From RFE template:
> 3. What is the nature and description of the request?
> Please digitally sign the oc binary with a Microsoft-recognised code signing certificate. Please provide a properly signed MSI to install the oc binary.
> 4. Why does the customer need this? (List the business requirements here)
> Corporate policy makes it extremely difficult to run unsigned / ad-hoc installed binaries on our corporate network.
> 5. How would the customer like to achieve this? (List the functional requirements here)
> Produce a signed MSI installer that installs a signed oc binary.
> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
> Click on the MSI, authorise the computer to install the application provided by "Redhat Software". Go to where the oc binary was installed, right-click and get the properties of the binary. Verify that this binary is signed by "Redhat Software".
> 10. List any affected packages or components.
> OpenShift client binary for Windows.
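The acceptance test in item 6 above, done from PowerShell instead of the file Properties dialog. This is an added example and is not code from the bug report, the customer, or the OpenShift project. It assumes PowerShell 5.1 or later, that oc.exe sits in the current directory, and that the expected signer string and SHA-256 are placeholders to be replaced with the values published for the release (the thread never states the exact certificate subject, only the customer's expectation of "Redhat Software"). It also reads the FileVersion/ProductVersion resource fields that QE later compares against sigcheck64.exe, and the file hash that the customer later posts.

```powershell
# Added example, not from the bug report: script the RFE's acceptance test for oc.exe.
# Assumptions: PowerShell 5.1+, oc.exe in the current directory, and placeholder
# values for the expected signer and hash that you replace with the published ones.
param(
    [string]$Path           = ".\oc.exe",
    [string]$ExpectedSigner = "Red Hat",   # assumption: substring of the signing cert's Subject
    [string]$ExpectedSha256 = ""           # optional: SHA-256 published with the release
)

$item = Get-Item -LiteralPath $Path

# 1. Authenticode check. 'Valid' means the chain builds to a trusted root and the
#    file is unchanged since signing. 'NotSigned' is what an unsigned build reports;
#    'HashMismatch' means the file was modified after signing.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $($item.Name): $($sig.Status) ($($sig.StatusMessage))"
}

# 2. Signer identity. A valid signature from an unexpected publisher is still a failure,
#    so match the leaf certificate's Subject rather than only checking that a signature exists.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSigner*") {
    throw "Unexpected signer: $subject"
}

# 3. VERSIONINFO resource. FileVersion/ProductVersion are the strings shown on the
#    Details tab (the "v3.6.153" vs "v3.6.153.0" pair discussed in this bug); the *Raw
#    properties are the numeric four-part fields that tools such as sigcheck report.
$vi = $item.VersionInfo

# 4. Content hash, for comparison with the hashes published for the release.
$sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch: got $sha256, expected $ExpectedSha256"
}

[pscustomobject]@{
    File              = $item.Name
    SignatureStatus   = $sig.Status
    Signer            = $subject
    Timestamped       = ($null -ne $sig.TimeStamperCertificate)  # countersignature keeps it valid after cert expiry
    FileVersion       = $vi.FileVersion
    ProductVersion    = $vi.ProductVersion
    FileVersionRaw    = $vi.FileVersionRaw
    ProductVersionRaw = $vi.ProductVersionRaw
    SHA256            = $sha256
}
```

Run it from the directory containing oc.exe or pass -Path. The script throws on the first failed check rather than printing a table, so it can be dropped into a corporate install pipeline as a gate; a Status of NotSigned on the mirror download alongside Valid on the portal download is exactly the discrepancy reported later in this thread.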
Additional info: Generally speaking, code signing guarantees the developer of the binary (preventing impersonation) and that there has been no change after the binary was signed. The requirement for code signing is to confirm the binary is coming from a known trusted source, and that it has not been modified since. Producing an MSI will allow us to pass it to our corporate support folk for installation on corporate machines without any hassle.
RFE, created a new backlog story to track this: https://trello.com/c/Cn8IaH8g/925-properly-sign-and-package-oc-binary-for-windows
I got this request from the customer again. They have to install the signed binary. I raised the severity of this ticket, since it is obviously reasonable that the customer asks the software vendor to release the signed binary.
Fabiano, it seems like we need to use a library such as https://github.com/josephspurrier/goversioninfo to set the needed windows versioninfo metadata.
WIP: https://github.com/openshift/origin/pull/14862
Created attachment 1300976 [details] Details From the QE side, QE has done a smoke test with oc.exe from comment 53 per the test cases in comment 23. Function works well. And now the program has more info in Details and Digital Signatures; see attachment.
Created attachment 1300979 [details] Digital Signatures
The bug could mostly be moved to VERIFIED. But before doing that, it is better to check minor issues:
3. In comment 23, I was concerned: "I guess it needs to wait for the MSI to be available to test this check" per comment 0. Brenton/Fabiano, could you please double-confirm whether the oc MSI is available currently?
4. In comment 61, it mentions product and file version. What's the difference? Per UX, displaying two "version"s is confusing. Besides, the "Details" screenshot in comment 54 shows Product version is v3.6.153 but the other is v3.6.153.0. However, the sigcheck64.exe output shows both as v3.6.153, with no ".0". Do you plan to fix this issue?
Ah, I thought Takayoshi's concern was about the output of `oc.exe version`, which includes "v". It seems to be about the "v" display after right-click. If so, it catches one thing I missed: between product and file version, besides the inconsistency in having ".0" or not, there's also an inconsistency in having "v" or not.
We definitely appreciate this attention to detail. :) I think we should clone this bug and handle the MSI installer separately. Perhaps we could use https://github.com/mh-cbon/go-msi. For now I think it's acceptable to have the file version and Product version be slightly different formats. I think a new bug could track this minor problem which could be fixed post GA. Honestly, I'd probably just mention it in the MSI installer bug so that it could be fixed at the same time.
Thanks! Opened bug 1477229 for it
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1716
Brenton, the errata was released today (10/Aug), but the latest binary was uploaded on Aug 3 at: https://mirror.openshift.com/pub/openshift-v3/clients/3.6.173.0.5/windows/ So, have you already been uploading the signed Windows binary since v3.6.153? Also, OpenShift Dedicated links to the binary download link which matches the version. For example, OSD v3.5.3.1 is linked to: https://mirror.openshift.com/pub/openshift-v3/clients/3.5.5.31/windows/oc.zip , which has not been signed yet. So, it is difficult for users to find the signed binary if you haven't uploaded the binary which matches the Dedicated cluster.
Also, the customer checked the binary provided via https://access.redhat.com/errata/RHEA-2017:1716 -
* atomic-openshift-clients-redistributable-3.6.173.0.5-1.git.0.f30b99e.el7.x86_64.rpm
File: oc.exe
Reported Version: "v3.6.173.0.5"
CRC-32: 9ba47e2d
SHA-1: bd80ed4f2a24a2a624f0e92dd18cfdfe78abe0bd
SHA-256: 033ad44c6315263b5209934444687e6090d37b93dea95cb78977e0bc73ed9db3
SHA-512: 68f7bf2cfb586221dca3f06c7bf9ae017b26863f367058d06024b759c5ad0d8040c839f1d012f2f97fe506bf83e00eb7a537cb4cf74143651e5909bc2bdd17e7
And he said that it is not signed. I am re-opening this ticket.
Hi Kenjiro, I realize this is confusing, but the signed OS X and Windows binaries can only be downloaded from the customer portal: https://access.redhat.com/downloads/content/290/ver=3.6/rhel---7/3.6.173.0.5/x86_64/product-software If that Windows client isn't signed, let me know and I'll open a ticket with our release engineering team.
Hi Brenton, I see. The binary on https://mirror.openshift.com/pub/openshift-v3/clients/3.6.173.0.5/windows/ is also signed, isn't it? Please note that Dedicated/Online users don't have access rights to the customer portal you mentioned.
Ahh, it's early in the morning here and I forgot you were dealing with Dedicated customers. If the client on the mirror isn't signed, just let me know and we'll make sure the Ops team syncs out the signed binaries now that they exist.
@Brenton, could you please tell us where you synced the signed binary? Was it for 3.6 or 3.5? For 3.5, the modified date is 23-Mar-2017, so obviously you haven't synced it. If you synced the binary for 3.6, please let us know. https://mirror.openshift.com/pub/openshift-v3/clients/3.6.173.0.7/ https://mirror.openshift.com/pub/openshift-v3/clients/3.5.5/
Here is the latest signed binary for 3.5: https://mirror.openshift.com/pub/openshift-v3/clients/3.5.5.31.24/windows/oc-3.5.5.31.24-windows.zip