{cmd/dist,release/dist}: add support for intermediary QNAP signing certificates

Updates #23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-08-24 03:48:15 +00:00 · 2025-08-15 15:45:17 -05:00
parent 6006bc92b5
commit 192fa6f05d
4 changed files with 31 additions and 23 deletions
--- a/release/dist/qnap/files/scripts/sign-qpkg.sh
+++ b/release/dist/qnap/files/scripts/sign-qpkg.sh
@@ -24,7 +24,9 @@ MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtfLbXkHUVc9oUPTNyaEK3hIwmuGRoTtd
 -----END PUBLIC KEY-----" > pkcs11-release-signing-key.pem
 openssl dgst -sha384 -verify pkcs11-release-signing-key.pem -signature "$PKCS11_MODULE_PATH.sig" "$PKCS11_MODULE_PATH"

-echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > cert.crt
+echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > signer.pem
+
+echo "$QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64" | base64 --decode > certs.pem

 openssl cms \
 	-sign \
@@ -35,6 +37,7 @@ openssl cms \
 	-inkey "pkcs11:object=$QNAP_SIGNING_KEY_NAME" \
 	-keyopt rsa_padding_mode:pss \
 	-keyopt rsa_pss_saltlen:digest \
-	-signer cert.crt \
+	-signer signer.pem \
+	-certfile certs.pem \
 	-in "$1" \
 	-out -
--- a/release/dist/qnap/pkgs.go
+++ b/release/dist/qnap/pkgs.go
@@ -27,11 +27,12 @@ type target struct {
 }

 type signer struct {
-	gcloudCredentialsBase64 string
-	gcloudProject           string
-	gcloudKeyring           string
-	keyName                 string
-	certificateBase64       string
+	gcloudCredentialsBase64         string
+	gcloudProject                   string
+	gcloudKeyring                   string
+	keyName                         string
+	certificateBase64               string
+	certificateIntermediariesBase64 string
 }

 func (t *target) String() string {
@@ -90,6 +91,7 @@ func (t *target) buildQPKG(b *dist.Build, qnapBuilds *qnapBuilds, inner *innerPk
 			"-e", fmt.Sprintf("GCLOUD_KEYRING=%s", t.signer.gcloudKeyring),
 			"-e", fmt.Sprintf("QNAP_SIGNING_KEY_NAME=%s", t.signer.keyName),
 			"-e", fmt.Sprintf("QNAP_SIGNING_CERT_BASE64=%s", t.signer.certificateBase64),
+			"-e", fmt.Sprintf("QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64=%s", t.signer.certificateIntermediariesBase64),
 			"-e", fmt.Sprintf("QNAP_SIGNING_SCRIPT=%s", "/sign-qpkg.sh"),
 			"-v", fmt.Sprintf("%s:/sign-qpkg.sh", filepath.Join(qnapBuilds.tmpDir, "files/scripts/sign-qpkg.sh")),
 		)
--- a/release/dist/qnap/targets.go
+++ b/release/dist/qnap/targets.go
@@ -18,15 +18,16 @@ import (
 // gcloudKeyring is the full path to the Google Cloud keyring containing the signing key.
 // keyName is the name of the key.
 // certificateBase64 is the PEM certificate to use in the signature, base64 encoded.
-func Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64 string) []dist.Target {
+func Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64, certificateIntermediariesBase64 string) []dist.Target {
 	var signerInfo *signer
-	if !slices.Contains([]string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64}, "") {
+	if !slices.Contains([]string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64, certificateIntermediariesBase64}, "") {
 		signerInfo = &signer{
-			gcloudCredentialsBase64: gcloudCredentialsBase64,
-			gcloudProject:           gcloudProject,
-			gcloudKeyring:           gcloudKeyring,
-			keyName:                 keyName,
-			certificateBase64:       certificateBase64,
+			gcloudCredentialsBase64:         gcloudCredentialsBase64,
+			gcloudProject:                   gcloudProject,
+			gcloudKeyring:                   gcloudKeyring,
+			keyName:                         keyName,
+			certificateBase64:               certificateBase64,
+			certificateIntermediariesBase64: certificateIntermediariesBase64,
 		}
 	}
 	return []dist.Target{