Skip to content

newrelic/infrastructure-public-keys

Community Project header

New Relic Infrastructure Public Keys

This project consists on building a debian package, newrelic-infra-public-keys, which contains the public key for both the key that is currently being used for signing (“current key”), and the key that will be used after the rotation takes place (“future key”). The future key is generated in advance, but not used to sign packages until a reasonable time (“update window”) passes.

newrelic-infra-public-keys would be a dependency of all New Relic core packages. As users upgrade packages, they will get the latest version of newrelic-infra-public-keys, which adds to their system’s truststore the future key. After the update window passes, New Relic will start to sign packages and repository metadata with the future key, effectively making it the current key. The previous current key ("old key") is removed from the newrelic-infra-public-keys package, and a new future key is generated and added to the package.

The following diagram illustrates the process. In State 1, 0xAAAA is the current key, and 0xBBBB the future key. All NR packages are signed with 0xAAAA, but the newrelic-infra-public-keys package is already deploying 0xBBBB as a valid key. After some time passes, State 2 is reached when 0xBBBB becomes the current key and packages start to get signed with it. A new key, 0xCCCC is generated and its public counterpart deployed, and the process restarts with 0xBBBB being the current key and 0xCCCC the future key.

Signing Key Diagram

Installation

This package will be installed within the newrelic-infra as a dependency

Build

Current command will leave the generated deb package under ./pkg folder

PGK_VERSION=1.2.3 make build

Contribute

We encourage your contributions to improve New Relic Infrastructure Public Keys! Keep in mind that when you submit your pull request, you'll need to sign the CLA via the click-through using CLA-Assistant. You only have to sign the CLA one time per project.

If you have any questions, or to execute our corporate CLA (which is required if your contribution is on behalf of a company), drop us an email at opensource@newrelic.com.

A note about vulnerabilities

As noted in our security policy, New Relic is committed to the privacy and security of our customers and their data. We believe that providing coordinated disclosure by security researchers and engaging with the security community are important means to achieve our security goals.

If you believe you have found a security vulnerability in this project or any of New Relic's products or websites, we welcome and greatly appreciate you reporting it to New Relic through our bug bounty program.

If you would like to contribute to this project, review these guidelines.

License

New Relic Infrastructure Public Keys is licensed under the Apache 2.0 License.

About

DEB package for seamless public key rotation.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

9 watching

Forks

Packages

 
 
 

Contributors