Open hoh opened 5 months ago
Requiring the last git commit to be signed with a GPG key
That's definitely planned, and I actually created comin to replace a deployment bash script that checks that Git commits are signed. This should be implemented in the next two releases.
Requiring updates to be upstream of the current configuration would help avoid unauthorized rollbacks, preventing replay attacks.
I'm sorry but I don't understand what you mean. But, in order to avoid unauthorized rollbacks, comin already does not allow hard resets on the main branches.
Also, I actually didn't clean the code base correctly, since there is currently some dead code ;)
That's great, looking forward to it!
Not allowing hard resets on the main branches solves the unauthorized rollbacks, good to read that this is handled already.
Since comin can update its own configuration from a git repository, trust in the repository seems absolute, and a compromise of the forge could lead to a compromise of the machine.
Requiring the last git commit to be signed with a GPG key would add extra security, requiring an adversary not only to compromise the forge and/or the repository, but also to obtain the private key of one of the approved committers.
This would also allow unauthorized committers to publish to the repository, while only commits signed with a preauthorized key would trigger an update of the system.
Requiring updates to be upstream of the current configuration would help avoid unauthorized rollbacks, preventing replay attacks.
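One way to implement the two checks proposed in this issue (the latest commit carries a good GPG signature from an allow-listed key, and it is a descendant of the commit currently deployed, so rollbacks are refused), as an added Python example that is not comin's own code. The fingerprint allow-list is a constructed placeholder; `%G?` and `%GP` are git's own log format placeholders.

```python
"""Gate a pull-based deployment on (1) a good GPG signature from an approved
key and (2) the new commit being a fast-forward of the deployed one."""
import subprocess
from dataclasses import dataclass

# Constructed placeholder; replace with the approved committers' primary key fingerprints.
TRUSTED_FINGERPRINTS = {"0000000000000000000000000000000000000001"}

# Field order produced by `git log -1 --format='%H %G? %GP' <rev>`:
# %G? is git's signature status code, %GP the signing key's primary fingerprint.
LOG_FORMAT = "%H %G? %GP"


@dataclass
class CommitSig:
    sha: str
    status: str       # 'G' good, 'U' good but untrusted in gpg, 'N' unsigned, 'B' bad, ...
    fingerprint: str  # empty when the commit carries no signature


def parse_log_line(line: str) -> CommitSig:
    """Parse one LOG_FORMAT line; the fingerprint field is absent for unsigned commits."""
    parts = line.strip().split(" ")
    fingerprint = parts[2] if len(parts) > 2 else ""
    return CommitSig(sha=parts[0], status=parts[1], fingerprint=fingerprint)


def git_log_signature(repo: str, rev: str) -> CommitSig:
    """Ask git to verify the signature of `rev` and report status plus key fingerprint."""
    out = subprocess.run(["git", "-C", repo, "log", "-1", f"--format={LOG_FORMAT}", rev],
                         check=True, capture_output=True, text=True).stdout
    return parse_log_line(out)


def git_is_ancestor(repo: str, old: str, new: str) -> bool:
    """True when `old` is reachable from `new`, i.e. the update is a fast-forward."""
    rc = subprocess.run(["git", "-C", repo, "merge-base", "--is-ancestor", old, new]).returncode
    return rc == 0


def signed_by_trusted_key(sig: CommitSig, trusted=TRUSTED_FINGERPRINTS) -> bool:
    # Accept 'G' and 'U': the explicit allow-list, not gpg's web of trust, decides approval.
    return sig.status in ("G", "U") and sig.fingerprint in trusted


def should_deploy(sig: CommitSig, deployed: str, is_ancestor, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """is_ancestor(old, new) is injected so the policy can be tested without a repository."""
    if not signed_by_trusted_key(sig, trusted):
        return False                        # unsigned, bad signature, or unapproved key
    if sig.sha == deployed:
        return False                        # nothing new to deploy
    return is_ancestor(deployed, sig.sha)   # refuse rollbacks and replays of older commits
```

In a real agent the two git helpers supply the inputs: `should_deploy(git_log_signature(repo, "origin/main"), deployed_sha, lambda o, n: git_is_ancestor(repo, o, n))`.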