Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
thor
01/21/2021, 5:11 AM@seph and @alessandrogario, re: the build pipeline, I double checked that the Gist I made previously is good, it still more or less looks like the steps I follow to produce the signed packages. I'll update it with my test plan also: https://gist.github.com/muffins/7925e8bf8aed3230e82eb0f67f379389
s
seph
01/21/2021, 5:22 AMI think I have a slightly older version of that in https://gist.github.com/directionless/767825510afc3cce99dfeb1d4eadb67a
t
thor
01/21/2021, 6:21 AMAh, yeah probably, I did a few updates this evening
a
alessandrogario
01/22/2021, 9:11 PMThis is great! Thanks š I am integrating this in the signing workflow
Turns out that the Windows signing process seem to be the most sane one
s
seph
01/22/2021, 9:14 PMI wouldn't go that far
a
alessandrogario
01/22/2021, 9:15 PMit seems to be a simple call to signtool.exe regardless of target (.exe or .msi) š¤
s
seph
01/22/2021, 9:16 PMWindows code signing, natively, uses signtool. Poorly documented, and it offers the promise of power and plugins but the reality is ugly.
And I think you have to be at a console -- I can't get signtool to work remotely
Apple is basically the same. Codesign is trivial, with similar limitations and annoyance. (Notarize is a separate beast)
a
alessandrogario
01/22/2021, 9:17 PMAh yes i was also considering notarization
s
seph
01/22/2021, 9:17 PMOther than the async part, it's pretty simple.
Oh. Unmentioned here is windows smart screen reputation. This part is horrible
Windows code signing is based on easy to get x509 certs. This means malware authors have them too. Microsoftās āsolutionā to this is to add reputation to the smart screen checks. If you donāt have enough reputation, when you exec things, you get an extra āare you sure you want to click thisā link.
Reputation may be build by buying an expensive EV cert (which requires hardware HSMs). Or by having an unknown number of downloads of a regular cert.
Thereās some indication that you can use cloud HSMs, but thereās a lot of poorly documented ground,
a
alessandrogario
01/22/2021, 9:26 PMI am currently using a simple self-signed cert; I am not sure how we are going to proceed here
I think Windows is almost ready, then it's macOS time
and after that, we'll need keys
s
seph
01/22/2021, 9:26 PMI expect weāll buy a standard cert
š 2
a
alessandrogario
01/22/2021, 9:45 PMDo you happen to know what kind of key we are using for Linux?
s
seph
01/22/2021, 9:54 PMPretty sure we have a gpg key that Teddy uses. Itās in 1password
a
alessandrogario
01/22/2021, 9:59 PMi'm assuming we are going to rotate it, can you become our keymaster? š
s
seph
01/22/2021, 9:59 PMI donāt have any plans to rotate it.
a
alessandrogario
01/22/2021, 10:00 PMis that key personal or dedicated to osquery?
s
seph
01/22/2021, 10:01 PMNo clue! Letās see
Iād assume itās a dedicated key)
a
alessandrogario
01/22/2021, 10:01 PMif it's personal it may not be the best to make it available through the CI
i think i had access to 1password, but it was on the other laptop
s
seph
01/22/2021, 10:03 PMItās key 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
Which is osquery@fb.com
š 1
We could rotate it, but š¤·
Iād say use a self signed key, and weāll swap it out later?
a
alessandrogario
01/22/2021, 10:04 PMoh yeah, I'll use a self-signed key for now
I was wondering what the next steps are when we need to start
seems like we have a plan for all three keys!
s
seph
01/22/2021, 10:05 PMWe should check with Nick for windows. I donāt know if we want to use his, or buy anew.
Long term, obviously buy. But maybe thereās an argument for something else.
For macOS, do you know what format that key should be in? And where I should upload it?
a
alessandrogario
01/22/2021, 10:06 PMmacOS is where I'll need help the most
I was able to run codesign and do the notarization in the past, but for the keys I always had to log into Xcode and ask it to download them locally through the UI
s
seph
01/22/2021, 10:09 PMI wonder if I should iterate on a github workflow.
a
alessandrogario
01/22/2021, 10:10 PMi would appreciate a lot to get some help on the macOS side!
s
seph
01/22/2021, 10:10 PMI suspect we need to find prior art ā my experience so far is that this all requires a console login, else the keychain stuff is weirdly locked
a
alessandrogario
01/22/2021, 10:10 PMyour go code is way cleaner than my hackish bash approach
s
seph
01/22/2021, 10:11 PMThatās why I wrote go š
Looking at secrets ā github supports repo level secrets, and also org ones, And it looks like the org ones need to be opted in for repos
That makes me think our secrets should be org level, and then only exposed to this repo?
a
alessandrogario
01/22/2021, 10:14 PMAre those secrets going to be shared to multiple repos?
s
seph
01/22/2021, 10:14 PMNo idea!
But it feel like an okay pattern since we might move this code around
Iād feel less okay if it wasnāt selectable how it was shared
https://github.com/osquery/osquery-codesign/settings/secrets/actions is org level. Iām not even sure you can see the contents outside of the org management panel and the workflow jobs
t
thor
01/23/2021, 4:20 AMThe only argument I'd make for continuing to use mine is what y'all have already uncovered - my rep is high enough that we don't get flagged I don't think, so I'd be happy to continue using mine. That being said we'll inevitably need to switch over to an osquery based Windows cert anyway, so might as well start building that rep now š
Sorry for the delay in my response!
Lemme know what y'all wanna do either way!