# core
z
@seph I know you've worked through this kind of thing before with Apple... What organization name, DUNS number, and address are used for osquery?
Screenshot 2024-07-17 at 2.20.36 PM.png
Looks like Tax ID or Registered Business Number would work but I think you've got a DUNS from LF in the past?
s
Are you in our 1password account?
z
Yes
Ah I see it!
s
I was going to point you there
That screenshot is Azure. I know knowing about Azure and it makes me cry. Which isn’t to say you shouldn’t use it, just that I cannot.
z
lol
oh no
MS has the best pricing and the offering seems pretty good
s
You probably need a phone number. 1 415 480 3443 is a twilio number that probably goes to Nick, but we can repoint that
🤷 Other people can use it, but it really does make me personally unhappy. It’s all a confusing morass of terrible Windows 2000 UIs and I find it incomprehensible. But I hear the product is solid.
z
yes it certainly is an awful UI
s
I think you want the DE address, not the CA one.
mmm, don’t use tsc@, there’s some cert address
z
I could create a catch-all or something else that sounds more official?
s
I’m pretty sure I made one already
z
s
codesign@osquery.io
it should have tsc@ on it
z
okay yeah can use that
s
I just forwarded an email to you @osquery.io from Michael Dolan. I think the 1p vault item covers it, but that’s the last thing he said to Nick about this
z
K so I put a request in and we'll see 🤷
s
Thank you for doing it
z
I may try digicert as well depending on what I hear. It's much pricier.
s
I would bias a little towards where we want the cert stored and how we hook it to GitHub Actions
IIRC Nick uses DigiCert, and they do not support things backed by a Google KMS, which makes it harder for us to use.
Where does Azure store the actual cert and key?
z
I was imagining using their action: https://github.com/marketplace/actions/trusted-signing
s
That implies it’s stored in some Azure HSM/KMS thing? Which we probably pay a trivial fee for? And they ship a cg plugin and help with GHA. This seems reasonable. But it’d be good to check those assumptions.
z
Yes it's $9.99/month and stored in an Azure HSM. All the new keys need to be HSM-backed.
That gives 5k signatures/month
s
Kolide stores the underlying key in Google’s KMS stuff, so which CAs we could use was bounded by who supported that. And then we follow Google’s docs for signtool integration. I’d have to check, but we probably pay less than $2/month.
z
Google provides an HSM that cheap?
Oh but you still must spend several hundred with the provider?
s
It’s the KMS side, not the HSM side. HSM is dedicated hardware and expensive. KMS is dirt cheap
But we still spent $300ish with the CA
Does $10/month replace the CA fee?
z
Yes I understand $10/month as all-in
MS issues the cert
s
Huh. That’s much more legit pricing
z
Yeah that's why I want to try them first
s
If the UI doesn’t make you cry, go for it.
I assume we’ll end up with an osquery account/org and either shared creds or invite more of us
z
Yeah I just created one under my email and if this works I'll invite others.