-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
win,tools: upgrade Windows signing to smctl #50956
Conversation
5258981
to
f318d9b
Compare
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker.
f318d9b
to
56ae5f6
Compare
Pinging @mhdawson and @richardlau since they have the biggest context on this. The current certificate expires in ~2 weeks, so I think we should try and push the PR this week, and hopefully land changes in both LTS branches by the end of this week or early next week. |
I see this PR has the |
Hey, @richardlau (pinging you because you approved the PR). Is there something else I should do before we land this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Fast-track has been requested by @mhdawson. Please 👍 to approve. |
PR has been opened for over a week so a fast-track is unnecessary (it can land as soon as the CI passes). |
Landed in 1ba508d |
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: nodejs#50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: #50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
This is a security release. Notable changes: crypto: * update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805 * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525 deps: * upgrade npm to 10.2.4 (npm team) #50751 * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614 * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com//pull/51614 * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614 http: * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520 lib: * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505 test: * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621 tools: * add macOS notarization verification step (Ulises Gascón) #50833 * use macOS keychain to notarize the releases (Ulises Gascón) #50715 * remove unused file (Ulises Gascon) #50622 * add macOS notarization stapler (Ulises Gascón) #50625 * improve macOS notarization process output readability (Ulises Gascón) #50389 * remove unused `version` function (Ulises Gascón) #50390 win,tools: * upgrade Windows signing to smctl (Stefan Stojanovic) #50956 zlib: * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542 PR-URL: nodejs-private/node-private#545
This is a security release. Notable changes: crypto: * update root certificates to NSS 3.95 (Node.js GitHub Bot) nodejs#50805 * disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525 deps: * upgrade npm to 10.2.4 (npm team) nodejs#50751 * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) nodejs#51614 * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com/nodejs/pull/51614 * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) nodejs#51614 http: * add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/520 lib: * update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/536 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505 test: * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) nodejs#49621 tools: * add macOS notarization verification step (Ulises Gascón) nodejs#50833 * use macOS keychain to notarize the releases (Ulises Gascón) nodejs#50715 * remove unused file (Ulises Gascon) nodejs#50622 * add macOS notarization stapler (Ulises Gascón) nodejs#50625 * improve macOS notarization process output readability (Ulises Gascón) nodejs#50389 * remove unused `version` function (Ulises Gascón) nodejs#50390 win,tools: * upgrade Windows signing to smctl (Stefan Stojanovic) nodejs#50956 zlib: * pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/542 PR-URL: https://github.com/nodejs-private/node-private/pull/545
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: nodejs/node#50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
This is a security release. Notable changes: crypto: * update root certificates to NSS 3.95 (Node.js GitHub Bot) nodejs/node#50805 * disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525 deps: * upgrade npm to 10.2.4 (npm team) nodejs/node#50751 * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) nodejs/node#51614 * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com/nodejs/node/pull/51614 * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) nodejs/node#51614 http: * add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/520 lib: * update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/536 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505 test: * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) nodejs/node#49621 tools: * add macOS notarization verification step (Ulises Gascón) nodejs/node#50833 * use macOS keychain to notarize the releases (Ulises Gascón) nodejs/node#50715 * remove unused file (Ulises Gascon) nodejs/node#50622 * add macOS notarization stapler (Ulises Gascón) nodejs/node#50625 * improve macOS notarization process output readability (Ulises Gascón) nodejs/node#50389 * remove unused `version` function (Ulises Gascón) nodejs/node#50390 win,tools: * upgrade Windows signing to smctl (Stefan Stojanovic) nodejs/node#50956 zlib: * pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/542 PR-URL: https://github.com/nodejs-private/node-private/pull/545
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: nodejs/node#50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
This is a security release. Notable changes: crypto: * update root certificates to NSS 3.95 (Node.js GitHub Bot) nodejs/node#50805 * disable PKCS#1 padding for privateDecrypt (Michael Dawson) https://github.com/nodejs-private/node-private/pull/525 deps: * upgrade npm to 10.2.4 (npm team) nodejs/node#50751 * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) nodejs/node#51614 * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com/nodejs/node/pull/51614 * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) nodejs/node#51614 http: * add maximum chunk extension size (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/520 lib: * update undici to v5.28.3 (Matteo Collina) https://github.com/nodejs-private/node-private/pull/536 src: * fix HasOnly(capability) in node::credentials (Tobias Nießen) https://github.com/nodejs-private/node-private/pull/505 test: * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) nodejs/node#49621 tools: * add macOS notarization verification step (Ulises Gascón) nodejs/node#50833 * use macOS keychain to notarize the releases (Ulises Gascón) nodejs/node#50715 * remove unused file (Ulises Gascon) nodejs/node#50622 * add macOS notarization stapler (Ulises Gascón) nodejs/node#50625 * improve macOS notarization process output readability (Ulises Gascón) nodejs/node#50389 * remove unused `version` function (Ulises Gascón) nodejs/node#50390 win,tools: * upgrade Windows signing to smctl (Stefan Stojanovic) nodejs/node#50956 zlib: * pause stream if outgoing buffer is full (Matteo Collina) https://github.com/nodejs-private/node-private/pull/542 PR-URL: https://github.com/nodejs-private/node-private/pull/545
As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker. PR-URL: nodejs/node#50956 Fixes: nodejs/build#3491 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com>
This PR introduces a new signing process on Windows based on new requirements for it to be valid. It relies on DigiCert's cloud HSM service called KeyLocker and the new certificate stored there.
The signing tool is changed (in a way) from
signtool
tosmctl
. That is a DigiCert client-side tool for various operations, one of which is signing files. Under the hood,smctl
callssigntool
with the key from KeyLocker, so in its essence, the signing tool is still the same. The decision to usesmctl
instead ofsigntool
directly came down to it being part of the mandatory DigiCert client-side tools and needing less configuring and simpler command to run.There is a release CI job testing these changes and all 6 Windows release machines are prepared for signing with the new certificate. These changes should also be landed on all LTS versions (v18 and v20) for future releases. I will also update the docs, and write new ones where needed to describe the entire process after the process is over.
cc @nodejs/build @nodejs/platform-windows @nodejs/releasers
Fixes: nodejs/build#3491