Sign all Kiota .exe files #5650

Open
xantari opened this issue Oct 21, 2024 · 4 comments · May be fixed by #5730
Assignees
Labels
priority:p1 High priority/Major issue but not blocking or Big percentage of customers affected.Bug SLA <=7days type:bug A broken experience type:regression A bug from previous release WIP
Milestone

Comments

@xantari

xantari commented Oct 21, 2024

Is your feature request related to a problem? Please describe the problem.

We run in a high security environment. Only applications signed with a code signing certificate that are whitelisted (via Windows AppLocker) are allowed to run.

All Kiota .exe's however are unsigned, so there is no easy way to whitelist Kiota .exe files because each version change of Kiota changes the file hash.

Whitelisting by code signing certificate is the best way to whitelist in high security AppLocker environments.

Client library/SDK language

Csharp

Describe the solution you'd like

All kiota .exe files should be signed with the Microsoft code signing certificate. Right now the big one is kiota.exe.

Microsoft signs most .exe's, such as dotnet-ef.exe (for entity framework) found in C:\Users\profilename\.dotnet\tools when it is installed as a global .net core tool.

I am requesting you do the same for Kiota so that we can start to use this tool in our environment.

Additional context

No response
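The problem described above is that an AppLocker allow-list can only key on a file hash when the binary is unsigned, and that hash changes with every release. The following PowerShell is an added example, not code from the issue or from the Kiota project: it inventories the Authenticode state of every `.exe` in the dotnet global tools directory, flags the ones that could only be allowed by hash, and generates an AppLocker publisher rule for each signed one. The tools directory path is the default location the issue mentions; the output file names are assumptions, and the AppLocker cmdlets require Windows with the AppLocker module present.

```powershell
# Added example (not from the issue or the Kiota project).
# Requires Windows; Get-AppLockerFileInformation / New-AppLockerPolicy come
# from the built-in AppLocker module.

$toolsDir = Join-Path $HOME '.dotnet\tools'   # default global-tool location

function Get-DotnetToolSignatureReport {
    param([string]$Path = $toolsDir)

    Get-ChildItem -Path $Path -Filter '*.exe' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            # SignatureStatus: Valid, NotSigned, HashMismatch, NotTrusted, ...
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$report = Get-DotnetToolSignatureReport
$report | Format-Table -AutoSize

# Unsigned shims are the case the issue describes: the only possible AppLocker
# rule is a hash rule, which has to be re-issued for every new version.
$unsigned = $report | Where-Object Status -eq 'NotSigned'
if ($unsigned) {
    Write-Warning ('Unsigned tool executables (hash-only allow-listing): ' + ($unsigned.File -join ', '))
}

# For signed binaries, emit a publisher rule so future versions from the same
# publisher stay allowed without touching the policy on each release.
$signed = $report | Where-Object Status -eq 'Valid'
foreach ($entry in $signed) {
    $fullPath  = Join-Path $toolsDir $entry.File
    $fileInfo  = Get-AppLockerFileInformation -Path $fullPath
    $policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone -Xml
    $outFile   = "$($entry.File).publisher-rule.xml"   # assumed output name
    $policyXml | Set-Content -Path $outFile -Encoding UTF8
    Write-Host "Publisher rule for $($entry.File) ($($entry.Signer)) written to $outFile"
}
```

Review the `BinaryVersionRange` in each generated rule before merging it into policy; widening the upper bound to `*` is what lets the rule survive version bumps, which is exactly the property a hash rule lacks.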

@xantari xantari added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:feature New experience request labels Oct 21, 2024
@msgraph-bot msgraph-bot bot added the Csharp Pull requests that update .net code label Oct 21, 2024
@baywet baywet added this to the Kiota v1.21 milestone Oct 22, 2024
@baywet baywet added type:bug A broken experience type:regression A bug from previous release priority:p1 High priority/Major issue but not blocking or Big percentage of customers affected.Bug SLA <=7days and removed Csharp Pull requests that update .net code status:waiting-for-triage An issue that is yet to be reviewed or assigned type:feature New experience request labels Oct 22, 2024
@baywet
Member

baywet commented Oct 22, 2024

Hi @xantari
Thank you for using kiota and for reaching out.

This is unintended; in the meantime you can use the release distribution since it's properly signed.

For others picking this up, we need to:

  1. build the package first
  2. send the exe over to esrp release
  3. pack the tool (with --no-build switch)

Which is roughly what we're doing around here, but either the sign step does not drop the exe at the expected place pack is looking, or pack is triggering a new build somehow.

@andrueastman
Member

Just double checking here @baywet, @xantari

Are we saying the NuGet published packages are not signed while the GH ones are? From an initial look, it looks like the only thing we don't sign are the Linux artifacts. DLLs/exes look signed though.

@baywet
Member

baywet commented Oct 22, 2024

@andrueastman yes I checked the signature for the windows release (it's signed) but the tool once installed is not.

@andrueastman
Member

All the binaries are indeed signed. But according to https://github.com/dotnet/sdk/blob/main/documentation/general/signing-global-tool-packages.md, the unsigned binary is created in the local machine at the time of installing the dotnet tool.

Authored #5730 so that it is created beforehand and signed from our end...
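The thread converges on two points: the shim `.exe` is normally generated on the user's machine at `dotnet tool install` time (so it can never carry the publisher's signature), and the fix is the build / sign / `pack --no-build` order baywet lists, with the shim produced ahead of time so there is something to sign. The PowerShell below is an added example, not the Kiota project's pipeline or the contents of #5730. It assumes a placeholder project path, that the csproj sets `PackAsToolShimRuntimeIdentifiers` (the MSBuild property the linked dotnet/sdk document describes for pre-generating shims), and it uses `signtool.exe` with a placeholder timestamp URL as a stand-in for the ESRP release step. The last step is the check a practitioner wants here: it opens the produced `.nupkg` and confirms the shims inside it are signed, which is precisely the failure the maintainers suspect (a signed file not being the one pack picks up, or pack rebuilding an unsigned one).

```powershell
# Added example, not the project's own release script. Windows only.
$ErrorActionPreference = 'Stop'
$project = './src/kiota/kiota.csproj'   # placeholder path, not the real layout
$config  = 'Release'
$projDir = Split-Path -Parent $project
$outDir  = './artifacts'                # assumed output directory

# 1. Build once. With PackAsToolShimRuntimeIdentifiers set in the csproj, the
#    Windows shim exes are produced under obj/ in a 'shims/<rid>/' folder.
dotnet build $project -c $config

# 2. Find the pre-generated Windows shims and sign them in place.
$shims = Get-ChildItem -Path (Join-Path $projDir 'obj') -Recurse -Filter '*.exe' -File |
         Where-Object { $_.FullName -match '[\\/]shims[\\/]win-' }
if (-not $shims) {
    throw 'No shims found under obj/. Set <PackAsToolShimRuntimeIdentifiers>win-x64;win-x86</PackAsToolShimRuntimeIdentifiers> in the csproj so the shim exists at build time instead of being created on the user''s machine.'
}
foreach ($shim in $shims) {
    # ESRP stand-in: SHA-256 file digest, RFC 3161 timestamp, auto-selected certificate.
    & signtool.exe sign /fd SHA256 /tr 'http://timestamp.placeholder.invalid' /td SHA256 /a $shim.FullName
    if ($LASTEXITCODE -ne 0) { throw "signing failed for $($shim.FullName)" }
}

# 3. Pack WITHOUT rebuilding, so the signed shims are what goes into the package.
dotnet pack $project -c $config --no-build -o $outDir

# 4. Verify the packaged shims carry a valid signature (this is the regression
#    check: a rebuild during pack would replace them with unsigned copies).
function Test-PackagedShimsSigned {
    param([Parameter(Mandatory)][string]$Nupkg)

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
    [IO.Compression.ZipFile]::ExtractToDirectory($Nupkg, $tmp)   # a .nupkg is a zip
    try {
        $packed = Get-ChildItem -Path $tmp -Recurse -Filter '*.exe' -File |
                  Where-Object { $_.FullName -match '[\\/]shims[\\/]' }
        $bad = foreach ($exe in $packed) {
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($sig.Status -ne 'Valid') { "$($exe.Name): $($sig.Status)" }
        }
        if ($bad) { throw "unsigned or invalid shims in ${Nupkg}: $($bad -join '; ')" }
        if (-not $packed) { Write-Warning "no shims found inside $Nupkg; users will get a locally generated, unsigned shim" }
        else { Write-Host "all $(@($packed).Count) shim(s) in $Nupkg are signed" }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force
    }
}

Get-ChildItem -Path $outDir -Filter '*.nupkg' -File |
    ForEach-Object { Test-PackagedShimsSigned -Nupkg $_.FullName }
```

The `Write-Warning` branch covers the state the issue was opened in: a package with no shims at all is valid and installs fine, but the `.exe` the user ends up running is generated locally and therefore unsigned, so an AppLocker publisher rule can never match it.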

Projects
Status: In Review 💭
3 participants