
Version 5 (modified by davea, 10 years ago) (diff)


Code signing

BOINC uses digital signatures to allow the core client to authenticate executable files.

It is important that you use a proper code-signing procedure for publicly-accessible projects. If you don't, and your server is broken into, hackers will be able to use your BOINC project to distribute malware. This could result in the end of your project, and will negatively impact all BOINC projects.

  • Choose a computer (an old, slow one is fine) to act as your "code signing machine". After being set up, this computer must remain physically secure and disconnected from the network (i.e. keep it in a locked room and put duct tape over its Ethernet port). You'll need a mechanism for moving files to and from the code-signing machine. A USB-connected disk or CD-RW will work, or if your files are small you can use a floppy disk.
  • Install crypt_prog on the code signing machine (it's easiest if the machine runs Unix/Linux; Windows can be used but requires Visual Studio 2003).
  • Run crypt_prog -genkey to create a code-signing key pair. Copy the public key to your server. Keep the private key on the code-signing machine, make a permanent, secure copy of the key pair (e.g. on a CD-ROM that you keep locked up), and delete all other copies of the private key.
  • To sign an executable file, move it to the code-signing machine, run crypt_prog -sign to produce the signature file, then move the signature file to your server.
  • Use update_versions to install your application, including its signature files, in the download directory and database.

There are less-secure variants; e.g. you could keep the private key on a CD-ROM that is only mounted during signature generation, on a machine that is disconnected during signature generation. But we do not recommend this; a hacked computer could be running a hidden program that steals the private key and transmits it when the computer is connected again.

Changing your code-signing key

To change your project's code-signing key:

  • Generate a new key pair (do this on an offline machine).
  • In your project's 'keys' directory, put the old public key in a file 'old_key_0'.
  • Sign the new public key with the old private key, and put the signature in 'keys/signature_0'.
  • Release new versions of all apps, signed with the new key.

You might want to do this when your project goes public, you've started using an offline signing machine, and you don't want to force existing users to detach and reattach.
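The signing workflow and the key-rotation steps above, worked through end to end as an added example that is not BOINC's or crypt_prog's own code: it stands in OpenSSL RSA keys and signatures for crypt_prog's own file formats, keeps the page's file names (keys/old_key_0, keys/signature_0), and uses a constructed stand-in for the application executable. The client-side check is what a core client that still trusts only the old key has to do before accepting an executable signed with the new one.

```shell
#!/bin/sh
# Added example (not crypt_prog or BOINC project code): the signing and key-rotation
# flow from this page, modelled with OpenSSL RSA keys. crypt_prog's own key and
# signature file formats are not reproduced; file names follow the page.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# On the offline signing machine: the original key pair, then its replacement.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out old_private.pem 2>/dev/null
openssl pkey -in old_private.pem -pubout -out old_public.pem
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out new_private.pem 2>/dev/null
openssl pkey -in new_private.pem -pubout -out new_public.pem

# Constructed stand-in for an application executable released after the rotation.
printf 'constructed app binary v2\n' > app_v2.bin

# Rotation steps 2 and 3: the old public key becomes keys/old_key_0, and the new
# public key is signed with the old private key into keys/signature_0.
mkdir -p keys
cp old_public.pem keys/old_key_0
openssl dgst -sha256 -sign old_private.pem -out keys/signature_0 new_public.pem

# Rotation step 4: the app release is signed with the new private key.
openssl dgst -sha256 -sign new_private.pem -out app_v2.bin.sig app_v2.bin

# The check a client that so far trusts only old_key_0 has to make before it runs
# the app: (a) the new public key is endorsed by the old key via signature_0,
# (b) the executable verifies under the new key. Exit status 0 = accept, 1 = reject.
verify_rotated_app() {  # $1 new public key, $2 executable, $3 executable signature
    openssl dgst -sha256 -verify keys/old_key_0 -signature keys/signature_0 "$1" >/dev/null 2>&1 || return 1
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 || return 1
    return 0
}

# Two things a compromised server could present, both of which the client must
# reject: a modified executable, and a "new" key that the old key never endorsed.
printf 'constructed app binary v2 + extra code\n' > app_tampered.bin
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rogue_private.pem 2>/dev/null
openssl pkey -in rogue_private.pem -pubout -out rogue_public.pem
openssl dgst -sha256 -sign rogue_private.pem -out app_rogue.sig app_v2.bin

verify_rotated_app new_public.pem app_v2.bin app_v2.bin.sig && echo "genuine release: accepted"
verify_rotated_app new_public.pem app_tampered.bin app_v2.bin.sig || echo "tampered executable: rejected"
verify_rotated_app rogue_public.pem app_v2.bin app_rogue.sig || echo "unendorsed key: rejected"
```

Only the private keys ever touch the offline machine; everything the server and clients need (old_key_0, signature_0, the new public key, and the app signature files) is public data that can be carried over on removable media as the page describes.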