Skip to content

Move secrets to Azure Key Vault#738

Merged
mjcheetham merged 5 commits intovfs-2.49.0from
keyvault
Apr 3, 2025
Merged

Move secrets to Azure Key Vault#738
mjcheetham merged 5 commits intovfs-2.49.0from
keyvault

Conversation

@mjcheetham
Copy link
Member

@mjcheetham mjcheetham commented Mar 26, 2025
edited
Loading

We should standardise on a location (and naming convention) to store secrets used as part of the build process for microsoft/git. Azure Key Vault is an approved store for secrets inside of Microsoft, and so we should migrate any existing secrets from GitHub environment secrets to AKV. Access to the AKV is via Managed Identity and federated authentication through GitHub Actions.

The names of the secrets, and other configuration for accessing the Key Vault, remain in GitHub environment secrets. Forks of the project can therefore define the same set of environment secrets pointing at their own AKV to utilise the same build process.

For reference, the set of secrets that must be defined for the workflow are as follows:

Secret Name Description
AZURE_VAULT Name of the Azure Key Vault containing build secrets.
AZURE_CLIENT_ID Client ID of the Managed Identity with access to the Key Vault.
AZURE_TENANT_ID Tenant ID where the Managed Identity resides.
AZURE_SUBSCRIPTION_ID Subscription ID where the Key Vault resides.
WIN_CODESIGN_CERT_SECRET_NAME Name of the AKV secret containing the base64 encoded Windows Authenticode signing certificate.
WIN_CODESIGN_PASS_SECRET_NAME Name of the AKV secret containing the password for the Windows Authenticode signing certificate.
WIN_GPG_PRIVATE_SECRET_NAME Name of the AKV secret containing the GPG private key used to sign the Windows package.
WIN_GPG_KEYGRIP_SECRET_NAME Name of the AKV secret containing the keygrip for the GPG key used to sign the Windows package.
WIN_GPG_PASSPHRASE_SECRET_NAME Name of the AKV secret containing the passphrase for the GPG private key used to sign the Windows package.
APPLE_APPCERT_SECRET_NAME Name of the AKV secret containing the base64 encoded Apple Application Certificate for macOS.
APPLE_APPCERT_PASS_SECRET_NAME Name of the AKV secret containing the password for the Apple Application Certificate.
APPLE_INSTCERT_SECRET_NAME Name of the AKV secret containing the base64 encode Apple InstallationCertificate for macOS.
APPLE_INSTCERT_PASS_SECRET_NAME Name of the AKV secret containing the password for the Apple Installation Certificate.
APPLE_TEAM_ID_SECRET_NAME Name of the AKV secret containing the Apple Developer Team ID.
APPLE_DEVELOPER_ID_SECRET_NAME Name of the AKV secret containing the Apple Developer ID account email address for developer signing.
APPLE_DEVELOPER_PASSWORD_SECRET_NAME Name of the AKV secret containing the Apple Developer ID account password for developer signing.
APPLE_APPSIGN_ID_SECRET_NAME Name of the AKV secret containing the Apple Application Signing ID.
APPLE_INSTSIGN_ID_SECRET_NAME Name of the AKV secret containing the Apple Installation Signing ID.
LINUX_GPG_PUBLIC_SECRET_NAME Name of the AKV secret containing the base64 encoded GPG public key used for Debian package signing.
LINUX_GPG_PRIVATE_SECRET_NAME Name of the AKV secret containing the base64 encoded GPG private key used for Debian package signing.
LINUX_GPG_PASSPHRASE_SECRET_NAME Name of the AKV secret containing the password for the GPG signing key used for the Debian package.
LINUX_GPG_KEYGRIP_SECRET_NAME Name of the AKV secret containing the keygrip of the GPG signing key used for the Debian package.

@mjcheetham mjcheetham requested review from dscho and mpysson March 26, 2025 14:45
@mjcheetham mjcheetham force-pushed the keyvault branch 4 times, most recently from 643ddbd to 22a910a Compare March 26, 2025 16:18
dscho
dscho reviewed Mar 26, 2025
View reviewed changes
Copy link
Member

@dscho dscho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much! This is already looking great, my only remaining concern is how to ensure that the secret values are masked in the log output (in case future tired me adds set -x for debugging, for example). Once this is resolved, I think this is good to go!

