Update code signing discussion #500

Merged
merged 2 commits into from
Jul 19, 2024
Expand Up @@ -137,4 +137,4 @@ At this point, you should be able to query your migrated database and see your d
## Step 4: Move onto the upgrade guide for Duende IdentityServer v6

Once your project has been updated to IdentityServer4 v4, then you can work through the guide to update from IdentityServer4 v4 to Duende IdentityServer v6 (which should be far easier).
Here is the [link to the next upgrade guide]({{< ref "/is4_v4_to_dis_v6" >}}).
Here is the [link to the next upgrade guide]({{< ref "is4_v4_to_dis_v6" >}}).
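Review bot: The only change in this hunk is dropping the leading slash from the Hugo ref target (`{{< ref "/is4_v4_to_dis_v6" >}}` becomes `{{< ref "is4_v4_to_dis_v6" >}}`), which is unrelated to the code signing discussion named in the PR title and is not explained anywhere visible. A leading slash makes Hugo resolve the ref from the content root, while a bare name is looked up relative to the current page first; please confirm the link still resolves in the rendered site and mention the link fix in the PR description so it is not lost as a drive-by change.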
26 changes: 20 additions & 6 deletions IdentityServer/v7/docs/content/overview/security.md
Expand Up @@ -69,19 +69,20 @@ Duende IdentityServer is a [certified](https://openid.net/certification/) implem
NuGet packages published by Duende are cryptographically signed to ensure their
authenticity and integrity. Our certificate is signed by Sectigo, which is a widely
trusted certificate authority and installed by default in most environments. This means
that in many circumstances, the nuget tools can validate our packages' signatures
that in many circumstances, the NuGet tools can validate our packages' signatures
automatically.

However, some environments (notably the dotnet sdk docker image which is sometimes used in
However, some environments (notably the dotnet sdk docker image which is
sometimes used in
build pipelines) do not trust the Sectigo certificate. Typically this isn't a problem,
because NuGet packages distributed by nuget.org are signed by nuget.org as the repository
in addition to Duende's signature as the publisher. nuget.org's certificate is signed by a
different authority that most build pipelines do trust. The nuget tools will validate
different authority that most build pipelines do trust. The NuGet tools will validate
packages if they trust either the publisher or the repository.

In the rare circumstance that we distribute a NuGet package not through nuget.org (and
therefore without a nuget.org repository signature), it might be necessary to add the
Sectigo root certificate to nuget's code signing certificate bundle. Sectigo's root
Sectigo root certificate to NuGet's code signing certificate bundle. Sectigo's root
certificate is available from Sectigo
[here](https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c).

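Review bot: The rewrap at "However, some environments (notably the dotnet sdk docker image which is" followed by "sometimes used in" leaves a three-word line in the middle of the paragraph; rewrap the whole paragraph at the width the rest of the file uses rather than splitting one line. The nuget to NuGet capitalisation is applied consistently in this hunk, and leaving nuget.org lowercase is correct since it is a hostname.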
Expand All @@ -92,15 +93,28 @@ trust Sectigo by default.

First, get the Sectigo certificate and convert it to PEM format:
```sh
wget https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
wget http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c

openssl pkcs7 -inform DER -outform PEM -in SectigoPublicCodeSigningRootR46.p7c -print_certs -out sectigo.pem
```

Next, you should validate that the thumprint of the certificate is correct.
Bootstrapping trust in a certificate chain can be challenging. Fortunately, most
desktop environments already trust this certificate, so you can compare the
downloaded certificate's thumprint to the thumbprint of the certificate on a
machine that already trusts it. You should verify this independently, but for
your convenience, the thumprint is
CC:BB:F9:E1:48:5A:F6:3C:E4:7A:BF:8E:9E:64:8C:25:04:FC:31:9D. You can check the
thumbprint of the downloaded certificate with openssl:
```sh
openssl x509 -in sectigo.pem -fingerprint -sha1 -noout
```

Then append that PEM to the certificate bundle at */usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem*:
```sh
cat sectigo.pem >> /usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem
```
After that, nuget packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org:
After that, NuGet packages signed by Duende can be successfully verified, even if they are not distributed by nuget.org:
```sh
dotnet nuget verify Duende.IdentityServer.7.0.x.nupkg
```
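Review bot: The wget line changes from `https://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c` to `http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c` while the link in the preceding paragraph still points at https; either keep https or state why the plain-HTTP fetch is needed, because after this change the new thumbprint comparison is the only integrity check on a trust anchor that is then appended to codesignctl.pem. In the added paragraph "thumprint" is misspelled three times ("the thumprint of the certificate", "downloaded certificate's thumprint", "the thumprint is"). Since the comparison value is SHA-1, consider also giving the SHA-256 fingerprint (`openssl x509 -in sectigo.pem -fingerprint -sha256 -noout`) so readers whose platform store displays SHA-256 can match it directly. The unchanged context lines hardcode `/usr/share/dotnet/sdk/8.0.303/trustedroots/codesignctl.pem`; a note that the version segment changes with each SDK release would keep the instructions from going stale.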