Infrastructure
Describes our repository infrastructure.
Design
The RPM repositories themselves are nothing fancy. All they require for delivery is a basic HTTP server.
Our repositories are published as Cloudflare Pages and delivered via Cloudflare. This allows us to provide them at no cost to the community as well as for our own use cases.
Signing key delivery
Our signing keys are delivered initially from Keybase, i.e. for the repository bootstrap procedure. This is by design. If the signing key and the repository are delivered by the same server (which is the common arrangement for quite a few software vendors), then trust cannot be established, as the chain of custody may be broken. A compromised server could simply deliver a compromised signing key together with a set of compromised packages signed with that key. Essentially, all systems that use TOFU (no, not the fake cheese, but Trust On First Use) are subject to this limitation, as the supply chain can be attacked in this initial phase if not enough care is exercised.
While we deliver a keyring via our staker-repo package, the release itself is signed with a key initially delivered through Keybase. Furthermore, all of our RPM packages are also signed. Our repository configuration is set to check the signatures of both the repository metadata and the packages themselves.
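As an added illustration of the two points above (a key obtained out-of-band rather than from the repository host, and signature checks on both metadata and packages), the following POSIX shell script writes a dnf/yum .repo file with those settings and audits an existing .repo file for them. It is example code, not the project's own tooling; the repository id, URLs and key path are placeholders chosen for the example, and the key is assumed to have already been fetched (e.g. from Keybase) and fingerprint-checked before it is referenced.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Repo ids, URLs and key paths
# below are placeholders, not the project's real values.

# write_repo_config OUT_PATH REPO_ID BASEURL KEY_PATH
# KEY_PATH is a public key already imported out-of-band (for instance fetched
# from Keybase and fingerprint-checked). It is referenced as file:// so the
# package manager never fetches the trust anchor from the repository host.
write_repo_config() {
  cat > "$1" <<EOF
[$2]
name=$2
baseurl=$3
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file://$4
EOF
}

# write_weak_repo_config OUT_PATH REPO_ID BASEURL
# The TOFU-style arrangement the text warns about: the key is served by the
# same host as the packages, and repository metadata is not signature-checked.
write_weak_repo_config() {
  cat > "$1" <<EOF
[$2]
name=$2
baseurl=$3
enabled=1
gpgcheck=1
gpgkey=$3/RPM-GPG-KEY
EOF
}

# audit_repo_config FILE
# Returns 0 when every [section] in FILE sets gpgcheck=1 and repo_gpgcheck=1
# and points gpgkey at a local file:// path; returns 1 otherwise (including
# when the file has no sections at all).
audit_repo_config() {
  awk '
    BEGIN { bad = 0; sec = "" }
    function check() { if (sec != "" && !(g && r && k)) bad = 1 }
    /^\[/ { check(); sec = $0; g = 0; r = 0; k = 0; next }
    /^gpgcheck[ \t]*=/ {
      v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); if (v == "1") g = 1
    }
    /^repo_gpgcheck[ \t]*=/ {
      v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); if (v == "1") r = 1
    }
    /^gpgkey[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); if (v ~ /^file:\/\//) k = 1
    }
    END { check(); if (sec == "") bad = 1; exit bad }
  ' "$1"
}

# Run with "demo" as the first argument to see both configurations audited.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  write_repo_config "$dir/good.repo" example-repo https://repo.example.invalid/el9 /etc/pki/rpm-gpg/RPM-GPG-KEY-example
  write_weak_repo_config "$dir/weak.repo" example-weak https://repo.example.invalid/el9
  for f in "$dir"/*.repo; do
    if audit_repo_config "$f"; then echo "OK   $f"; else echo "WEAK $f"; fi
  done
  rm -rf "$dir"
fi
```

The audit deliberately treats a missing repo_gpgcheck as a failure rather than a default: with only gpgcheck=1, a server that can alter the metadata can still steer clients to other packages, which is exactly the case the design above closes by signing the release metadata as well.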