FS#67536 - Feature request: add 2FA support for package signing

Attached to Project: Pacman
Opened by Mark Stosberg (markstos) - Sunday, 09 August 2020, 13:23 GMT
Last edited by Allan McRae (Allan) - Sunday, 04 December 2022, 02:22 GMT
Task Type: Feature Request
Category: General
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 5.2.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

This is a feature request to add 2FA support for package signing.

An initial goal can be to support certain package uploads to require 2FA signing, as the NPM registry supports.

https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification

A longer term goal could be to require all developers uploading packages to sign their packages with 2FA, as Apple started doing in 2019:

https://developer.apple.com/support/authentication/

Security compromises may start with remotely compromised laptops. If those laptops also hold private packaging signing keys, there is a path to uploading malicious packages.

Requiring 2FA for package uploads would require an additional layer of security by requiring the developer to also possess a trusted device or security key to complete the package upload.

This may not be the right place to file this suggestion. Let me know if there's a better place to post it.

Thanks!

Closed by Allan McRae (Allan)
Sunday, 04 December 2022, 02:22 GMT
Reason for closing: No response
Comment by Eli Schwartz (eschwartz) - Sunday, 09 August 2020, 13:33 GMT
I *definitely* don't understand this ticket. How would pacman check this? Note that both npm and Apple don't say anything about 2FA for *code signing*, only for *logging into your account* during the release upload.

Are you asking for the Arch infrastructure to add 2FA to the ssh login for submitting packages?
