Open patriziobrunops opened 2 years ago
Hi,
Thanks for pointing this issue out. An internal ticket has been raised for this and will be addressed in due course.
I'm sorry I don't have any update on when we will be able to prioritise this; I just wanted to let you know that it's not forgotten and does sit in the list of new features that we aim to deliver as part of the evolution of Tyk.
Artifact signing is a pillar of supply chain protection. For it to be reliable, key rotation is a main requirement, in order to protect the supply chain from the compromise of the signing key.

With the current Tyk implementation, the public verification key is statically and centrally configured in tyk.conf, while plugin bundles are signed and then referenced in the ApiDefinition. In addition to this, the plugin's manifest doesn't contain any reference to the signing key. It's just assumed that all the bundles must be signed with the same key-pair used by tyk.conf. The key rotation process consists of signing with the new key and releasing new plugin bundles, and changing tyk.conf to point to the new key. This disconnect leads to complicated and brittle key rotation operations and potential downtimes that affect business operations.

Describe the solution you'd like

Versioning the sign/verify key-pair would solve the problem by allowing Tyk to use multiple verification keys. When a key rotation needs to happen, the new key can be added to Tyk's configuration, while new plugin bundles get released. Once all the plugins have been signed with the new key, the old key can be invalidated/unloaded.

From the implementation standpoint, Tyk should be able to load multiple keys and assign an id to each of them. The plugin-bundle's manifest should contain the id of the key used to sign it.

Additional context

public_key_path in tyk.conf points to a dir instead of a file: key-id as name and containing the verification key: