FS#67536 - Feature request: add 2FA support for package signing
Attached to Project:
Pacman
Opened by Mark Stosberg (markstos) - Sunday, 09 August 2020, 13:23 GMT
Last edited by Allan McRae (Allan) - Sunday, 04 December 2022, 02:22 GMT
Details
This is a feature request to add 2FA support for package signing.

An initial goal can be to support certain package uploads to require 2FA signing, as the NPM registry supports: https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification

A longer term goal could be to require all developers uploading packages to sign their packages with 2FA, as Apple started doing in 2019: https://developer.apple.com/support/authentication/

Security compromises may start with remotely compromised laptops. If those laptops also hold private package signing keys, there is a path to uploading malicious packages. Requiring 2FA for package uploads would require an additional layer of security by requiring the developer to also possess a trusted device or security key to complete the package upload.

This may not be the right place to file this suggestion. Let me know if there's a better place to post it. Thanks!
Are you asking for the Arch infrastructure to add 2FA to the ssh login for submitting packages?