Replace scons app signing from signtool to signpath

[gerald-hartig]

Link to issue number:

n/a

Summary of the issue:

https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/
New requirements for Authenticode signing certificates which require a hardware token

Description of user facing changes

• None - only developers (see below)

Description of development approach

• SCons build pipeline modified to use SignPath's code signing pipeline

Testing strategy:

Build locally
Build on AppVeyor - in try branch: master...try-signpath-code-signing

Known issues with pull request:

• Need to check only the correct files are being signed. There's a lot more being signed (DLLs mostly) than originally planned for (just the PE/.exe files).
• Error in pipeline after signing the completed nvda_snapshot.exe: MakeAppx : error: Error info: error C00CE169: App manifest validation error: The app manifest must be valid as per schema: Line 11, Column 3, Reason: 'NV Access' violates pattern constraint of ...

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• API is compatible with existing add-ons.
• Security precautions taken.

Summary by CodeRabbit

• Chores

  • Updated .gitignore to include appveyor-tools/.
  • Modified appveyor.yml to update secure keys and introduce a new authentication token.
  • Revised decryptFilesForSigning.ps1 to focus on decrypting an SSH private key.
  • Improved setSconsArgs.ps1 for enhanced security by using apiSigningToken.
  • Updated sign.ps1 script for file signing with an API token.
  • Modified various build scripts to utilize apiSigningToken for improved security.

• Documentation

  • Added TODO comment to update documentation for apiSigningToken in buildingNVDA.md.
  • Updated environment variables in buildingNVDAOnAppVeyor.md to ensure correct configurations.

[AppVeyorBot]

• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/i7i035y66ysxi68j/artifacts/output/
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 1.1,
  INSTALL_END 0.9,
  BUILD_START 0.0,
  FINISH_END 1.6

See test results for failed build of commit d3246af734

[AppVeyorBot]

• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/q4jvninhaa1qxi6d/artifacts/output/
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 1.2,
  INSTALL_END 0.9,
  BUILD_START 0.0,
  FINISH_END 1.4

See test results for failed build of commit c50fe0ece3

[coderabbitai]

Walkthrough

This update introduces a significant shift in handling build and signing processes in the project. Key changes include migrating from certificate-based signing to an API token-based system, enhancing security by replacing sensitive information with secure tokens, and configuring features through a unified configured setting approach. The .gitignore and documentation files have been updated accordingly.

Changes

Files (Grouped)	Change Summary
.gitignore	Added appveyor-tools/ directory to ignore list.
appveyor.yml	Updated secure keys, added apiSigningToken, modified feature settings, and added module installation step.
appveyor/scripts/decryptFilesForSigning.ps1	Removed authenticode certificate decryption and focused on SSH private key decryption with validation.
appveyor/scripts/setSconsArgs.ps1	Replaced certFile and certTimestampServer with apiSigningToken.
appveyor/scripts/sign.ps1	Added support for signing files using an API token.
appx/sconscript, nvdaHelper/.../sconscript	Updated signExec assignment logic to check for either certFile or apiSigningToken.
projectDocs/dev/...	Updated documentation to include apiSigningToken and reflect changes in feature configuration.
sconstruct	Introduced apiSigningToken variable, updated signing logic, and added distinct signing functions for API and cert.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 8

Outside diff range and nitpick comments (1)

sconstruct (1)

98-98: Ensure that the description for apiSigningToken is clear and comprehensive.

Consider enhancing the description for apiSigningToken to provide more context on how and where this token is used, especially since it's a security-sensitive item.

[seanbudd]

@dpy013 - can you please avoid triggering AI reviews of clear drafts/WIP, particularly if they are not your own. the comments here are not helpful and add noise. The AI tool only reviews diffs from each review, so now the "first" AI review will ignore the initial code, and the initial comments aren't helpful as this is a clear draft.

[gerald-hartig]

@coderabbitai full review

[coderabbitai]

Actionable comments posted: 5

Outside diff range and nitpick comments (2)

appveyor/scripts/decryptFilesForSigning.ps1 (1)

Line range hint 3-6: Ensure robust error handling for SSH key decryption failures.

Consider adding a more detailed error message or logging mechanism to help diagnose decryption failures more effectively.

sconstruct (1)

Line range hint 393-411: Ensure consistent post-action signing across different build artifacts.

The post-action signing steps for different artifacts like the uninstaller and launcher should be consistent and correctly configured to use the new apiSigningToken if available. This ensures that all parts of the application are securely signed.

