cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key

QNAP now requires builds to be signed with an HSM. This removes support for signing with a local keypair. This adds support for signing with a Google Cloud hosted key. The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest. The GCloud project, keyring and key name are passed in as command-line arguments. The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments. Updates tailscale/corp#23528 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-08-14 23:17:29 +00:00 · 2025-04-15 11:50:39 -05:00
parent 0c78f081a4
commit 26f31f73f4
5 changed files with 119 additions and 47 deletions
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -5,11 +5,13 @@
 package main

 import (
+	"cmp"
 	"context"
 	"errors"
 	"flag"
 	"log"
 	"os"
+	"slices"

 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
@@ -19,9 +21,12 @@ import (
 )

 var (
-	synologyPackageCenter bool
-	qnapPrivateKeyPath    string
-	qnapCertificatePath   string
+	synologyPackageCenter   bool
+	gcloudCredentialsBase64 string
+	gcloudProject           string
+	gcloudKeyring           string
+	qnapKeyName             string
+	qnapCertificateBase64   string
 )

 func getTargets() ([]dist.Target, error) {
@@ -42,10 +47,11 @@ func getTargets() ([]dist.Target, error) {
 	// To build for package center, run
 	// ./tool/go run ./cmd/dist build --synology-package-center synology
 	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
-	if (qnapPrivateKeyPath == "") != (qnapCertificatePath == "") {
-		return nil, errors.New("both --qnap-private-key-path and --qnap-certificate-path must be set")
+	qnapSigningArgs := []string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64}
+	if cmp.Or(qnapSigningArgs...) != "" && slices.Contains(qnapSigningArgs, "") {
+		return nil, errors.New("all of --gcloud-credentials, --gcloud-project, --gcloud-keyring, --qnap-key-name and --qnap-certificate must be set")
 	}
-	ret = append(ret, qnap.Targets(qnapPrivateKeyPath, qnapCertificatePath)...)
+	ret = append(ret, qnap.Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64)...)
 	return ret, nil
 }

@@ -54,8 +60,11 @@ func main() {
 	for _, subcmd := range cmd.Subcommands {
 		if subcmd.Name == "build" {
 			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-			subcmd.FlagSet.StringVar(&qnapPrivateKeyPath, "qnap-private-key-path", "", "sign qnap packages with given key (must also provide --qnap-certificate-path)")
-			subcmd.FlagSet.StringVar(&qnapCertificatePath, "qnap-certificate-path", "", "sign qnap packages with given certificate (must also provide --qnap-private-key-path)")
+			subcmd.FlagSet.StringVar(&gcloudCredentialsBase64, "gcloud-credentials", "", "base64 encoded GCP credentials (used when signing QNAP builds)")
+			subcmd.FlagSet.StringVar(&gcloudProject, "gcloud-project", "", "name of project in GCP KMS (used when signing QNAP builds)")
+			subcmd.FlagSet.StringVar(&gcloudKeyring, "gcloud-keyring", "", "path to keyring in GCP KMS (used when signing QNAP builds)")
+			subcmd.FlagSet.StringVar(&qnapKeyName, "qnap-key-name", "", "name of GCP key to use when signing QNAP builds")
+			subcmd.FlagSet.StringVar(&qnapCertificateBase64, "qnap-certificate", "", "base64 encoded certificate to use when signing QNAP builds")
 		}
 	}