wazuh / wazuh-agent

Wazuh agent, the Wazuh agent for endpoints.
GNU Affero General Public License v3.0

Port commit from wazuh/wazuh - Add certificate name parameters to Windows msi package script #331

Closed jotacarma90 closed 1 day ago

jotacarma90 commented 1 day ago
Related issue
https://github.com/wazuh/wazuh-packages/issues/2826

Port

After introducing some changes in the wazuh/wazuh repo, we want to bring those changes to the new wazuh-agent repository for version 5.0. We cherry-picked the same commits (the only difference was the path of some modified files; there were no conflicts).

Description

In this PR we have included some changes in the generate_wazuh_msi.ps1 script, which we use to generate the package and sign all the necessary files with the certificates. We have added two new parameters to the script so that, if the user prefers, he can directly indicate the name of the certificate and its password for the signtool, since by default the /a parameter is used, which automatically selects the best available certificate.

Test workflow

Manual testing

```
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(115) : warning LGHT1076 : ICE03: String overflow (greater than length permitted in column); Table: CustomAction, Column: Target, Key(s): SetCustomActionDataValue
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(116) : warning LGHT1076 : ICE03: String overflow (greater than length permitted in column); Table: CustomAction, Column: Target, Key(s): SetCustomActionDataForSetWazuhPermissions
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(262) : warning LGHT1076 : ICE30: The target file 'ekhl4joq.exe|wazuh-agent.exe' might be installed in '[ProgramFilesFolder]\ossec-agent\' by two different conditionalized components on an LFN system: 'WAZUH_AGENT_EVENTCHANNEL.EXE' and 'WAZUH_AGENT.EXE'. If the conditions are not mutually exclusive, this will break the component reference counting system.
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(256) : warning LGHT1076 : ICE30: The target file 'ekhl4joq.exe|wazuh-agent.exe' might be installed in '[ProgramFilesFolder]\ossec-agent\' by two different conditionalized components on an LFN system: 'WAZUH_AGENT_EVENTCHANNEL.EXE' and 'WAZUH_AGENT.EXE'. If the conditions are not mutually exclusive, this will break the component reference counting system.
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(700) : warning LGHT1076 : ICE61: This product should remove only older versions of itself. No Maximum version was detected for the current product. (WIX_UPGRADE_DETECTED)
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(113) : warning LGHT1076 : ICE68: Even though custom action 'CheckSvcRunning' is marked to be elevated (with attribute msidbCustomActionTypeNoImpersonate), it will not be run with elevated privileges because it's not deferred (with attribute msidbCustomActionTypeInScript).
Signing wazuh-agent.msi...
Done Adding Additional Store
Successfully signed: wazuh-agent.msi
```


- Finally, we will install this personal certificate in the Windows Certificate Store:

```powershell
# Import the PFX into the current user's personal store
$certPassword = ConvertTo-SecureString -String "xxx" -Force -AsPlainText
Import-PfxCertificate -FilePath "./certificado.pfx" -CertStoreLocation Cert:\CurrentUser\My -Password $certPassword

# Import the same PFX into the local machine's personal store
$certPassword = ConvertTo-SecureString -String "xxx" -Force -AsPlainText
Import-PfxCertificate -FilePath "./certificado.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $certPassword
```


- Testing `/a` parameter to select the best match (our stored certificate):

```
PS C:\testingCA\wazuh\src\win32> .\generate_wazuh_msi.ps1 -SIGN yes
MSI_NAME = wazuh-agent.msi
Signing .*.exe...
Done Adding Additional Store
Successfully signed: .\agent-auth.exe
Successfully signed: .\manage_agents.exe
Successfully signed: .\netsh.exe
Successfully signed: .\os_win32ui.exe
Successfully signed: .\restart-wazuh.exe
Successfully signed: .\route-null.exe
Successfully signed: .\setup-iis.exe
Successfully signed: .\setup-syscheck.exe
Successfully signed: .\setup-windows.exe
Successfully signed: .\wazuh-agent-4.10.0.exe
Successfully signed: .\wazuh-agent-eventchannel.exe
Successfully signed: .\wazuh-agent.exe
Signing .\InstallerScripts.vbs...
Done Adding Additional Store
Successfully signed: .\InstallerScripts.vbs
Signing ..*.dll...
Done Adding Additional Store
Successfully signed: ..\libwazuhext.dll
Successfully signed: ..\libwazuhshared.dll
Signing .*.dll...
Done Adding Additional Store
Successfully signed: .\libgcc_s_dw2-1.dll
Successfully signed: .\libstdc++-6.dll
Successfully signed: .\libwinpthread-1.dll
Signing ..\data_provider\build\bin\sysinfo.dll...
Done Adding Additional Store
Successfully signed: ..\data_provider\build\bin\sysinfo.dll
Signing ..\shared_modules\dbsync\build\bin\dbsync.dll...
Done Adding Additional Store
Successfully signed: ..\shared_modules\dbsync\build\bin\dbsync.dll
Signing ..\shared_modules\rsync\build\bin\rsync.dll...
Done Adding Additional Store
Successfully signed: ..\shared_modules\rsync\build\bin\rsync.dll
Signing ..\wazuh_modules\syscollector\build\bin\syscollector.dll...
Done Adding Additional Store
Successfully signed: ..\wazuh_modules\syscollector\build\bin\syscollector.dll
Signing ..\syscheckd\build\bin\libfimdb.dll...
Done Adding Additional Store
Successfully signed: ..\syscheckd\build\bin\libfimdb.dll
Building MSI installer...
wazuh-installer.wxs
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(66) : warning CNDL1077 : The 'WixShellExecTarget' Property contains '[APPLICATIONFOLDER]' in its value which is an illegal reference to another property. If this value is a string literal, not a property reference, please ignore this warning. To set a property with the value of another property, use a CustomAction with Property and Value attributes.
Windows Installer XML Toolset Linker version 3.14.0.8606
Copyright (c) .NET Foundation and contributors. All rights reserved.

C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(115) : warning LGHT1076 : ICE03: String overflow (greater than length permitted in column); Table: CustomAction, Column: Target, Key(s): SetCustomActionDataValue
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(116) : warning LGHT1076 : ICE03: String overflow (greater than length permitted in column); Table: CustomAction, Column: Target, Key(s): SetCustomActionDataForSetWazuhPermissions
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(262) : warning LGHT1076 : ICE30: The target file 'ekhl4joq.exe|wazuh-agent.exe' might be installed in '[ProgramFilesFolder]\ossec-agent\' by two different conditionalized components on an LFN system: 'WAZUH_AGENT_EVENTCHANNEL.EXE' and 'WAZUH_AGENT.EXE'. If the conditions are not mutually exclusive, this will break the component reference counting system.
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(256) : warning LGHT1076 : ICE30: The target file 'ekhl4joq.exe|wazuh-agent.exe' might be installed in '[ProgramFilesFolder]\ossec-agent\' by two different conditionalized components on an LFN system: 'WAZUH_AGENT_EVENTCHANNEL.EXE' and 'WAZUH_AGENT.EXE'. If the conditions are not mutually exclusive, this will break the component reference counting system.
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(700) : warning LGHT1076 : ICE61: This product should remove only older versions of itself. No Maximum version was detected for the current product. (WIX_UPGRADE_DETECTED)
C:\testingCA\wazuh\src\win32\wazuh-installer.wxs(113) : warning LGHT1076 : ICE68: Even though custom action 'CheckSvcRunning' is marked to be elevated (with attribute msidbCustomActionTypeNoImpersonate), it will not be run with elevated privileges because it's not deferred (with attribute msidbCustomActionTypeInScript).
Signing wazuh-agent.msi...
Done Adding Additional Store
Successfully signed: wazuh-agent.msi
```
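
Because `/a` lets signtool pick the certificate, "Successfully signed" does not say which certificate was used, so a post-build check of the signer on each artifact is worth running. The following is an added example, not part of this PR or of the Wazuh scripts; the function name `Test-BuildSignature`, the artifact subset (taken from the output above) and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the PR): report which certificate signed each artifact
# and fail if any artifact is unsigned or signed by an unexpected certificate.
function Test-BuildSignature {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Thumbprints copied from the certificate UI often contain spaces.
    $expected = $ExpectedThumbprint -replace '\s', ''
    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction Stop
        $cert = $sig.SignerCertificate      # $null when the file is not signed
        [pscustomobject]@{
            File         = $file
            Status       = $sig.Status      # a test certificate is not 'Valid' unless its chain is trusted
            Subject      = if ($cert) { $cert.Subject } else { $null }
            Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
            ExpectedCert = ($null -ne $cert) -and ($cert.Thumbprint -eq $expected)
        }
    }
}

# Subset of the artifacts listed in the signing output; run from src\win32.
$artifacts = @(
    '.\wazuh-agent.msi',
    '.\wazuh-agent.exe',
    '.\InstallerScripts.vbs',
    '..\libwazuhext.dll',
    '..\data_provider\build\bin\sysinfo.dll'
)

# Placeholder: replace with the thumbprint of the certificate you intend to sign with.
$report = Test-BuildSignature -Path $artifacts -ExpectedThumbprint '<EXPECTED-CERT-THUMBPRINT>'
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.ExpectedCert })
if ($unexpected.Count -gt 0) {
    throw "Artifacts not signed by the expected certificate: $($unexpected.File -join ', ')"
}
```

The thumbprint is compared separately from `Status` so that a self-signed test certificate, which reports an untrusted status, can still be confirmed as the one that signed the files.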