Windows code signing… (@thor @zwass)
# core
s
Windows code signing… (@thor @zwass)
Nick and I were emailing with Michael. Nick has whatever I have there
My hunch is that we cannot renew; we need it backed by an HSM. Nick was starting to go down the route via ssl.com, I think that’s worth continuing. Getting it into GCP would be a win
And we should start the osquery validation with whatever we need
t
Yeah so I had very nearly gotten the Google cloud HSM online, and was exploring that route, but if it's faster to just get Digicert to cut the HSM hosting for us I think it's also worth exploring to just get back online before the next release
I emailed support to see what's required and how much that'd cost to do, but I think it's a good option. I can investigate the SSL.com route as well if they have something similar for HSM hosting options, but I'm down to throw money at this to just get it back online
s
I think either way, we should be doing it as osquery. Even if we delay a release for it
I don’t have strong feelings about ssl.com hosted by google vs digicert. At some level, whatever feels most maintainable with some awareness of cost
t
Yeah sure, that sounds good. I think in general we just use the address provided by Michael in that email right?
s
I think so?
Whatever we do, we need to have an account with a CA that multiple people can use. 😆
t
Yes
I think there's a way for me to add a new organization on my digicert account, and that might be a path forward for getting the osquery branding on the signing cert
s
I think we’d just make a new digicert account
t
I don't actually think that bit matters, I think just whomever has an account can be linked to manage a verified identity
There's a spot for it in digicert, and just so it's known all of my digicert account creds are in the 1pass
s
I have prior art in getting the GCP signtool stuff working in github actions. I have no idea how to make the digicert keylocker stuff go.
t
All that we need to continue leveraging GCP would be the CSR cut from the HSM
I can add everyone on digicert and start adding a new OU that is osquery and start the verification process for that
s
You’re suggesting we use the key in GCP, and have it signed by digicert?
t
We'd host the key in GCP, but I'm under the impression that Digicert still cuts it
No? Or do we have GCP issue the key and digicert just signs it to verify it? This HSM hosting is new to me
s
With an HSM, the key is created in the HSM
z
If we are going to go with GCP, should we try to find a vendor that will allow it to be issued under the "osquery" name?
t
Yeah I'm filling out the OU part through digicert now
They should support that
s
We should move it to the osquery name, regardless.
Though it’ll probably be “osquery, a project under the linux foundation” or whatever
t
This is just the tooling I'm familiar with, we don't have to use it, but I think they support adding and managing users and OUs that are named as such
z
"osquery, a project under the linux foundation" seems fine to me
Ideally it doesn't have any individual's name
t
Is that the legal name?
We need legal name, phone, address, and then same for an organizational contact
And then I think they just set up a phone call and do address verification and that's it
s
The official info I have:
OSQUERY A Series of LF Projects, LLC
2810 N Church St, PMB 57274
Wilmington, Delaware 19802-4447
With an LF contact as:
Email: manager@lfprojects.org
Website: https://lfprojects.org
Signatory: Michael Dolan, Series Manager
There’s a twilio phone number linked to my cell phone
t
Perfect
s
That address was in the email thread. And I’ve now propagated it to the 1password vault
t
@seph what's that phone number, and is it only used for the osquery stuff?
s
14154803443 yes, only ever for osquery. You could try calling it and seeing if it still works
t
Will do in a minute. I'm going to list this as the organizational phone number, so Digicert will call this shortly after I submit the OU, and I'll add everyone to the users on the account.