Signing Key Rotation
Describes our signing key rotation.
Rotation policy
Our keys have a cryptoperiod of 3 years which is the maximum recommended by NIST SP 800-57. This is significantly shorter than most signing keys used by distribution/software maintainers, hence our use of bundled keyring via the staker-repo
package to support key rotation.
In practical terms a key isn’t used to sign releases for the full 3 years period as the key rotation needs transition periods. Therefore, the key lifecycle is as follows:
- 1 year in seed mode. The key is created, but it is not actively signing/validating releases. The purpose is to provide some overlap with the key which is currently used for signing and validation (i.e the active key) and allow this key to be installed before being actively used.
- 1 year in active (sign/validate) mode. This is the key which is currently used to sign releases.
- 1 year in validate mode. This is a previously used active key which can still verify signatures, but no new releases are produced using this key.
The only exception to this rule is the 1st key ever used for signing releases which shall be in active mode for 2 years. There’s no key to fulfil the seed mode for the 1st year.
Rotation procedure
You need to update the staker-repo
package at least once per year in order to get a keyring which contains the signing key that shall be active for future releases. Should you fail to do so, you must follow the repository installation procedure and go through the bootstrap steps again to fix your installation of this repository.