Hi @stevedennis!
This is not about transport security; that's fine over HTTPS. Using a custom signing key for the feed is an important security feature to ensure the feed itself is integral and authentic and that the artefacts from the feed can be verified.
We run a CA and deploy certificates and keys signed from this central authority as part of a wider security measure across services, machines and users. Practically, this means that users install a single CA certificate which can automatically derive authenticity and validity across artefacts and services without having to manage multiple certificates since these are formed as part of a chain.
In the case of ProGet, we request the ability to upload a signing key (both through the UI and via the API) which would cryptographically sign the feed. Note that because a key can be uploaded, a public certificate for the key can be generated, such that a user can then use either the CA or the feed's public certificate to verify the contents during package retrieval.
Another important feature of uploading a custom signing key is that we can issue and revoke keys, certificates and signatures (and with specific date ranges) from a centrally managed location without disrupting the service itself, issuing a notice if necessary. This would allow us to indicate if a feed and its artefacts were ever tampered with before upload or whilst hosted.
Thanks,
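The two verification paths the post describes (a user who has installed only the organisation's CA certificate, and a user who holds only the feed's own public certificate), together with the issue-and-revoke part, as an added example that is not code from the original post, from ProGet or from Inedo. It uses only Go's standard library (`crypto/x509`, Go 1.19 or later for `ParseRevocationList`). The CA name "Example Corp Root CA", the signer subject "proget-feed-signer", the 90-day validity window, the one-week CRL lifetime and the feed index contents are all assumptions made up for this example; a real feed would carry the signature and certificate in whatever envelope the server defines.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI stands in for the organisation's CA and the feed signing certificate issued under it (names invented here).
type PKI struct {
	CACert, FeedCert *x509.Certificate
	CAKey, FeedKey   *ecdsa.PrivateKey
}

// FeedSignature is what the feed publishes next to its index: the DER signing certificate and an ECDSA/SHA-256 signature.
type FeedSignature struct{ CertDER, Sig []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tpl for key's public key using signer (the parent's key) and returns the parsed certificate.
func issue(tpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer))))
}

// SetupPKI builds a self-signed root CA and a 90-day code-signing certificate chained to it (assumed lifetimes).
func SetupPKI(now time.Time) *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	feedKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := issue(caTpl, caTpl, caKey, caKey)
	feedTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "proget-feed-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	return &PKI{caCert, issue(feedTpl, caCert, feedKey, caKey), caKey, feedKey}
}

// SignFeed signs the feed index with the feed key and attaches the signing certificate.
func (p *PKI) SignFeed(index []byte) (FeedSignature, error) {
	digest := sha256.Sum256(index)
	sig, err := ecdsa.SignASN1(rand.Reader, p.FeedKey, digest[:])
	return FeedSignature{CertDER: p.FeedCert.Raw, Sig: sig}, err
}

// IssueCRL publishes the CA's signed revocation list (empty when nothing is revoked).
func (p *PKI) IssueCRL(now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	tpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	for _, c := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tpl, p.CACert, p.CAKey)
}

// VerifyWithFeedCert: the user holds only the feed's own certificate, obtained out of band and pinned.
func VerifyWithFeedCert(index []byte, fs FeedSignature, pinned *x509.Certificate) error {
	if !bytes.Equal(fs.CertDER, pinned.Raw) {
		return errors.New("shipped certificate does not match the pinned feed certificate")
	}
	return pinned.CheckSignature(x509.ECDSAWithSHA256, index, fs.Sig)
}

// VerifyWithCA: the user holds only the CA certificate. The shipped certificate must chain to it, be valid at
// retrieval time, be issued for code signing and be absent from the CA's CRL before the signature counts.
func VerifyWithCA(index []byte, fs FeedSignature, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(fs.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // never trust an unsigned or foreign CRL
	}
	if err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("signing certificate %v was revoked at %s", cert.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, index, fs.Sig)
}

func main() {
	now := time.Now()
	pki := SetupPKI(now)
	index := []byte("MyPackage 1.2.3 sha256:3b4c...\nOtherPackage 0.9.0 sha256:a1f0...\n") // constructed feed index
	fs := must(pki.SignFeed(index))
	fmt.Println("CA path, nothing revoked:", VerifyWithCA(index, fs, pki.CACert, must(pki.IssueCRL(now)), now))
	fmt.Println("CA path, signer revoked: ", VerifyWithCA(index, fs, pki.CACert, must(pki.IssueCRL(now, pki.FeedCert)), now))
	fmt.Println("feed-certificate path:   ", VerifyWithFeedCert(index, fs, pki.FeedCert))
}
```

Two points a verifier built this way has to get right. First, because the same CA issues certificates to services, machines and users, the feed check restricts the chain to certificates carrying the code-signing extended key usage; without that restriction any service's TLS key from the same CA could produce a valid-looking feed signature. Second, revocation only "works without disrupting the service" if clients actually fetch a fresh, CA-signed CRL (or an OCSP response) at retrieval time; here the CRL is passed in as bytes, and a client that caches it past `NextUpdate` would keep accepting a revoked signer. The signature covers the index, so individual artefacts are bound to it only through the digests the index lists for them.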