I wanted to post this discussion I have been having with one of the product specialists regarding secure keys. I know there must be other teams performing this task and am curious to see what has worked best.
I have a question regarding signing builds using signtool. We have to certificates, one for development only builds and a production one for those we actually wish to sign and cross sign for distribution. I presume the certificates would live on the remote build agent. Our signed builds are currently executing by limiting access to the password, and only certain users can create a valid certificate. If the person kicking the build off is authorized, the submitter would only then input the certificate password. We then create a scheduled task in that users name to execute the build with the signed certificate they have previously installed on the build machine. Obviously I am looking to streamline this approach.
I believe I could have the user enter the password as an environment variable, although this is problematic as it is clear text in the log. Also, I believe the builds are executing as the service account user, which would cause the cert signing to fail since the certificates are user specific.
The response I received appears to be a workable solution, and I had considered it prior to posing my question. However, I think the password would still be visible in the logs. If there were a way to mark certain variables as “private” or “do not display” or “mask”, the approach would work.
I think the following would be both SOX and PCI compliant.
1.Define a Release Engineer role as the custodian of a build account. (Asserting the RE is trusted is fundamental to this plan.)
2.Keep the signing key in source control accessible by only the RE and the build account.
3.Run builds (via a Go Agent) on a machine only accessible by the RE.
4.Put the agent service process under the build account.
5.Configure pipelines to get source material using the build account (not some personal account).
6.Consider making the signing step a manual stage in the pipeline that’s only used by the RE (who is the custodian of the signing password). Requiring a password assures that if someone were to get access to the cert/key pair they would not be able to compromise the system.
Only the build account and RE can sign assemblies using this scheme. Not sure how to make it any tighter.
I actually want to take a slightly different approach, and that is to read the password from a file which is pulled from a secure location. I just have to make certain the text read is never displayed to the console.
- Define custodial account for GO Service and GO Agents to use for running services
- Keep the signing key in a secure location, accessible only by custodial account
- Keep password file in a secure location, not with signing key, accessible only by custodial account
- Configure pipelines to get source files as custodial account and execute builds
- Configure pipeline security to ensure only authorized users can execute builds
So how are others handling this?