Automatic Updates for Drupal: How we built a secure signing infrastructure

Speaker(s)
drumm
Experience level
Expert
Duration
30 min

In 2019, the Drupal Association led an initiative to bring Automatic Updates to Drupal. The first phase of that work is complete, and a major part of it was implementing a secure signing infrastructure for the update services delivered by Drupal.org. Join us for a presentation about the architecture of this infrastructure.

Implementing an automatic updates system is no small feat, especially for a project as mature and architecturally complex as Drupal. There are many different factors that have to be considered:

  • Supporting both Drupal 7 and Drupal 8

  • Ensuring that sites are ready to safely & securely receive updates

  • Managing the transitional state of Drupal, where some installations use Composer, and some do not

But perhaps the most important element to manage is:

  • Avoiding creating more surface area for risk

It’s on this last point that we’ll focus in this session, in each of its component parts:

  • Managing our root signing keys with physical Hardware Security Modules (HSMs)

  • Using an intermediate key signing structure to limit the risk of compromise

  • Enforcing an expiring trust window

  • Building the two initial services, release content hashes and in-place-update artifacts, with signed data
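The four points above describe one trust chain: an offline root key that only issues certificates for intermediate keys, an intermediate key with a bounded validity window that does the day-to-day signing, and signed release content hashes that an updating site checks before applying anything. The following Go program is an added illustration of that chain and is not the Drupal.org signing oracle's code; the certificate and manifest formats, the field names, the Ed25519 choice and the JSON canonicalisation are all assumptions made here, and the "HSM" root key is an ordinary in-memory key standing in for the hardware-held one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IntermediateCert binds an intermediate public key to a trust window.
// It is signed by the root key, which in the infrastructure described above
// lives in an HSM and is used only to issue these certificates. (Format assumed.)
type IntermediateCert struct {
	PublicKey []byte `json:"public_key"`
	NotBefore int64  `json:"not_before"` // Unix seconds, start of trust window
	NotAfter  int64  `json:"not_after"`  // Unix seconds, end of trust window
	Signature []byte `json:"signature,omitempty"`
}

// Manifest lists a release's files with their SHA-256 hashes and is signed
// by the intermediate key. (Format assumed.)
type Manifest struct {
	Release   string            `json:"release"`
	Files     map[string]string `json:"files"` // path -> hex-encoded SHA-256
	Signature []byte            `json:"signature,omitempty"`
}

// tbs returns the canonical "to be signed" bytes: the JSON encoding with the
// signature field cleared. encoding/json sorts map keys, so this is stable.
func (c IntermediateCert) tbs() []byte { c.Signature = nil; b, _ := json.Marshal(c); return b }
func (m Manifest) tbs() []byte         { m.Signature = nil; b, _ := json.Marshal(m); return b }

// IssueIntermediate is the only operation the root key performs: it signs a
// certificate granting an intermediate key a bounded trust window.
func IssueIntermediate(rootPriv ed25519.PrivateKey, intPub ed25519.PublicKey, from time.Time, validFor time.Duration) IntermediateCert {
	c := IntermediateCert{PublicKey: intPub, NotBefore: from.Unix(), NotAfter: from.Add(validFor).Unix()}
	c.Signature = ed25519.Sign(rootPriv, c.tbs())
	return c
}

// NewManifest hashes release file contents into a manifest.
func NewManifest(release string, files map[string][]byte) Manifest {
	m := Manifest{Release: release, Files: map[string]string{}}
	for path, content := range files {
		sum := sha256.Sum256(content)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest is the routine online signing step, done with the intermediate key.
func SignManifest(intPriv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(intPriv, m.tbs())
	return m
}

// VerifyChain is what an updating site runs. It trusts only the pinned root
// public key and checks root -> intermediate -> manifest, enforcing the window.
func VerifyChain(rootPub ed25519.PublicKey, cert IntermediateCert, m Manifest, now time.Time) error {
	// Length checks first: ed25519.Verify panics on a wrong-sized public key.
	if len(cert.PublicKey) != ed25519.PublicKeySize || len(cert.Signature) != ed25519.SignatureSize {
		return errors.New("malformed intermediate certificate")
	}
	if !ed25519.Verify(rootPub, cert.tbs(), cert.Signature) {
		return errors.New("intermediate certificate not signed by root")
	}
	if t := now.Unix(); t < cert.NotBefore || t > cert.NotAfter {
		return fmt.Errorf("intermediate key outside trust window (%d..%d)", cert.NotBefore, cert.NotAfter)
	}
	if len(m.Signature) != ed25519.SignatureSize || !ed25519.Verify(ed25519.PublicKey(cert.PublicKey), m.tbs(), m.Signature) {
		return errors.New("manifest not signed by the certified intermediate key")
	}
	return nil
}

// VerifyFile checks downloaded content against the signed manifest hash.
// Call it only after VerifyChain has succeeded.
func VerifyFile(m Manifest, path string, content []byte) error {
	want, ok := m.Files[path]
	if !ok {
		return fmt.Errorf("%s is not listed in the manifest", path)
	}
	sum := sha256.Sum256(content)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: hash mismatch", path)
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the HSM-held root
	intPub, intPriv, _ := ed25519.GenerateKey(rand.Reader)
	issued := time.Unix(1700000000, 0)
	cert := IssueIntermediate(rootPriv, intPub, issued, 30*24*time.Hour)

	// Constructed sample release content, not a real Drupal file.
	files := map[string][]byte{"core/lib/Drupal.php": []byte("<?php // sample\n")}
	m := SignManifest(intPriv, NewManifest("sample-release", files))

	fmt.Println("within window:", VerifyChain(rootPub, cert, m, issued.Add(24*time.Hour)))
	fmt.Println("after window: ", VerifyChain(rootPub, cert, m, issued.Add(31*24*time.Hour)))
	fmt.Println("modified file:", VerifyFile(m, "core/lib/Drupal.php", []byte("<?php // changed\n")))
}
```

The point of the layering is visible in `VerifyChain`: a site never needs the root key online, a compromised intermediate key stops being useful once its window closes without any action on the site's side, and a manifest signed by any key the root did not certify fails before a single file hash is compared.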

The Automatic Updates Initiative was a collaboration between the Drupal Association, the European Commission, Acquia, Pantheon, MTech, and Tag1Consulting. We particularly want to thank contributor mbaynton for his work on the architecture of the signing oracle.