Mender Artifact Signing Key Rollover Support

Mender docs (and experimentation and a brief inspection of the code) that there can be only one signature on an artifact. While this is minimally sufficient it makes key rollover messy at best. Or am I missing something? I couldn’t find anything that described how to roll / replace / update signing keys.

I did come up with this approach but it has problems due to artifact file format rigidity / versioning issues.

GIVEN a mender file format that allows multiple manifest.sig elements, including the client (installer) modified such that if any one manifest.sig (rather than the exactly one) verifies using the public key provided in ArtifactVerifyKey then the artifact is considerd valid

WHEN a mender artifact that contains a mender.conf with a new ArtifactVerifyKey is signed with all previously used (private) keys AND the new (private) key

THEN the artifact would be accepted as validated by a client with any of the previously used private keys as the value of ArtifactVerifyKey and so perform an update

AND THEN the updated client would now only accept artifacts signed with (at least) the new key.

This allows both simple key rotation and key upgrades (including to new algorithms) without breaking backwards compatibility EXCEPT that the mender artifact file format lacks non-breaking extensibility.

So this change would need a new artifact format / break existing clients…

Related to (see my comment there)

Repeating my reply from the mentioned pull request:

It’s possible that would require require a new artifact format, yes.

There are workarounds for this issue though, at least on Mender Enterprise: Give each of your artifacts an extra “Provides” field which contains the checksum of the key inside that artifact (the one it contains, not the one it’s signed with). Make sure that each artifact from that point onwards has a “Depends” field on the key checksum. This checksum should match the key the artifact is signed with. When you need an artifact signed with two keys, just sign two copies with one key each, and upload both. The server will then take care of giving the correct artifact to each device.

I know, not perfectly ideal, and it is some manual work, but once it’s set up, it should be pretty seamless.