Security implications of the GitLab CI for binary factory
Problems to solve
binary-factory deals with creating various binary resources and making them available in the proper place. The current tasks of the binary factory are:
- Websites
- Android builds
- Windows binaries
- macOS binaries
- Flatpak builds
- Linux AppImages
- (In future) snap builds
Each build requires access to some resources which are considered privileged. They include:
- SSH keys for deploying websites to their final place, i.e. nicoda.kde.org currently
- Android keystore for F-Droid and Play Store
- Windows signing keys for the Windows Store and our applications
- macOS signing keys
- GPG signing keys for Flatpak
- GPG signing keys for the AppImages
We should go through each item and see how we can restrict access to various bits better. There are various attack vectors which we need to consider:
- People writing custom jobs which get access to the secrets, which they can "archive" for accessing
- People modifying their pipelines to push a "trusted version" of an application to our distribution mediums without validation
I have some solutions to the potential attack vectors which we can implement; each use case is described as a comment in this issue.