Channels
#core
Title
# core
t
thor
01/21/2021, 5:11 AM
@seph and @alessandrogario, re: the build pipeline, I double checked that the Gist I made previously is good, it still more or less looks like the steps I follow to produce the signed packages. I'll update it with my test plan also: https://gist.github.com/muffins/7925e8bf8aed3230e82eb0f67f379389
s
seph
01/21/2021, 5:22 AM
I think I have a slightly older version of that in https://gist.github.com/directionless/767825510afc3cce99dfeb1d4eadb67a
t
thor
01/21/2021, 6:21 AM
Ah, yeah probably, I did a few updates this evening
a
alessandrogario
01/22/2021, 9:11 PM
This is great! Thanks š I am integrating this in the signing workflow
Turns out that the Windows signing process seem to be the most sane one
s
seph
01/22/2021, 9:14 PM
I wouldn't go that far
a
alessandrogario
01/22/2021, 9:15 PM
it seems to be a simple call to signtool.exe regardless of target (.exe or .msi) š¤
s
seph
01/22/2021, 9:16 PM
Windows code signing, natively, uses signtool. Poorly documented, and it offers the promise of power and plugins but the reality is ugly.
And I think you have to be at a console -- I can't get signtool to work remotely
Apple is basically the same. Codesign is trivial, with similar limitations and annoyance. (Notarize is a separate beast)
a
alessandrogario
01/22/2021, 9:17 PM
Ah yes i was also considering notarization
s
seph
01/22/2021, 9:17 PM
Other than the async part, it's pretty simple.
Oh. Unmentioned here is windows smart screen reputation. This part is horrible
Windows code signing is based on easy to get x509 certs. This means malware authors have them too. Microsoftās āsolutionā to this is to add reputation to the smart screen checks. If you donāt have enough reputation, when you exec things, you get an extra āare you sure you want to click thisā link.
Reputation may be build by buying an expensive EV cert (which requires hardware HSMs). Or by having an unknown number of downloads of a regular cert.
Thereās some indication that you can use cloud HSMs, but thereās a lot of poorly documented ground,
a
alessandrogario
01/22/2021, 9:26 PM
I am currently using a simple self-signed cert; I am not sure how we are going to proceed here
I think Windows is almost ready, then it's macOS time
and after that, we'll need keys
s
seph
01/22/2021, 9:26 PM
I expect weāll buy a standard cert
š 2
a
alessandrogario
01/22/2021, 9:45 PM
Do you happen to know what kind of key we are using for Linux?
s
seph
01/22/2021, 9:54 PM
Pretty sure we have a gpg key that Teddy uses. Itās in 1password
a
alessandrogario
01/22/2021, 9:59 PM
i'm assuming we are going to rotate it, can you become our keymaster? š
s
seph
01/22/2021, 9:59 PM
I donāt have any plans to rotate it.
a
alessandrogario
01/22/2021, 10:00 PM
is that key personal or dedicated to osquery?
s
seph
01/22/2021, 10:01 PM
No clue! Letās see
Iād assume itās a dedicated key)
a
alessandrogario
01/22/2021, 10:01 PM
if it's personal it may not be the best to make it available through the CI
i think i had access to 1password, but it was on the other laptop
s
seph
01/22/2021, 10:03 PM
Itās key 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Which is osquery@fb.com
š 1
We could rotate it, but š¤·
Iād say use a self signed key, and weāll swap it out later?
a
alessandrogario
01/22/2021, 10:04 PM
oh yeah, I'll use a self-signed key for now
I was wondering what the next steps are when we need to start
seems like we have a plan for all three keys!
s
seph
01/22/2021, 10:05 PM
We should check with Nick for windows. I donāt know if we want to use his, or buy anew.
Long term, obviously buy. But maybe thereās an argument for something else.
For macOS, do you know what format that key should be in? And where I should upload it?
a
alessandrogario
01/22/2021, 10:06 PM
macOS is where I'll need help the most
I was able to run codesign and do the notarization in the past, but for the keys I always had to log into Xcode and ask it to download them locally through the UI
s
seph
01/22/2021, 10:09 PM
I wonder if I should iterate on a github workflow.
a
alessandrogario
01/22/2021, 10:10 PM
i would appreciate a lot to get some help on the macOS side!
s
seph
01/22/2021, 10:10 PM
I suspect we need to find prior art ā my experience so far is that this all requires a console login, else the keychain stuff is weirdly locked
a
alessandrogario
01/22/2021, 10:10 PM
your go code is way cleaner than my hackish bash approach
s
seph
01/22/2021, 10:11 PM
Thatās why I wrote go š
Looking at secrets ā github supports repo level secrets, and also org ones, And it looks like the org ones need to be opted in for repos
That makes me think our secrets should be org level, and then only exposed to this repo?
a
alessandrogario
01/22/2021, 10:14 PM
Are those secrets going to be shared to multiple repos?
s
seph
01/22/2021, 10:14 PM
No idea!
But it feel like an okay pattern since we might move this code around
Iād feel less okay if it wasnāt selectable how it was shared
https://github.com/osquery/osquery-codesign/settings/secrets/actions is org level. Iām not even sure you can see the contents outside of the org management panel and the workflow jobs
t
thor
01/23/2021, 4:20 AM
The only argument I'd make for continuing to use mine is what y'all have already uncovered - my rep is high enough that we don't get flagged I don't think, so I'd be happy to continue using mine. That being said we'll inevitably need to switch over to an osquery based Windows cert anyway, so might as well start building that rep now š
Sorry for the delay in my response!
Lemme know what y'all wanna do either way!
3 Views