build(manager/electron): 👷 add option to use GCP KMS for signing (Jig…

…saw-Code#1168)

In this changeset:

- upgraded `jsign.jar` to version `4.2`
- add an option to leverage `gcp-hsm` certificate to sign Windows executables
- please note that [GCP does not support SHA-1](https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms), and here are the consequences of not adding SHA-1 to the binary signatures:
   1. [SHA-1 is deprecated by Microsoft](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373)
   2. The only affected OSes are Windows 7 and below ([support ended already](https://www.microsoft.com/en-us/windows/end-of-support)). Windows 7 (6.1.7600) users can still upgrade to Windows 7 SP1 (6.1.7601) which supports SHA-2.
   3. Users can still run our app on old Windows systems (Windows 7), despite that the following warning dialog might show up:
![image](https://user-images.githubusercontent.com/93548144/193613642-bf153ea1-d05e-47a2-91b6-73ac2d28ad15.png)

src/server_manager/electron_app/windows/sign_windows_executable.mjs

@@ -98,6 +98,20 @@ function appendDigicertUsbJsignArgs(args, options) {
   args.push('--keystore', eTokenCfg);
 }
 
+function appendGcpHsmJsignArgs(args, options) {
+  // Google Cloud Key Management HSM based certificate
+  args.push('--storetype', 'GOOGLECLOUD');
+
+  const keyRing = getOptionValue(options, 'gcp-keyring', 'WINDOWS_SIGNING_GCP_KEYRING', true);
+  args.push('--keystore', keyRing);
+
+  const keyName = getOptionValue(options, 'gcp-private-key', 'WINDOWS_SIGNING_GCP_PRIVATE_KEY', true);
+  args.push('--alias', keyName);
+
+  const certFile = getOptionValue(options, 'gcp-public-cert', 'WINDOWS_SIGNING_GCP_PUBLIC_CERT', true);
+  args.push('--certfile', certFile);
+}
+
 /**
  * Run jsign.jar according to the corresponding options targeting fileToSign.
  * @param {string} fileToSign The path string of a file to be signed.
@@ -112,7 +126,7 @@ function jsign(fileToSign, options) {
     throw new Error('fileToSign is required by jsign');
   }
 
-  const jSignJarPath = resolve(outlineDirname(), 'third_party', 'jsign', 'jsign-4.0.jar');
+  const jSignJarPath = resolve(outlineDirname(), 'third_party', 'jsign', 'jsign-4.2.jar');
   const jsignProc = spawn('java', ['-jar', jSignJarPath, ...options, fileToSign], {
     stdio: 'inherit',
   });
@@ -161,6 +175,9 @@ export async function signWindowsExecutable(exeFile, algorithm, options) {
     case 'digicert-usb':
       appendDigicertUsbJsignArgs(jsignArgs, options);
       break;
+    case 'gcp-hsm':
+      appendGcpHsmJsignArgs(jsignArgs, options);
+      break;
     default:
       throw new Error(`cert type ${type} is not supported`);
   }
@@ -190,18 +207,25 @@ async function main() {
 //   node sign_windows_executable.mjs
 //     --target <exe-path-to-sign>
 //     --algorithm <sha1|sha256>
-//     --certtype <none|pfx|digicert-usb>
-//     --password <cert-store-password>
+//     --certtype <none|pfx|digicert-usb|gcp-hsm>
+//     --password <cert-store-password|gcp-access-token>
 // The following options are for --certtype == pfx
 //     --pfx <pfx-cert-path>
 // The following options are for --certtype == digicert-usb
 //     [--subject <cert-subject-name>]
+// The following options are for --certtype == gcp-hsm
+//     --gcp-keyring <full-id: https://cloud.google.com/kms/docs/resource-hierarchy#retrieve_resource_id>
+//     --gcp-private-key <name-of-the-key-in-key-ring>
+//     --gcp-public-cert <full-path-of-the-public-certificate-file>
 //
 // You can also use environment variables to specify some arguments:
 //   WINDOWS_SIGNING_CERT_TYPE       <=> --certtype
 //   WINDOWS_SIGNING_CERT_PASSWORD   <=> --password
 //   WINDOWS_SIGNING_PFX_CERT        <=> --pfx
 //   WINDOWS_SIGNING_EV_CERT_SUBJECT <=> --subject
+//   WINDOWS_SIGNING_GCP_KEYRING     <=> --gcp-keyring
+//   WINDOWS_SIGNING_GCP_PRIVATE_KEY <=> --gcp-private-key
+//   WINDOWS_SIGNING_GCP_PUBLIC_CERT <=> --gcp-public-cert
 if (import.meta.url === pathToFileURL(process.argv[1]).href) {
   try {
     await main();

third_party/jsign/METADATA

@@ -12,6 +12,6 @@ third_party {
     type: GIT
     value: "https://github.com/ebourg/jsign"
   }
-  version: "4.0"
-  last_upgrade_date { year: 2022 month: 5 day: 27 }
+  version: "4.2"
+  last_upgrade_date { year: 2022 month: 9 day: 28 }
 }