James Green jg@jmkg.net writes:
Six 'trusted' employees, six 'secure' servers. Employees are minor shareholders in the company. For an upgrade to be pushed out, a majority of the trusted employees must submit the same upgrade package to a majority of the servers, and the servers between them must agree that the upgrade is verified as coming from the claimed sources. Combined, they should check out. If any one employee, or one machine, were to raise a black flag, the process is aborted. In the event that a bad upgrade is indeed rolled out, any two employees can activate a rollback procedure (which I can't think of procedurally right now).
Have you considered doing the verification end-to-end, i.e. the clients have a public key on them and verify the image with that? Then the important thing becomes protecting the private half of the key rather than maintaining and protecting multiple trusted servers.
(How do the clients currently tell that the upgrade comes from the right place? I hope they're not relying on IP address or hostname over the internet!)
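The end-to-end check suggested in the reply, combined with the majority-of-employees rule from the quoted design, as an added Go example that is not code from either poster: the client ships with the signers' public keys and accepts an image only when enough distinct signers have validly signed it, and any bad signature aborts. The 4-of-6 threshold, the use of ed25519 over a SHA-256 digest, and the key set are assumptions for the demonstration, not details from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signature is one trusted employee's endorsement of an image:
// an ed25519 signature over the image's SHA-256 digest.
type Signature struct {
	Signer int // index into the client's embedded key list
	Sig    []byte
}

// Verifier is the client side: the public keys baked in at build time
// and the quorum required (4 of 6, a majority, in the thread's setup).
type Verifier struct {
	Keys      []ed25519.PublicKey
	Threshold int
}

// Verify accepts an image only if at least Threshold distinct known
// signers endorsed exactly this image; one bad or unknown signature
// aborts the upgrade, matching the "any one raises a black flag" rule.
func (v Verifier) Verify(image []byte, sigs []Signature) error {
	digest := sha256.Sum256(image)
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Signer < 0 || s.Signer >= len(v.Keys) {
			return fmt.Errorf("unknown signer %d", s.Signer)
		}
		if !ed25519.Verify(v.Keys[s.Signer], digest[:], s.Sig) {
			return fmt.Errorf("bad signature from signer %d", s.Signer)
		}
		seen[s.Signer] = true // a repeated signer only counts once
	}
	if len(seen) < v.Threshold {
		return fmt.Errorf("%d valid signers, need %d", len(seen), v.Threshold)
	}
	return nil
}

// Sign runs on an employee's machine with their private key; the client
// never holds it, so the signing keys are all that needs protecting.
func Sign(priv ed25519.PrivateKey, signer int, image []byte) Signature {
	digest := sha256.Sum256(image)
	return Signature{Signer: signer, Sig: ed25519.Sign(priv, digest[:])}
}
```

With this layout the servers only distribute bytes; whether they are compromised or impersonated over the network no longer decides what the client installs.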