Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Venafi CodeSign Protect #286

Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Add support for Venafi CodeSign Protect #286

wants to merge 12 commits into from

Conversation

zosocanuck
Copy link

This PR adds support for Venafi CodeSign Protect.

@ebourg
Copy link
Owner

ebourg commented Feb 15, 2025

Thank you very much for the PR, I'll review it

@zosocanuck zosocanuck requested a review from ebourg February 18, 2025 04:34
@zosocanuck zosocanuck requested a review from ebourg February 18, 2025 15:17
@ebourg
Copy link
Owner

ebourg commented Feb 18, 2025

Thank you for the quick fixes, but I'm a bit concerned that it doesn't compile. Did you really test it against a real instance of Venafi CodeSign Protect?

@zosocanuck
Copy link
Author

I just compiled and packaged and didn't run into any issues, and yes I'm testing in a local development environment against a test instance of Venafi.

@zosocanuck zosocanuck requested a review from ebourg February 18, 2025 18:02
@zosocanuck zosocanuck requested a review from ebourg February 18, 2025 20:34
@zosocanuck zosocanuck requested a review from ebourg February 19, 2025 14:38
@ebourg
Copy link
Owner

ebourg commented Feb 19, 2025

Thank you, there are still some changes necessary but I'll take care of them.

Could you please provide the JSON response to the /vedhsm/api/getobjects request for your RSA test key?

Ideally, if you could import the Jsign test keys and certificates in Venafi and use them to capture the API responses that would be awesome. The keys are in the test resources directory:

RSA: https://github.com/ebourg/jsign/blob/master/jsign-core/src/test/resources/keystores/keystore.p12
EC: https://github.com/ebourg/jsign/blob/master/jsign-core/src/test/resources/keystores/keystore-ec.p12

The password is "password".

@ebourg
Copy link
Owner

ebourg commented Feb 19, 2025

Alternatively, do you think I could access a Venafi test environment?

@zosocanuck
Copy link
Author

Here is the vedhsm/api/getobjects response for the test RSA key.
venafi-rsa-getobjects.json

@zosocanuck
Copy link
Author

Let me know what else is missing or any other tests that need to be added and I'll get it done 😃

@zosocanuck
Copy link
Author

@ebourg just curious if there was anything missing or requires an update.

@ebourg
Copy link
Owner

ebourg commented Mar 5, 2025

@zosocanuck The application id "VenafiCodeSignClient" is hardcoded in the VenafiCredentials class. Shouldn't this be user configurable? For example with an extra parameter to the storepass parameter, something like this:

 jsign --storetype VENAFI \
       --keystore https://example.tpp.local \
       --storepass "<application>|<username>|<password>" \
       --alias my-certificate-label \
       application.exe

@zosocanuck
Copy link
Author

@ebourg I was trying to balance the amount of configuration with out-of-the-box defaults in the Venafi platform so that is why this is hardcoded. This is a standard client ID that ships with the product and there is a preference to avoid the customization of API integration client IDs for code signing. My preference is to keep as is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ebourg ebourg Awaiting requested review from ebourg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zosocanuck @ebourg