
{cmd/dist,release/dist}: add support for intermediary QNAP signing certificates

Updates #23528

Signed-off-by: Percy Wegmann <[email protected]>
Percy Wegmann 6 months ago
parent
commit
192fa6f05d

+ 11 - 9
cmd/dist/dist.go

@@ -21,12 +21,13 @@ import (
 )
 
 var (
-	synologyPackageCenter   bool
-	gcloudCredentialsBase64 string
-	gcloudProject           string
-	gcloudKeyring           string
-	qnapKeyName             string
-	qnapCertificateBase64   string
+	synologyPackageCenter               bool
+	gcloudCredentialsBase64             string
+	gcloudProject                       string
+	gcloudKeyring                       string
+	qnapKeyName                         string
+	qnapCertificateBase64               string
+	qnapCertificateIntermediariesBase64 string
 )
 
 func getTargets() ([]dist.Target, error) {
@@ -47,11 +48,11 @@ func getTargets() ([]dist.Target, error) {
 	// To build for package center, run
 	// ./tool/go run ./cmd/dist build --synology-package-center synology
 	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
-	qnapSigningArgs := []string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64}
+	qnapSigningArgs := []string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64, qnapCertificateIntermediariesBase64}
 	if cmp.Or(qnapSigningArgs...) != "" && slices.Contains(qnapSigningArgs, "") {
-		return nil, errors.New("all of --gcloud-credentials, --gcloud-project, --gcloud-keyring, --qnap-key-name and --qnap-certificate must be set")
+		return nil, errors.New("all of --gcloud-credentials, --gcloud-project, --gcloud-keyring, --qnap-key-name, --qnap-certificate and --qnap-certificate-intermediaries must be set")
 	}
-	ret = append(ret, qnap.Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64)...)
+	ret = append(ret, qnap.Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, qnapKeyName, qnapCertificateBase64, qnapCertificateIntermediariesBase64)...)
 	return ret, nil
 }
 
@@ -65,6 +66,7 @@ func main() {
 			subcmd.FlagSet.StringVar(&gcloudKeyring, "gcloud-keyring", "", "path to keyring in GCP KMS (used when signing QNAP builds)")
 			subcmd.FlagSet.StringVar(&qnapKeyName, "qnap-key-name", "", "name of GCP key to use when signing QNAP builds")
 			subcmd.FlagSet.StringVar(&qnapCertificateBase64, "qnap-certificate", "", "base64 encoded certificate to use when signing QNAP builds")
+			subcmd.FlagSet.StringVar(&qnapCertificateIntermediariesBase64, "qnap-certificate-intermediaries", "", "base64 encoded intermediary certificate to use when signing QNAP builds")
 		}
 	}
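Review bot: The help text on the new `qnap-certificate-intermediaries` flag says "intermediary certificate" in the singular, while the flag name, the struct field and the `-certfile` use in sign-qpkg.sh all take a file that may hold several concatenated PEM certificates; suggest `"base64 encoded PEM bundle of intermediary certificates to use when signing QNAP builds"`. Note also that the getTargets hunk adds the value to the all-or-nothing check and its error message, so a signing certificate issued directly by a trusted root, with no intermediaries, can no longer be used — if that is intended, the help text should say the bundle is required; if not, the new value should be excluded from that check. The enclosing main body lies outside the hunk.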
 

+ 5 - 2
release/dist/qnap/files/scripts/sign-qpkg.sh

@@ -24,7 +24,9 @@ MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtfLbXkHUVc9oUPTNyaEK3hIwmuGRoTtd
 -----END PUBLIC KEY-----" > pkcs11-release-signing-key.pem
 openssl dgst -sha384 -verify pkcs11-release-signing-key.pem -signature "$PKCS11_MODULE_PATH.sig" "$PKCS11_MODULE_PATH"
 
-echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > cert.crt
+echo "$QNAP_SIGNING_CERT_BASE64" | base64 --decode > signer.pem
+
+echo "$QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64" | base64 --decode > certs.pem
 
 openssl cms \
 	-sign \
@@ -35,6 +37,7 @@ openssl cms \
 	-inkey "pkcs11:object=$QNAP_SIGNING_KEY_NAME" \
 	-keyopt rsa_padding_mode:pss \
 	-keyopt rsa_pss_saltlen:digest \
-	-signer cert.crt \
+	-signer signer.pem \
+	-certfile certs.pem \
 	-in "$1" \
 	-out -
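Review bot: The decode on the new `echo "$QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64" | base64 --decode > certs.pem` line has no exit-status check, so a malformed or empty value leaves certs.pem empty or truncated and the `openssl cms` call in the second hunk then runs with an incomplete `-certfile`; unless the script enables `set -e` or `pipefail` outside these hunks, that failure surfaces only later, if at all. The pre-existing signer.pem decode copies the same pattern. A minimal guard on both lines is `... | base64 --decode > certs.pem || { echo "invalid QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64" >&2; exit 1; }`, and `openssl x509 -noout -in signer.pem` before signing would reject a value that decodes but is not a certificate. The surrounding script starts before the first hunk.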

+ 7 - 5
release/dist/qnap/pkgs.go

@@ -27,11 +27,12 @@ type target struct {
 }
 
 type signer struct {
-	gcloudCredentialsBase64 string
-	gcloudProject           string
-	gcloudKeyring           string
-	keyName                 string
-	certificateBase64       string
+	gcloudCredentialsBase64         string
+	gcloudProject                   string
+	gcloudKeyring                   string
+	keyName                         string
+	certificateBase64               string
+	certificateIntermediariesBase64 string
 }
 
 func (t *target) String() string {
@@ -90,6 +91,7 @@ func (t *target) buildQPKG(b *dist.Build, qnapBuilds *qnapBuilds, inner *innerPk
 			"-e", fmt.Sprintf("GCLOUD_KEYRING=%s", t.signer.gcloudKeyring),
 			"-e", fmt.Sprintf("QNAP_SIGNING_KEY_NAME=%s", t.signer.keyName),
 			"-e", fmt.Sprintf("QNAP_SIGNING_CERT_BASE64=%s", t.signer.certificateBase64),
+			"-e", fmt.Sprintf("QNAP_SIGNING_CERT_INTERMEDIARIES_BASE64=%s", t.signer.certificateIntermediariesBase64),
 			"-e", fmt.Sprintf("QNAP_SIGNING_SCRIPT=%s", "/sign-qpkg.sh"),
 			"-v", fmt.Sprintf("%s:/sign-qpkg.sh", filepath.Join(qnapBuilds.tmpDir, "files/scripts/sign-qpkg.sh")),
 		)

+ 8 - 7
release/dist/qnap/targets.go

@@ -18,15 +18,16 @@ import (
 // gcloudKeyring is the full path to the Google Cloud keyring containing the signing key.
 // keyName is the name of the key.
 // certificateBase64 is the PEM certificate to use in the signature, base64 encoded.
-func Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64 string) []dist.Target {
+func Targets(gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64, certificateIntermediariesBase64 string) []dist.Target {
 	var signerInfo *signer
-	if !slices.Contains([]string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64}, "") {
+	if !slices.Contains([]string{gcloudCredentialsBase64, gcloudProject, gcloudKeyring, keyName, certificateBase64, certificateIntermediariesBase64}, "") {
 		signerInfo = &signer{
-			gcloudCredentialsBase64: gcloudCredentialsBase64,
-			gcloudProject:           gcloudProject,
-			gcloudKeyring:           gcloudKeyring,
-			keyName:                 keyName,
-			certificateBase64:       certificateBase64,
+			gcloudCredentialsBase64:         gcloudCredentialsBase64,
+			gcloudProject:                   gcloudProject,
+			gcloudKeyring:                   gcloudKeyring,
+			keyName:                         keyName,
+			certificateBase64:               certificateBase64,
+			certificateIntermediariesBase64: certificateIntermediariesBase64,
 		}
 	}
 	return []dist.Target{
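Review bot: The new `certificateIntermediariesBase64` parameter is the only one in Targets' signature without a line in the doc comment directly above it, which documents every other parameter. Add `// certificateIntermediariesBase64 is the PEM bundle of intermediary certificates that chain certificateBase64 to its issuer, base64 encoded.` after the certificateBase64 line. Since the slices.Contains check treats an empty value as "no signer", the comment should also state that the intermediaries are required whenever a signer is configured. Targets' body continues outside the hunk.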