#core

thor

01/21/2021, 5:11 AM
@seph and @alessandrogario, re: the build pipeline, I double checked that the Gist I made previously is good, it still more or less looks like the steps I follow to produce the signed packages. I'll update it with my test plan also: https://gist.github.com/muffins/7925e8bf8aed3230e82eb0f67f379389

seph

01/21/2021, 5:22 AM
I think I have a slightly older version of that in https://gist.github.com/directionless/767825510afc3cce99dfeb1d4eadb67a

thor

01/21/2021, 6:21 AM
Ah, yeah probably, I did a few updates this evening

alessandrogario

01/22/2021, 9:11 PM
This is great! Thanks 🙂 I am integrating this in the signing workflow
9:11 PM
Turns out that the Windows signing process seems to be the most sane one

seph

01/22/2021, 9:14 PM
I wouldn't go that far

alessandrogario

01/22/2021, 9:15 PM
it seems to be a simple call to signtool.exe regardless of target (.exe or .msi) 🤔

seph

01/22/2021, 9:16 PM
Windows code signing, natively, uses signtool. Poorly documented, and it offers the promise of power and plugins but the reality is ugly. And I think you have to be at a console -- I can't get signtool to work remotely
9:16 PM
Apple is basically the same. Codesign is trivial, with similar limitations and annoyance. (Notarize is a separate beast)

alessandrogario

01/22/2021, 9:17 PM
Ah yes, I was also considering notarization

seph

01/22/2021, 9:17 PM
Other than the async part, it's pretty simple.
9:25 PM
Oh. Unmentioned here is Windows SmartScreen reputation. This part is horrible. Windows code signing is based on easy-to-get x509 certs. This means malware authors have them too. Microsoft’s “solution” to this is to add reputation to the SmartScreen checks. If you don’t have enough reputation, when you exec things, you get an extra “are you sure you want to click this” link. Reputation may be built by buying an expensive EV cert (which requires hardware HSMs), or by having an unknown number of downloads of a regular cert.
9:26 PM
There’s some indication that you can use cloud HSMs, but there’s a lot of poorly documented ground.

alessandrogario

01/22/2021, 9:26 PM
I am currently using a simple self-signed cert; I am not sure how we are going to proceed here
9:26 PM
I think Windows is almost ready, then it's macOS time
9:26 PM
and after that, we'll need keys

seph

01/22/2021, 9:26 PM
I expect we’ll buy a standard cert

alessandrogario

01/22/2021, 9:45 PM
Do you happen to know what kind of key we are using for Linux?

seph

01/22/2021, 9:54 PM
Pretty sure we have a gpg key that Teddy uses. It’s in 1password

alessandrogario

01/22/2021, 9:59 PM
I'm assuming we are going to rotate it, can you become our keymaster? 😄

seph

01/22/2021, 9:59 PM
I don’t have any plans to rotate it.

alessandrogario

01/22/2021, 10:00 PM
is that key personal or dedicated to osquery?

seph

01/22/2021, 10:01 PM
No clue! Let’s see
10:01 PM
I’d assume it’s a dedicated key

alessandrogario

01/22/2021, 10:01 PM
If it's personal it may not be the best to make it available through the CI
10:02 PM
I think I had access to 1password, but it was on the other laptop

seph

01/22/2021, 10:03 PM
It’s key 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B, which is osquery@fb.com
10:03 PM
We could rotate it, but 🤷
10:03 PM
I’d say use a self signed key, and we’ll swap it out later?

alessandrogario

01/22/2021, 10:04 PM
oh yeah, I'll use a self-signed key for now
10:04 PM
I was wondering what the next steps are when we need to start
10:04 PM
seems like we have a plan for all three keys!

seph

01/22/2021, 10:05 PM
We should check with Nick for windows. I don’t know if we want to use his, or buy anew.
10:05 PM
Long term, obviously buy. But maybe there’s an argument for something else.
10:05 PM
For macOS, do you know what format that key should be in? And where I should upload it?

alessandrogario

01/22/2021, 10:06 PM
macOS is where I'll need help the most
10:07 PM
I was able to run codesign and do the notarization in the past, but for the keys I always had to log into Xcode and ask it to download them locally through the UI

seph

01/22/2021, 10:09 PM
I wonder if I should iterate on a github workflow.

alessandrogario

01/22/2021, 10:10 PM
I would appreciate a lot to get some help on the macOS side!

seph

01/22/2021, 10:10 PM
I suspect we need to find prior art — my experience so far is that this all requires a console login, else the keychain stuff is weirdly locked

alessandrogario

01/22/2021, 10:10 PM
Your Go code is way cleaner than my hackish bash approach

seph

01/22/2021, 10:11 PM
That’s why I wrote Go 😛
10:12 PM
Looking at secrets — GitHub supports repo-level secrets, and also org ones, and it looks like the org ones need to be opted in for repos
10:13 PM
That makes me think our secrets should be org level, and then only exposed to this repo?

alessandrogario

01/22/2021, 10:14 PM
Are those secrets going to be shared to multiple repos?

seph

01/22/2021, 10:14 PM
No idea!
10:19 PM
But it feels like an okay pattern since we might move this code around
10:19 PM
I’d feel less okay if it wasn’t selectable how it was shared
10:22 PM
https://github.com/osquery/osquery-codesign/settings/secrets/actions is org level. I’m not even sure you can see the contents outside of the org management panel and the workflow jobs

thor

01/23/2021, 4:20 AM
The only argument I'd make for continuing to use mine is what y'all have already uncovered - my rep is high enough that we don't get flagged I don't think, so I'd be happy to continue using mine. That being said we'll inevitably need to switch over to an osquery based Windows cert anyway, so might as well start building that rep now 😛
4:21 AM
Sorry for the delay in my response!
4:21 AM
Lemme know what y'all wanna do either way!