added secure deployment guide #228
Conversation
Thanks @zr-msft
LGTM but I'm not a maintainer.
LGTM
@priteshbandi @iamsamirzon could you review this PR again?
The purpose of this document is to provide prescriptive guidance for the deployment. I am not sure we are achieving that goal with the current text and am not sure what the value of this documentation is. Here are the main questions that I think should be answered:
- How should I obtain the binaries? (I believe we are covering that in the installation guide, but reinforcing this here and making sure that the checksum is validated is imperative here.)
- If there is no installation, how do I copy the binary to the respective folder? Do I use sudo or not? Should I create a new user or not? Should I change the folder permissions or not?
- How do I set up the signing key? What user do I use for that? Should I use sudo or a separate user?
- For validation: how do I download the cert? What user do I use to download the cert? Should I protect the folder where the cert is stored? What permissions should the folder have?
- For trust policies: what user do I use to create the policy? Should I use sudo or not? What permissions should the folder where the policy is have?
All the above questions are PM questions, but I can provide some security suggestions:
- In general, binaries can be obtained from any source, either trusted or untrusted. It is critical to obtain the checksum from a trusted source so that the binaries can be verified. Overall, the binaries can be obtained from a package manager with an authenticity guarantee (e.g.
- It depends on whether you want to install for all users on the system or just for you. If it is for all users on the system, it is better to copy the binary to
- Since you are setting up the signing key for yourself, you should use your own account to do that. Never use
- The certs must be downloaded from trusted sources. It can be done by directly downloading from the web page via HTTPS from the signing key vendor or by running scripts or tools provided by the signing key vendor. Since those certs may be private certs (e.g. no CT records) and contain confidential information, it is recommended to set the permissions to
- It depends on the precise scenario whether the trust policies are for all users on the system or just for you. The first scenario is not defined yet, so I would like to skip it for now. For the second scenario, you should create the policy using your own account without
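The checklist in the comment above (checksum from a trusted source, system-wide binary install, per-user config with restrictive permissions) as a runnable POSIX shell script. This is an added example, not code from the notation project or from the PR under review: the `~/.config/notation` layout, the `truststore/x509/ca/<store>` subtree and the `/usr/local` prefix are assumptions used for illustration, and the sample "binary" and checksum file are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the notation project): verify a downloaded
# binary against a sha256 list obtained separately from a trusted source,
# install it for all users, and create the per-user config tree with modes
# that keep certs and the trust policy private to the invoking user.
# Directory layout and file names below are assumptions for illustration.
set -eu

# verify_checksum BINARY SUMS
# SUMS is in "sha256sum" format: "<hex>  <filename>" per line, fetched from
# the vendor's trusted channel, not necessarily the mirror the binary came
# from. Returns 0 on match, 1 on mismatch, 2 if SUMS has no entry for BINARY.
verify_checksum() {
    expected=$(awk -v n="$(basename "$1")" '$2 == n { print $1 }' "$2")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_binary BINARY PREFIX
# System-wide install: PREFIX/bin, mode 0755 so every user can execute it
# but only the owner can replace it. In real use PREFIX would be /usr/local
# and this step is the one that needs sudo; nothing else in this script does.
install_binary() {
    mkdir -p "$2/bin"
    install -m 0755 "$1" "$2/bin/$(basename "$1")"
}

# init_user_config CONFIG_DIR [STORE]
# Per-user config (assumed: $XDG_CONFIG_HOME/notation), created as the
# ordinary user, never via sudo, so files are owned by that user. Removing
# group/other bits keeps private CA certs and trustpolicy.json unreadable
# to other local accounts.
init_user_config() {
    cfg=$1
    store=${2:-example}
    mkdir -p "$cfg/truststore/x509/ca/$store"
    chmod -R go-rwx "$cfg"
}

# mode_of PATH: octal permission bits, e.g. 755 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Demo on constructed input: a fake binary plus a matching checksum list.
demo() {
    t=$(mktemp -d)
    printf 'constructed stand-in for the notation binary\n' > "$t/notation"
    sha256sum "$t/notation" | awk '{ print $1 "  notation" }' > "$t/notation.sha256"

    verify_checksum "$t/notation" "$t/notation.sha256"
    echo "checksum ok"

    # Tamper with the download: verification must now fail.
    printf 'x' >> "$t/notation"
    if verify_checksum "$t/notation" "$t/notation.sha256"; then
        echo "tampered binary accepted" >&2
        return 1
    fi
    echo "tampered binary rejected"

    install_binary "$t/notation" "$t/prefix"
    init_user_config "$t/cfg" "vendor-ca"
    echo "binary mode: $(mode_of "$t/prefix/bin/notation"), config mode: $(mode_of "$t/cfg")"
    rm -rf "$t"
}

demo
```

Run it as the user who will run `notation`, not as root; only the copy into a shared prefix such as `/usr/local/bin` needs elevated privileges. Put the checksum file next to the binary only after fetching it over a separate, trusted channel; `verify_checksum` deliberately refuses a sums file that has no entry for the file name, so a truncated or wrong-architecture list fails closed rather than passing silently.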
Thanks @shizhMSFT for providing the comments. I recall one issue: only user-level config is supported. System-level config is not supported and there is no plan for it for now. So we just need to document user-level config as you explained. @zr-msft could you check whether the input provided by Shiwei is good enough for you to update the PR?
Thank you @shizhMSFT and @yizha1. This additional information is very helpful and I'll have it incorporated into the PR today.
Thanks @zr-msft. I left some comments.
Signed-off-by: Zach Rhoads <[email protected]>
LGTM
LGTM
Signed-off-by: Zach Rhoads <[email protected]>
Signed-off-by: Zach Rhoads <[email protected]>
Signed-off-by: Roseline <[email protected]>
fixes #224
fixes #185