
thor

01/21/2021, 5:11 AM
@seph and @alessandrogario, re: the build pipeline, I double checked that the Gist I made previously is good, it still more or less looks like the steps I follow to produce the signed packages. I'll update it with my test plan also: https://gist.github.com/muffins/7925e8bf8aed3230e82eb0f67f379389

seph

01/21/2021, 5:22 AM
I think I have a slightly older version of that in https://gist.github.com/directionless/767825510afc3cce99dfeb1d4eadb67a

thor

01/21/2021, 6:21 AM
Ah, yeah probably, I did a few updates this evening

alessandrogario

01/22/2021, 9:11 PM
This is great! Thanks 🙂 I am integrating this in the signing workflow
Turns out that the Windows signing process seems to be the most sane one

seph

01/22/2021, 9:14 PM
I wouldn't go that far

alessandrogario

01/22/2021, 9:15 PM
it seems to be a simple call to signtool.exe regardless of target (.exe or .msi) 🤔

seph

01/22/2021, 9:16 PM
Windows code signing, natively, uses signtool. Poorly documented, and it offers the promise of power and plugins but the reality is ugly. And I think you have to be at a console -- I can't get signtool to work remotely
Apple is basically the same. Codesign is trivial, with similar limitations and annoyance. (Notarize is a separate beast)

alessandrogario

01/22/2021, 9:17 PM
Ah yes, I was also considering notarization

seph

01/22/2021, 9:17 PM
Other than the async part, it's pretty simple.
Oh. Unmentioned here is Windows SmartScreen reputation. This part is horrible. Windows code signing is based on easy-to-get x509 certs. This means malware authors have them too. Microsoft’s “solution” to this is to add reputation to the SmartScreen checks. If you don’t have enough reputation, when you exec things, you get an extra “are you sure you want to click this” link. Reputation may be built by buying an expensive EV cert (which requires hardware HSMs), or by having an unknown number of downloads of a regular cert.
There’s some indication that you can use cloud HSMs, but there’s a lot of poorly documented ground.

alessandrogario

01/22/2021, 9:26 PM
I am currently using a simple self-signed cert; I am not sure how we are going to proceed here
I think Windows is almost ready, then it's macOS time
and after that, we'll need keys

seph

01/22/2021, 9:26 PM
I expect we’ll buy a standard cert
🎉 2

alessandrogario

01/22/2021, 9:45 PM
Do you happen to know what kind of key we are using for Linux?

seph

01/22/2021, 9:54 PM
Pretty sure we have a gpg key that Teddy uses. It’s in 1password

alessandrogario

01/22/2021, 9:59 PM
I'm assuming we are going to rotate it, can you become our keymaster? 😄

seph

01/22/2021, 9:59 PM
I don’t have any plans to rotate it.

alessandrogario

01/22/2021, 10:00 PM
is that key personal or dedicated to osquery?

seph

01/22/2021, 10:01 PM
No clue! Let’s see
I’d assume it’s a dedicated key

alessandrogario

01/22/2021, 10:01 PM
if it's personal it may not be the best to make it available through the CI
I think I had access to 1password, but it was on the other laptop

seph

01/22/2021, 10:03 PM
It’s key 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B Which is osquery@fb.com
🎉 1
We could rotate it, but 🤷
I’d say use a self signed key, and we’ll swap it out later?

alessandrogario

01/22/2021, 10:04 PM
oh yeah, I'll use a self-signed key for now
I was wondering what the next steps are when we need to start
seems like we have a plan for all three keys!

seph

01/22/2021, 10:05 PM
We should check with Nick for windows. I don’t know if we want to use his, or buy anew.
Long term, obviously buy. But maybe there’s an argument for something else.
For macOS, do you know what format that key should be in? And where I should upload it?

alessandrogario

01/22/2021, 10:06 PM
macOS is where I'll need help the most
I was able to run codesign and do the notarization in the past, but for the keys I always had to log into Xcode and ask it to download them locally through the UI

seph

01/22/2021, 10:09 PM
I wonder if I should iterate on a github workflow.

alessandrogario

01/22/2021, 10:10 PM
I would really appreciate some help on the macOS side!

seph

01/22/2021, 10:10 PM
I suspect we need to find prior art — my experience so far is that this all requires a console login, else the keychain stuff is weirdly locked

alessandrogario

01/22/2021, 10:10 PM
your go code is way cleaner than my hackish bash approach

seph

01/22/2021, 10:11 PM
That’s why I wrote go 😛
Looking at secrets — GitHub supports repo level secrets, and also org ones, and it looks like the org ones need to be opted in for repos
That makes me think our secrets should be org level, and then only exposed to this repo?

alessandrogario

01/22/2021, 10:14 PM
Are those secrets going to be shared to multiple repos?

seph

01/22/2021, 10:14 PM
No idea!
But it feels like an okay pattern since we might move this code around
I’d feel less okay if it wasn’t selectable how it was shared
https://github.com/osquery/osquery-codesign/settings/secrets/actions is org level. I’m not even sure you can see the contents outside of the org management panel and the workflow jobs

thor

01/23/2021, 4:20 AM
The only argument I'd make for continuing to use mine is what y'all have already uncovered: my rep is high enough that we don't get flagged, I don't think, so I'd be happy to continue using mine. That being said, we'll inevitably need to switch over to an osquery-based Windows cert anyway, so might as well start building that rep now 😛
Sorry for the delay in my response!
Lemme know what y'all wanna do either way!