launcher icon indicating copy to clipboard operation
launcher copied to clipboard
verified publisher icon kolide

Upcoming changes to windows codesigning

Open directionless opened this issue 2 years ago • 2 comments

Recently, the standards for certificate storage on code signing certs changed. Basically, it needs to be in hardware. There are cloud based things, but we have to figure out how to use them. I did some research before, but I expect the world is smoother now.

https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html has some info

directionless avatar Aug 05 '23 01:08 directionless

We'll want to close this issue before April 2024.

Cloud KMSes we could consider:

  • GCP's Cloud KMS / Cloud HSM: https://cloud.google.com/kms/docs/hsm
  • SSL eSigner: https://www.ssl.com/esigner/
  • Digicert ONE / Digicert KeyLocker: https://www.digicert.com/digicert-one, https://knowledge.digicert.com/solution/digicert-keylocker.html
  • AWS KMS: https://aws.amazon.com/kms/
  • Azure Key Vault: https://azure.microsoft.com/en-us/products/key-vault/
  • HashiCorp Vault: https://www.vaultproject.io/

Spent a bit looking into Cloud HSM today -- if we want to use Cloud HSM, which fulfills the requirements for storage, it looks like we'd probably need to use jsign instead of signtool. (It might be possible to re-create something like this in our packaging tool, but probably a bit of a pain.) jsign, incidentally, works with all the KMSes listed above.

RebeccaMahany avatar Aug 28 '23 21:08 RebeccaMahany

I know I have some browser tabs about this... 😆

  • I think the best one is https://github.com/nextgens/authenticode-sign-action which you found.
  • https://www.ssl.com/guide/supported-cloud-hsms-document-signing-ev-code-signing/ has some more info about ssl.com's handling. Interesting to see the pricing
  • https://stackoverflow.com/questions/57627916/microsoft-authenticode-code-signing-ev-google-cloud-hsm references osslsigncode (an open source tool I've used before, though jsign) might be easier

I suspect we should land in Google HMS (since that's where everything we do is) and probably try osslsigncode and jsign

I also have this note that https://blog.trailofbits.com/2020/05/27/verifying-windows-binaries-without-windows/ might have a good verification

directionless avatar Sep 01 '23 11:09 directionless

I think this shipped.

directionless avatar Apr 24 '24 12:04 directionless