- if certFile or apiSigningToken:
-     env.AddPostAction(uninstaller, [env['signExec']])
- if certFile or apiSigningToken:
-     env.AddPostAction(launcher, [env['signExec']])
+ if apiSigningToken:
+     env.AddPostAction(uninstaller, [env['signExecApi']])
+     env.AddPostAction(launcher, [env['signExecApi']])
+ elif certFile:
+     env.AddPostAction(uninstaller, [env['signExecCert']])
+     env.AddPostAction(launcher, [env['signExecCert']])

[AppVeyorBot]

• PASS: Translation comments check.
• PASS: Unit tests.
• PASS: Lint check.
• FAIL: System tests (tags: installer NVDA). See test results for more information.
• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/quo1vripmhhf41p3/artifacts/output/nvda_snapshot_pr16673-32408,e5cd6de1.exe
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 1.1,
  INSTALL_END 1.0,
  BUILD_START 0.0,
  BUILD_END 11.6,
  TESTSETUP_START 0.0,
  TESTSETUP_END 0.3,
  TEST_START 0.0,
  TEST_END 16.9,
  FINISH_END 0.2

See test results for failed build of commit e5cd6de11d

[XLTechie]

Should the organizationId be passable instead of hardcoded? Then it could be drawn from a variable like scons_publisher is, as @seanbudd pointed out.

[gerald-hartig]

It could certainly be passable, that isn't too much of an issue. At the moment it's hard coded because I haven't been able to come up with any circumstances under which it would be changed. It would require someone to have an account with SignPath, have their EV/OV hosted by them, and want to sign with their organisation/account. It makes more sense to me that the developer would simply have a locally signed authenticode certificate that they would use.

[seanbudd]

Perhaps it would need to be changed by the NVDA-jp fork? I'm curious as to how they plan to handle the changes to software signing

[gerald-hartig]

I've reached out to NVDA-jp and they're now aware of this PR. Discussions are happening via email.

If we're concerned about hard-coded values here we'd also need to look at -ProjectSlug "NVDA" and -SigningPolicySlug "release_signing_policy". Both of those are defined inside the SignPath web interface and would be set to different values for different forks / projects.

My current opinion is that org ID, project, and signing policy are all fine to be hard coded since they're specific to NV Access and won't change. A variable is better for the API key, since it is likely to be rotated and in any case needs to be passed securely. If another fork wants to sign their code using SignPath, they will put their own org/project/policy information in there. But I'm happy for arguments against this approach too.

[seanbudd]

@coderabbitai full review

[coderabbitai]

Actionable comments posted: 3

Outside diff range and nitpick comments (3)

appveyor/scripts/decryptFilesForSigning.ps1 (2)

Line range hint 1-10: Ensure the SSH key decryption process is necessary and secure given the new signing method.

The decryption of SSH keys in this script is potentially redundant with the introduction of apiSigningToken. Verify if this step is still required, and if not, consider removing it to simplify the process and reduce the attack surface.

---

Line range hint 3-6: Review error handling for SSH key decryption failures.

The script should handle errors more robustly. Currently, it only logs a message but does not stop execution or clean up potentially sensitive files. Consider adding more comprehensive error handling, such as deleting the decrypted key if it's not needed anymore or ensuring the script exits immediately upon failure.

projectDocs/dev/buildingNVDAOnAppVeyor.md (1)

Line range hint 316-316: This word is normally spelled as one: "troubleshooting".

- ### Trouble shooting
+ ### Troubleshooting

Tools

LanguageTool

[typographical] ~284-~284: Conjunctions like ‘but’ should not follow semicolons. Consider using a comma, or removing the conjunction. (CONJUNCTION_AFTER_SEMICOLON)
Context: ...icant modifications to the build scripts; but that is beyond the scope of this how-to. The...

---

[grammar] ~287-~287: Using ‘couple’ without ‘of’ is considered to be informal. (PLENTY_OF_NOUNS)
Context: ...l. In the environment section, after a couple lines of comment about what these variables d...

---

[style] ~287-~287: Try using a synonym here to strengthen your wording. (COMMENT_REMARK)
Context: ...onment section, after a couple lines of comment about what these variables do, you will...

Markdownlint

289-289: null (MD032, blanks-around-lists)
Lists should be surrounded by blank lines

[seanbudd]

very approved - thanks github!