Merge pull request #500 from DuendeSoftware/joe/code-signing-edits
Update code signing discussion
leastprivilege authored Jul 19, 2024
2 parents 12cbd65 + fbc447f commit 844035f
Showing 3 changed files with 22 additions and 8 deletions.
Expand Up @@ -137,4 +137,4 @@ At this point, you should be able to query your migrated database and see your d
## Step 4: Move onto the upgrade guide for Duende IdentityServer v6

Once your project has been updated to IdentityServer4 v4, then you can work through the guide to update from IdentityServer4 v4 to Duende IdentityServer v6 (which should be far easier).
Here is the [link to the next upgrade guide]({{< ref "/is4_v4_to_dis_v6" >}}).
Here is the [link to the next upgrade guide]({{< ref "is4_v4_to_dis_v6" >}}).
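Review bot: the commit message ("Update code signing discussion") does not cover this change, which drops the leading slash from `{{< ref "/is4_v4_to_dis_v6" >}}` so that Hugo resolves the ref relative to the current page rather than the content root; since the same one-line edit appears in a second file in this commit, a sentence in the message saying why the root-relative ref had to become page-relative would help anyone bisecting a broken link later.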
26 changes: 20 additions & 6 deletions IdentityServer/v7/docs/content/overview/security.md
Expand Up @@ -69,19 +69,20 @@ Duende IdentityServer is a [certified](https://openid.net/certification/) implem
NuGet packages published by Duende are cryptographically signed to ensure their
authenticity and integrity. Our certificate is signed by Sectigo, which is a widely
trusted certificate authority and installed by default in most environments. This means
that in many circumstances, the nuget tools can validate our packages' signatures
that in many circumstances, the NuGet tools can validate our packages' signatures
automatically.

However, some environments (notably the dotnet sdk docker image which is sometimes used in
However, some environments (notably the dotnet sdk docker image which is
sometimes used in
build pipelines) do not trust the Sectigo certificate. Typically this isn't a problem,
because NuGet packages distributed by nuget.org are signed by nuget.org as the repository
in addition to Duende's signature as the publisher. nuget.org's certificate is signed by a
different authority that most build pipelines do trust. The nuget tools will validate
different authority that most build pipelines do trust. The NuGet tools will validate
packages if they trust either the publisher or the repository.

In the rare circumstance that we distribute a NuGet package not through nuget.org (and
therefore without a nuget.org repository signature), it might be necessary to add the
Sectigo root certificate to nuget's code signing certificate bundle. Sectigo's root
Sectigo root certificate to NuGet's code signing certificate bundle. Sectigo's root
certificate is available from Sectigo
[here](https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c).
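Review bot: the rewrap at "However, some environments (notably the dotnet sdk docker image which is" / "sometimes used in" leaves a two-word orphan line in front of the unchanged "build pipelines) do not trust the Sectigo certificate." line, so this paragraph no longer wraps at the column the rest of the file uses; rewrap the whole paragraph rather than just the first line. While touching it, "dotnet sdk docker image" could be capitalized consistently with the NuGet fix made in the same hunk (".NET SDK Docker image"), and the sentence "The NuGet tools will validate packages if they trust either the publisher or the repository." would be clearer if it said that this is why packages from nuget.org verify even where the Sectigo root is missing, which is the point the next paragraph relies on.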

Expand All @@ -92,15 +93,28 @@ trust Sectigo by default.

First, get the Sectigo certificate and convert it to PEM format:
```sh
wget https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
wget http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c

openssl pkcs7 -inform DER -outform PEM -in SectigoPublicCodeSigningRootR46.p7c -print_certs -out sectigo.pem
```

Next, you should validate that the thumprint of the certificate is correct.
Bootstrapping trust in a certificate chain can be challenging. Fortunately, most
desktop environments already trust this certificate, so you can compare the
downloaded certificate's thumprint to the thumbprint of the certificate on a
machine that already trusts it. You should verify this independently, but for
your convenience, the thumprint is
CC:BB:F9:E1:48:5A:F6:3C:E4:7A:BF:8E:9E:64:8C:25:04:FC:31:9D. You can check the
thumbprint of the downloaded certificate with openssl:
```sh
openssl x509 -in sectigo.pem -fingerprint -sha1 -noout
```

Then append that PEM to the certificate bundle at */usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem*:
```sh
cat sectigo.pem >> /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem
```
After that, nuget packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org:
After that, NuGet packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org:
```sh
dotnet nuget verify Duende.IdentityServer.7.0.x.nupkg
```
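Review bot: the download command is changed from `wget https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c` to `wget http://crt.sectigo.com/...`, so the root certificate the reader is about to append to the SDK's trusted code-signing bundle is now fetched over plaintext and could be altered in transit; the thumbprint comparison added in this hunk is what makes that tolerable, but the link in the previous hunk still uses https for the same file, so either keep https here as well or state in the text why http is required in the environments being described. Also in the new text: "thumprint" is misspelled three times ("Next, you should validate that the thumprint", "downloaded certificate's thumprint", "your convenience, the thumprint is"); the fingerprint given is SHA-1 only, and printing the SHA-256 fingerprint too (`openssl x509 -in sectigo.pem -fingerprint -sha256 -noout`) would let readers compare a collision-resistant hash; and the bundle path `/usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem` is pinned to one SDK patch version, so a note that the `8.0.303` segment must match the installed SDK would save readers a failed `cat >>`.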
Expand Up @@ -137,4 +137,4 @@ At this point, you should be able to query your migrated database and see your d
## Step 4: Move onto the upgrade guide for Duende IdentityServer v6

Once your project has been updated to IdentityServer4 v4, then you can work through the guide to update from IdentityServer4 v4 to Duende IdentityServer v6 (which should be far easier).
Here is the [link to the next upgrade guide]({{< ref "/is4_v4_to_dis_v6" >}}).
Here is the [link to the next upgrade guide]({{< ref "is4_v4_to_dis_v6" >}}).