@mjcheetham mjcheetham force-pushed the keyvault branch 5 times, most recently from 4e81bc4 to 030b28a Compare April 1, 2025 14:24
dscho
dscho previously approved these changes Apr 1, 2025
View reviewed changes
Copy link
Member

@dscho dscho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice!

I could imagine that the resulting workflow definition would be even nicer to read if the convention was introduced that in addition to setting outputs via NAME => OUTPUT, secrets could also be downloaded via NAME ENCODING> FILENAME (e.g. ${{ secrets.LINUX_GPG_PUBLIC_SECRET_NAME }} base64> msft-git-public.asc or ${{ secrets.WIN_CODESIGN_PASS_SECRET_NAME }} ascii> .sig/codesign.pass).

This would probably make even more sense in the context of using the same Action also in other workflow definitions.

What do you think?

dscho
dscho reviewed Apr 2, 2025
View reviewed changes
Copy link
Member

@dscho dscho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really like where this is going!

@mjcheetham mjcheetham force-pushed the keyvault branch 2 times, most recently from 4354a3f to 4af03aa Compare April 3, 2025 08:38
@mjcheetham mjcheetham requested a review from dscho April 3, 2025 08:42
dscho
dscho reviewed Apr 3, 2025
View reviewed changes
Copy link
Member

@dscho dscho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! I am a bit embarrassed to ask for yet more changes, but I am confident that this is the last round!

.github/workflows/build-git-installers.yml
Comment on lines +11 to +13
env:
DO_WIN_CODESIGN: ${{ secrets.WIN_CODESIGN_CERT_SECRET_NAME != '' && secrets.WIN_CODESIGN_PASS_SECRET_NAME != '' }}
DO_WIN_GPGSIGN: ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME != '' && secrets.WIN_GPG_PRIVATE_SECRET_NAME != '' && secrets.WIN_GPG_PASSPHRASE_SECRET_NAME != '' }}
Copy link
Member

@dscho dscho Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very, very nice!

@mjcheetham
.github/actions/akv-secret: add action to get secrets
7089111 
Add a new JavaScript GitHub Action to download secrets from Azure Key
Vault using the `az` CLI, mask the secret values, and store them as:
 * outputs,
 * environment variables, or
 * files;

Values are all masked for safe consumption by other steps in a workflow.

Callers of this action can optionally perform base64 decoding of secret
values using the syntax: `INPUT base64> OUTPUT`.

It is assumed that the `az login` command has already been run prior to
this action being invoked.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
@mjcheetham
fixup! release: create initial Windows installer build workflow
11ca3f2 
Migrate secrets to Azure Key Vault. Names of the secrets in the AKV, and
the AKV and Managed Identity IDs themselves are stored in GitHub
environment secrets. This indirection allows for an easy way to re-point
these to different Key Vault secrets without modifying the workflow file
itself. In forks, this would allow others to use their own AKV and
sercrets with the same workflow.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
@mjcheetham
fixup! release: add Mac OSX installer build
7d8e44d 
Continue to migrate secrets to AKV for the macOS build steps.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
@mjcheetham
fixup! release: add signing step for .deb package
f941a18 
Continue to migrate secrets to AKV for the Debian package
build steps.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
@mjcheetham
fixup! build-git-installers: publish gpg public key
c056b79 
Use the `akv-secret` action rather than `az keyvault secret show
| base64 -d` for downloading the Debian package public GPG key.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
dscho
dscho approved these changes Apr 3, 2025
View reviewed changes
Copy link
Member

@dscho dscho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for indulging me!

@mjcheetham mjcheetham merged commit 25202f8 into vfs-2.49.0 Apr 3, 2025
120 checks passed
@mjcheetham mjcheetham deleted the keyvault branch April 3, 2025 11:28
@mjcheetham mjcheetham mentioned this pull request Apr 8, 2025
Merged
mjcheetham added a commit that referenced this pull request Apr 9, 2025
@mjcheetham
Fix various issues with build-git-installers.yml (#741)
e92e23d 
There are several issues that have been uncovered with the changes made
in #738. Let's fix them!

* Check out `akv-secret` action before it is used.
* Log in to Azure before accessing the Key Vault.
* Don't mask empty lines.
* Use a buffer to fix encoding issues when writing binary data.
* Correctly mask multi-line secret values.
* Add missing `require('path')` statement.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dscho dscho dscho approved these changes

@mpysson mpysson Awaiting requested review from mpysson

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mjcheetham @dscho