Code-signing certificate expired #1523

Closed
davemfish opened this issue Feb 12, 2024 · 6 comments

@davemfish
Contributor

Our certificate expired on Jan 24th. Here's a failed workflow: https://github.com/natcap/invest/actions/runs/7849423200/job/21422745396

@davemfish davemfish added the critical for issues likely to obstruct the whole dev team (e.g. broken builds) label Feb 12, 2024
@phargogh phargogh self-assigned this Mar 25, 2024
@phargogh phargogh added the in progress This issue is actively being worked on label Mar 25, 2024
@phargogh
Member

I have the certificates in hand and am working through the steps to update the certificate in our automation.

@phargogh
Member

Notes:

  • I was able to import the "Certificate with issuer after, PEM encoded" version from Sectigo into my yubikey's slot 9c (for digital signatures) using the default management key.
  • I have not yet been able to create a .p12 key because the creation of a .p12 key requires both the .p7b certificate and the private key ... but the private key is stored on the yubikey. Therefore we will either need to extract the private key from this yubikey to create the .p12, or we will each need to create a code-signing certificate and use it to sign binaries. I have asked our contact at UIT about recommended next steps and am waiting to hear back.

phargogh added a commit to phargogh/invest that referenced this issue Apr 9, 2024
@phargogh
Member

phargogh commented Apr 9, 2024

Until we can resolve this issue with UIT in a more centralized way (which I'm working on), ab794a2 comments out the Windows-specific code-signing stuff since our mac certificates are still valid for another year.

@phargogh
Member

phargogh commented Apr 17, 2024

OK, it turns out that Stanford doesn't offer GCP KMS, so unless they happen to provide some other alternative cloud-based HSM that doesn't cost an arm and a leg, I think the yubikeys may be our best approach. AWS does provide an HSM, but it's at a cost of over $1000/month (about $1.50 per minute), which is nuts in my opinion.

So, the first step here will be to work out how to sign our Windows binaries using the yubikey. Then, after that, it'd be neat to try out using a GitHub Actions self-hosted runner, especially w/r/t how to restrict access so that only approved code can run on the self-hosted runner.

@phargogh phargogh added this to the 3.14.2 milestone May 7, 2024
@phargogh
Member

It turns out that there must be some kind of issue with my desktop computer (maybe just the age of hardware? Maybe the USBA-to-USBC adapter I'm using?) that is preventing Windows from being able to detect the installed key. I'm not sure what's up.

When I run the same commands on my personal Windows laptop, it works great following the docs at https://support.yubico.com/hc/en-us/articles/360016614840-Code-Signing-with-the-YubiKey-on-Windows

NOTE: I did need to make sure that I set a different PUK on the key ... the default apparently will cause the key to be rejected by the smart card driver.

@phargogh
Member

We now are able to sign our binaries using a yubikey on our local computers, so this issue is effectively complete.

To sign on Windows, I needed to:

  • Install the Windows SDK (in order to get the signcode application)
  • CD to where signcode is located
  • Invoke signcode using the fingerprint of the key (which is viewable from the Windows certmgr.msc)

The steps are described in the Yubico support docs here: https://support.yubico.com/hc/en-us/articles/360016614840-Code-Signing-with-the-YubiKey-on-Windows

This key was the one used to generate the attestation, so I'm curious if we can copy the same certificate over to other yubikeys and then use them to sign the binaries. The signature would of course be different because each yubikey would have its own private key that we can't access, but that's fine ... we just want to be able to sign the binaries from multiple yubikeys.

Future work: #1580
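
The local signing flow described in this thread, with an expiry check in front of it, as an added example that is not the project's own script. It uses PowerShell's built-in Authenticode cmdlets rather than the SDK tool named in the comment, and assumes the YubiKey's certificate is visible in the current user's Personal store; the thumbprint, file path and timestamp URL are placeholders supplied by the caller.

```powershell
# Added example (not the project's script). Thumbprint, file path and
# timestamp URL are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,      # from certmgr.msc
    [Parameter(Mandatory)] [string] $FilePath,        # binary to sign
    [Parameter(Mandatory)] [string] $TimestampServer, # your CA's RFC 3161 timestamp URL
    [int] $WarnDays = 30                              # renewal warning window
)

$ErrorActionPreference = 'Stop'

# Normalise a thumbprint pasted from the certificate dialog (spaces, hidden chars).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Assumption: with the key inserted, its certificate is in the Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No code-signing certificate $Thumbprint in Cert:\CurrentUser\My (is the key inserted?)"
}

# Fail early on the condition that broke the build in this issue.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -le $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter)); start renewal now."
}

# The private key stays on the token, so expect a PIN prompt at this step.
$result = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) $($result.StatusMessage)"
}

# Re-read the file and confirm the signature is valid and timestamped, so it
# stays verifiable after the signing certificate itself expires.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
    throw "Verification failed: status=$($sig.Status), timestamped=$([bool]$sig.TimeStamperCertificate)"
}
"Signed {0} with {1}, valid until {2:u}" -f $FilePath, $cert.Subject, $cert.NotAfter
```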
