Issue #20729 has been updated by Peter Meier.
The catalog itself is not very static, as it is compiled on the master based on a lot of dynamic information (facts, hiera, etc.). Also, the contents of file sources are not included in the shipped catalog, which can be another moving part of your catalog. IMHO such a feature would only be feasible in combination with the static catalog feature, and if the catalogs were compiled offline on the machine containing the private key so they can be signed there. But that would make the whole thing (uhhh) very static.

It is correct that the puppetmaster becomes a very crucial part of your infrastructure and it is therefore important that it is secured accordingly. However, there is always a tradeoff between an environment that is able to change quickly and a very safe environment.

Btw: I think the idea with the static catalog could already be hacked up - in combination with the pre_prun parameter - without extending puppet core.

----------------------------------------
Feature #20729: Have a way to sign the catalog offline so the puppetmaster server doesn't have to be trusted
https://projects.puppetlabs.com/issues/20729#change-91627

* Author: Pedro Côrte-Real
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------

As I was reviewing the security of my servers I realized that gaining root on the puppetmaster means gaining root everywhere, as you can push whatever configuration you want to another server. It would be great if all the puppet resources served by the puppetmaster were signed by a private key that the puppetmaster doesn't hold, so that the clients could check that key and not have to trust the puppetmaster.