, then the -x part can be omitted. The -q option is for "quiet".
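
The minisig-first, GPG-fallback logic described in this comment, together with the minisign invocation from the description, as an added shell example. This is not the VyOS add-system-image script; the $image.asc name for the detached GPG signature, the MINISIGN_PUBKEY variable and the gpg options are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the VyOS add-system-image script.
# Assumptions: the minisign signature lives next to the image as
# $image.minisig, the legacy GPG signature as $image.asc, and the release
# public key is at the path below (override with MINISIGN_PUBKEY).
set -eu

MINISIGN_PUBKEY="${MINISIGN_PUBKEY:-/usr/share/vyos/keys/vyos-release.minisign.pub}"

# Print "<tool> <signature-file>" for the signature that will be checked,
# preferring minisign. Returns 1 when no signature file exists at all, so
# that an unsigned image is never silently accepted.
select_signature() {
    image="$1"
    if [ -f "$image.minisig" ]; then
        printf 'minisign %s\n' "$image.minisig"
    elif [ -f "$image.asc" ]; then
        printf 'gpg %s\n' "$image.asc"
    else
        return 1
    fi
}

# Verify $1 with whichever signature select_signature found.
# Returns 0 only when the chosen tool reports a valid signature.
verify_image() {
    image="$1"
    if [ ! -f "$image" ]; then
        echo "verify_image: no such file: $image" >&2
        return 1
    fi
    sel="$(select_signature "$image")" || {
        echo "verify_image: no signature found for $image" >&2
        return 1
    }
    tool="${sel%% *}"   # first word: minisign or gpg
    sig="${sel#* }"     # rest: path of the signature file
    case "$tool" in
        minisign)
            # -V verify, -q quiet, -p public key file, -m message, -x signature
            minisign -V -q -p "$MINISIGN_PUBKEY" -m "$image" -x "$sig"
            ;;
        gpg)
            # Legacy path, kept only for downgrades and older releases.
            gpg --batch --verify "$sig" "$image"
            ;;
    esac
}
```

Usage is `verify_image /path/to/vyos.iso` with the signature file beside the image; `-x` can be dropped when the signature is named `$image.minisig`, and `-P <base64 key>` can replace `-p <file>` for the stateless form shown in the description. One caveat for the GPG branch: `gpg --verify` exits 0 for a valid signature from any key in the caller's keyring, so if it is kept it should be pointed at a keyring holding only the release key (`--no-default-keyring --keyring <file>`) rather than at whatever happens to be in /root/.gnupg.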

c-po changed the task status from Open to Needs testing. Aug 26 2021, 6:38 PM
c-po moved this task from Backlog to Finished on the VyOS 1.4 Sagitta board.
c-po moved this task from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
c-po moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.9) board.
c-po triaged this task as Normal priority.
c-po moved this task from In Progress to Finished on the VyOS 1.3 Equuleus board.
c-po moved this task from In Progress to Finished on the VyOS 1.2 Crux (VyOS 1.2.9) board.
c-po changed Is it a breaking change? from Behavior change to Perfectly compatible.
c-po changed Issue type from Unspecified (please specify) to Feature (new functionality).