tailscale/release/dist/qnap/files/scripts/sign-qpkg.sh

#! /usr/bin/env bash
set -xeu

mkdir -p "$HOME/.config/gcloud"
echo "$GCLOUD_CREDENTIALS_BASE64" | base64 --decode > /root/.config/gcloud/application_default_credentials.json
gcloud config set project "$GCLOUD_PROJECT"

echo "---
tokens:
  - key_ring: \"$GCLOUD_KEYRING\"
log_directory: "/tmp/kmsp11"
" > pkcs11-config.yaml
chmod 0600 pkcs11-config.yaml

export KMS_PKCS11_CONFIG=`readlink -f pkcs11-config.yaml`
export PKCS11_MODULE_PATH=/libkmsp11-1.6-linux-amd64/libkmsp11.so

# Verify signature of pkcs11 module
# See https://github.com/GoogleCloudPlatform/kms-integrations/blob/master/kmsp11/docs/user_guide.md#downloading-and-verifying-the-library
echo "-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtfLbXkHUVc9oUPTNyaEK3hIwmuGRoTtd
6zDhwqjJuYaMwNd1aaFQLMawTwZgR0Xn27ymVWtqJHBe0FU9BPIQ+SFmKw+9jSwu
/FuqbJnLmTnWMJ1jRCtyHNZawvv2wbiB
-----END PUBLIC KEY-----" > pkcs11-release-signing-key.pem
openssl dgst -sha384 -verify pkcs11-release-signing-key.pem -signature "$PKCS11_MODULE_PATH.sig" "$PKCS11_MODULE_PATH"

echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > cert.crt

openssl cms \
	-sign \
	-binary \
	-nodetach \
	-engine pkcs11 \
	-keyform engine \
	-inkey "pkcs11:object=$QNAP_SIGNING_KEY_NAME" \
	-keyopt rsa_padding_mode:pss \
	-keyopt rsa_pss_saltlen:digest \
	-signer cert.crt \
	-in "$1" \
	-out -
cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-04-15 11:50:39 -05:00			`#! /usr/bin/env bash`
			`set -xeu`

			`mkdir -p "$HOME/.config/gcloud"`
			`echo "$GCLOUD_CREDENTIALS_BASE64" \| base64 --decode > /root/.config/gcloud/application_default_credentials.json`
			`gcloud config set project "$GCLOUD_PROJECT"`

			`echo "---`
			`tokens:`
			`- key_ring: \"$GCLOUD_KEYRING\"`
			`log_directory: "/tmp/kmsp11"`
			`" > pkcs11-config.yaml`
			`chmod 0600 pkcs11-config.yaml`

			export KMS_PKCS11_CONFIG=`readlink -f pkcs11-config.yaml`
			`export PKCS11_MODULE_PATH=/libkmsp11-1.6-linux-amd64/libkmsp11.so`

			`# Verify signature of pkcs11 module`
			`# See https://github.com/GoogleCloudPlatform/kms-integrations/blob/master/kmsp11/docs/user_guide.md#downloading-and-verifying-the-library`
			`echo "-----BEGIN PUBLIC KEY-----`
			`MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtfLbXkHUVc9oUPTNyaEK3hIwmuGRoTtd`
			`6zDhwqjJuYaMwNd1aaFQLMawTwZgR0Xn27ymVWtqJHBe0FU9BPIQ+SFmKw+9jSwu`
			`/FuqbJnLmTnWMJ1jRCtyHNZawvv2wbiB`
			`-----END PUBLIC KEY-----" > pkcs11-release-signing-key.pem`
			`openssl dgst -sha384 -verify pkcs11-release-signing-key.pem -signature "$PKCS11_MODULE_PATH.sig" "$PKCS11_MODULE_PATH"`

			`echo "$QNAP_SIGNING_CERT_BASE64" \| base64 --decode > cert.crt`

			`openssl cms \`
			`-sign \`
			`-binary \`
			`-nodetach \`
			`-engine pkcs11 \`
			`-keyform engine \`
			`-inkey "pkcs11:object=$QNAP_SIGNING_KEY_NAME" \`
			`-keyopt rsa_padding_mode:pss \`
			`-keyopt rsa_pss_saltlen:digest \`
			`-signer cert.crt \`
			`-in "$1" \`
			`-out -`