Hi all,
I’m trying to see if there are people interested in having a certificate architecture for signing packages. Meaning, people can have their own key that they use for signing packages. Their keys are then signed by a Certificate Authority (CA). If a machine trusts such a CA, it will accept packages signed by a key signed by the CA.
My situation, which should explain the need:
I’m currently using Nix and NixOS in my company, and we’ve stumbled upon a process road block for administering NixOS machines.
We have some NixOS machines which are offline. Multiple people from our team must be able to administer them. The way we can do it is by giving our team member root ssh access (using SSH keys, or SSH certificates), and do remote rebuild. But, multiple people logging into root is not such a great practice, so we’ve been trying to figure out a way to do remote rebuild using normal users.
In order to use nixos-rebuild --target-host "normal-user@host" --use-remote-sudo, currently we need:
- passwordless sudo
- the remote machine must trust the packages that it receives, either:
  - the ssh’ed user is a trusted user (not good, because it’s basically giving root access without authentication)
  - the packages are signed by a trusted key
For this post, I’m ignoring the issues of passwordless sudo (using ssh-agent, etc.).
From an organization point of view, I can’t ask every team member to have their own signing key, because it would be a nightmare to copy their public key on each NixOS machine, even when factorizing that in a “common configuration”. We have the same problem with SSH keys, which we’re currently solving using SSH certificates, so why not do the same thing for signing packages?
Using CI to sign packages is also a no-go for us, because there are quite a lot of times where our development machines are disconnected from the internet. It would also mean that we can’t deploy anything if our CI is down. It would also mean we would have to commit and push every time we want to nixos-rebuild test, which would be quite annoying.
What do you all think?
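To make the proposed trust model concrete, here is an added example (not part of the original post, and not something Nix implements today) in Go using the standard-library ed25519 that Nix also uses: a CA key issues a certificate for a team member's signing key, the member signs a store path fingerprint in Nix's real format (`1;<storePath>;<narHash>;<narSize>;<references>`), and the target machine, which trusts only the CA public key, verifies the certificate before the path signature. The certificate payload format, the key name "alice-1" and the store path are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Cert binds a team member's key name and public key under the CA's
// signature. The payload format is hypothetical; the post does not define one.
type Cert struct {
	SignerName string
	SignerPub  ed25519.PublicKey
	CASig      []byte
}

func certPayload(name string, pub ed25519.PublicKey) []byte {
	return []byte("nix-signer-cert;" + name + ";" + string(pub))
}

// Issue is run by whoever holds the CA key, once per team member, instead of
// copying each member's public key to every NixOS machine.
func Issue(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{name, pub, ed25519.Sign(caPriv, certPayload(name, pub))}
}

// Fingerprint is the string Nix signs for a store path:
// "1;<storePath>;<narHash>;<narSize>;<references joined by comma>".
func Fingerprint(storePath, narHash string, narSize uint64, refs []string) string {
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(refs, ","))
}

// Verify is what the target machine does: it trusts only caPub, so it checks
// the signer's certificate first and only then the path signature.
func Verify(caPub ed25519.PublicKey, c Cert, fingerprint string, sig []byte) bool {
	if !ed25519.Verify(caPub, certPayload(c.SignerName, c.SignerPub), c.CASig) {
		return false // key not issued by our CA: reject even if the path signature is valid
	}
	return ed25519.Verify(c.SignerPub, []byte(fingerprint), sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	cert := Issue(caPriv, "alice-1", alicePub)
	// Constructed store path and NAR hash, not a real package.
	fp := Fingerprint("/nix/store/0000000000000000000000000000000-hello-2.12", "sha256:abcd", 1234, nil)
	fmt.Println(Verify(caPub, cert, fp, ed25519.Sign(alicePriv, []byte(fp))))
}
```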