wazuh / wazuh-packages

Wazuh - Tools for packages creation

https://wazuh.com

GNU General Public License v2.0

98 stars 89 forks source link

Windows Agent signing procedure only supports undocumented Certificate Store #2826

Open jnasselle opened 4 months ago

jnasselle commented 4 months ago

Wazuh version	Install type	Action performed	Platform
up to master	Agent	Signing	Windows

Description

It was found that PS script responsible for signing Wazuh Agent installer for Windows Systems uses Singtool as-it, picking the certificates from the Certificate Store without being able to select one of those certificates (picking the "best match" using /a flag)

From an end-user perspective, this is not clear enough and we should, at least, provide one of the next options

Documentation of how to import a cert to Certificate Store and make (somehow) the best candidate for /a signtool parameter
Add an optional parameter to generate_wazuh_msi.ps1 that allows using pfx files or selecting a specific cert stored in the Certificate Store

cc: @sebastiandbustos

jnasselle commented 4 months ago

@rauldpm This should be taken into consideration for https://github.com/wazuh/internal-devel-requests/issues/187

rauldpm commented 4 months ago

Thanks, @jnasselle, I will take it into account, as the MSI will be created through GHA and the files need to be signed before the MSI package is created, this should be added to the CORE team

jotacarma90 commented 3 months ago

Hi team

We are going to analyze this issue and possibly include the necessary development in the package migration, specifically in the issue dedicated to the signed functionality of the Windows agent: https://github.com/wazuh/wazuh/issues/22839

jotacarma90 commented 6 days ago

Update 03/07/2024

Added new parameters to determine the name of the .pfx file and the password of that file, when these parameters are specified, the signtool will be executed using the /f and /p parameters, so that we can select the certificate manually.
If none of these parameters is set, the /a (automatic certificate selection) will be used in the script.
Working with certificates, testing with a personal certificate created on my local machine.
Pending to dump all the commands to generate the certificate and test it both ways in the script.
Pending to run the corresponding workflow to create the signed Windows package.

jotacarma90 commented 5 days ago

Update 04/07/2024

Added manual testing in the PR: https://github.com/wazuh/wazuh/pull/24402#issue-2388447230
Created docu PR: https://github.com/wazuh/wazuh-documentation/pull/7501
Executing workflow generate Windows package to check normal behaviour: https://github.com/wazuh/wazuh-agent-packages/actions/runs/9791598396