← Back to context

Comment by benlivengood

5 years ago

If you use cloud services that offer automated builds you can push the trust onto the provider by building things in a standard (docker/ami) image with scripts in the same repository as the code, cloned directly to the build environment.

If you roll your own build environment then automate the build process for it and recreate it from scratch fairly often. Reinstall the OS from a trusted image, only install the build tools, generate new ssh keys that only belong to the build environment each time, and if the build is automated enough just delete the ssh keys after it's running. Rebuild it again if you need access for some reason. Don't run anything but the builds on the build machines to reduce the attack surface, and make it as self contained as possible, e.g. pull from git, build, sign, upload to a repository. The repository should only have write access from the build server. Verify signatures before installing/running binaries.

5 comments

benlivengood

Reply
tetha  5 years ago

> If you use cloud services that offer automated builds you can push the trust onto the provider by building things in a standard (docker/ami) image with scripts in the same repository as the code, cloned directly to the build environment.

And I guess, for those super-critical builds, don't rely on anything but the distro repos or upstream downloads for tooling?

Because if you deploy your own build tools from your own infra, you are at risk to taint the chain of trust with binaries from your own tainted infra again. I'm aware of the trusting trust issue, but compromising the signed gcc copy in debians repositories would be much harder than some copy of a proprietary compiler in my own (possibly compromised) binary repository.

  • benlivengood  5 years ago

    > And I guess, for those super-critical builds, don't rely on anything but the distro repos or upstream downloads for tooling?

    You can build more tooling by building it in the trusted build environment using trusted tools. Not everything has to be a distro package, but the provenance of each binary needs to be verifiable. That can include building your own custom tools from a particular commit hash that you trust.

hda111  5 years ago

Did you mean read access from the build server? I’m confused.

  • maybevain  5 years ago

    I believe the commenter meant that only the build server should be able to write to the build artifact repository, so ”write access from the build server” would be correct.