
Sign Windows CLI #359


Closed
Tracked by #778
kylecarbs opened this issue Feb 24, 2022 · 21 comments · Fixed by #13086
Labels: api (Area: HTTP API), cli (Area: CLI)

Comments

@kylecarbs
Member

kylecarbs commented Feb 24, 2022

Acceptance Criteria
As a user, I want the Coder CLI on Windows signed because of organization security policy and peace of mind that the CLI is secure.

Use osslsigncode to sign the Windows binary on Linux during release.

This is NOT the extended validation version.

Edit (04.18.24): We want to do extended validation as well

Edit: See #359 (comment) for game plan

@deansheather
Member

We can't use osslsigncode because it doesn't support Google Cloud HSM. We will probably want to use jsign instead: https://ebourg.github.io/jsign/

@kylecarbs
Member Author

This is how the GitHub CLI does it:
https://github.com/cli/cli/blob/trunk/.github/workflows/releases.yml#L32-L38

Not sure if it's entirely applicable though...

@deansheather
Member

If we're OK with not doing extended validation signing then osslsigncode will be OK.

@kylecarbs
Member Author

Ahhhh

@misskniss

This comment was marked as off-topic.

@deansheather
Member

depends on if we want extended validation or not... this is probably a 3 if not but could be up to an 8 if so

@misskniss misskniss changed the title Sign Windows CLI Sign Windows CLI (small) May 17, 2022
@tjcran

This comment was marked as off-topic.

@kylecarbs kylecarbs changed the title Sign Windows CLI (small) Sign Windows CLI Jul 11, 2022
@misskniss misskniss removed this from the Enterprise MVP milestone Jul 22, 2022
@f0ssel f0ssel closed this as completed Jul 28, 2022
@f0ssel f0ssel closed this as not planned Won't fix, can't repro, duplicate, stale Jul 28, 2022
@kylecarbs kylecarbs reopened this Nov 8, 2023
@bpmct
Member

bpmct commented Nov 14, 2023

Kyle wants this :)

@bpmct bpmct closed this as not planned Won't fix, can't repro, duplicate, stale Mar 5, 2024
@kylecarbs kylecarbs reopened this Mar 13, 2024
@coder-labeler coder-labeler bot added cli Area: CLI feature labels Mar 13, 2024
@michaelbrewer
Contributor

@kylecarbs - I just noticed this on Windows machines that want to use VSCode Desktop, as it fails to run the Coder CLI. Hopefully this fixes this issue!

@bpmct
Member

bpmct commented Apr 9, 2024

Slotting this in as a candidate for our next sprint as several folks need this as a long-term solution for rolling out Coder to Windows users.

@kylecarbs
Member Author

@bpmct
Member

bpmct commented Apr 23, 2024

Game plan:

  • Test whether Google Cloud HSM can sign Windows artifacts with a self-signed cert (needs owner)
  • Pick a vendor or tool we feel good with (needs owner)
  • Do the paperwork (@bpmct)
  • Modify our CI pipeline to sign Windows binaries (needs owner)

@bpmct bpmct assigned bpmct and unassigned sreya Apr 23, 2024
@michaelbrewer
Contributor

michaelbrewer commented Apr 23, 2024

  • Beers 🍻

@michaelbrewer
Contributor

@kylecarbs I think we need some instructions on how to allow for these new signed exes in tools like CyberArk. So far this is not working.

@sreya
Collaborator

sreya commented May 10, 2024

@michaelbrewer could you elaborate on what's not working?

@michaelbrewer
Contributor

Unfortunately I don't have a Windows machine, nor am I the person responsible for approving signed exes. But users are still getting an Application Blocked error.

@michaelbrewer
Contributor

@kylecarbs @sreya - looks like it was signed as Coder Technologies Inc. and previously Coder Technologies Inc.

In the future, exactness matters :)

@kylecarbs
Member Author

@michaelbrewer is all working now after that change?

@michaelbrewer
Contributor

No, unfortunately it is still being flagged and blocked by CyberArk. I am not sure how to resolve this. We tried both names.

@michaelbrewer
Contributor

@kylecarbs good news, we were able to get the signed exec working; waiting on how to document standard working instructions.
