TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-24 01:41:42 +00:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/release/dist/qnap/files/scripts/sign-qpkg.sh
Percy Wegmann 26f31f73f4 cmd/dist,release/dist: sign QNAP builds with a Google Cloud hosted key 
QNAP now requires builds to be signed with an HSM.

This removes support for signing with a local keypair.

This adds support for signing with a Google Cloud hosted key.

The key should be an RSA key with protection level `HSM` and that uses PSS padding and a SHA256 digest.

The GCloud project, keyring and key name are passed in as command-line arguments.

The GCloud credentials and the PEM signing certificate are passed in as Base64-encoded command-line arguments.

Updates tailscale/corp#23528

Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-04-17 08:39:31 -05:00

41 lines
1.3 KiB
Bash
Executable File
Raw Blame History

#! /usr/bin/env bash
set -xeu
mkdir -p "$HOME/.config/gcloud"
echo "$GCLOUD_CREDENTIALS_BASE64" | base64 --decode > /root/.config/gcloud/application_default_credentials.json
gcloud config set project "$GCLOUD_PROJECT"
echo "---
tokens:
- key_ring: \"$GCLOUD_KEYRING\"
log_directory: "/tmp/kmsp11"
" > pkcs11-config.yaml
chmod 0600 pkcs11-config.yaml
export KMS_PKCS11_CONFIG=`readlink -f pkcs11-config.yaml`
export PKCS11_MODULE_PATH=/libkmsp11-1.6-linux-amd64/libkmsp11.so
# Verify signature of pkcs11 module
# See https://github.com/GoogleCloudPlatform/kms-integrations/blob/master/kmsp11/docs/user_guide.md#downloading-and-verifying-the-library
echo "-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtfLbXkHUVc9oUPTNyaEK3hIwmuGRoTtd
6zDhwqjJuYaMwNd1aaFQLMawTwZgR0Xn27ymVWtqJHBe0FU9BPIQ+SFmKw+9jSwu
/FuqbJnLmTnWMJ1jRCtyHNZawvv2wbiB
-----END PUBLIC KEY-----" > pkcs11-release-signing-key.pem
openssl dgst -sha384 -verify pkcs11-release-signing-key.pem -signature "$PKCS11_MODULE_PATH.sig" "$PKCS11_MODULE_PATH"
echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > cert.crt
openssl cms \
-sign \
-binary \
-nodetach \
-engine pkcs11 \
-keyform engine \
-inkey "pkcs11:object=$QNAP_SIGNING_KEY_NAME" \
-keyopt rsa_padding_mode:pss \
-keyopt rsa_pss_saltlen:digest \
-signer cert.crt \
-in "$1" \
-out -
Reference in New Issue View Git Blame Copy Permalink