Using Nitrokey 3A Mini for build artifact signing key storage

Petr Štetiar ynezz at true.cz
Sat May 13 09:17:13 PDT 2023 

Hi,

we're in the process of upgrading OpenWrt build infrastructure right now and
there is a consensus, that its a good opportunity to improve handling of
secret GnuPG keys used for build artifact signing.

Current idea is to start using Nitrokey 3A Mini (nk3) USB security key for
this purpose, nk3 would contain single Ed25519 based signing key with 10 year
expiration, that means we're going to use single key for snapshot/release
signing.

Only 3 such identical nk3 dongles were provisioned[1], one nk3 dongle is going
to be attached to the new buildbot master server, remaining two nk3 dongles
are going to be kept as a backup (ynezz, jow). GnuPG master/secret keys are
not available, only revocation certificate was generated, just in case.

This new signing key 0xCAE438715492B555 available only from those three nk3
dongles was cross signed with 3 previous signing keys (snapshot, 21.02, 22.03):

 $ gpg --list-signatures 0xCAE438715492B555
 pub   ed25519/0xCAE438715492B555 2023-05-13 [C] [expires: 2033-05-10]
       Key fingerprint = E902 5ED8 43D0 FDC7 866F  7064 CAE4 3871 5492 B555
 uid                   [ultimate] OpenWrt Build System (Nitrokey3) <contact at openwrt.org>
 sig 3        0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact at openwrt.org>
 sig          0xCD84BCED626471F1 2023-05-13  OpenWrt Build System (PGP key for unattended snapshot builds) <pgpsign-snapshots at openwrt.org>
 sig          0xCD54E82DADB3684D 2023-05-13  OpenWrt Build System (GnuPGP key for 22.03 release builds) <pgpsign-22.03 at openwrt.org>
 sig          0x88CA59E88F681580 2023-05-13  OpenWrt Build System (PGP key for 21.02 release builds) <pgpsign-21.02 at openwrt.org>
 sub   ed25519/0x78BBEC94A894C992 2023-05-13 [S] [expires: 2033-05-10]
 sig          0xCAE438715492B555 2023-05-13  OpenWrt Build System (Nitrokey3) <contact at openwrt.org>
 
nk3 dongle PIN is going to be available to all build infrastructure admins
(needed after server restarts), admin PIN and reset PIN to folks having backup
key dongles (ynezz, jow).

Another handy feature of such dongles is `Signature counter`, thats a number
which keeps track of the signatures performed with the stored signature key.
It is only reset if a new signature key is created on or imported to the card.

I would like to keep track of this signature counter in Rekor[2] transparency
log, along with nk3 dongle serial number and other build artifact details
being signed with that key. I'll follow up once that pull request enabling
this feature is ready.


1. https://openwrt.org/docs/guide-developer/releases/provision-nitrokey3
2. https://docs.sigstore.dev/rekor/overview/


Cheers,

Petr

More information about the openwrt-devel mailing list