Add SignerSigningJob module #991

Merged: 5 commits, May 24, 2023

Conversation

gsoria
Contributor

@gsoria gsoria commented May 2, 2023

This PR includes a new module to handle signer signing jobs.

Signing jobs are viewable by the ListSigningJobs operation for two years after they are performed.

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/signer/start-signing-job.html

As a precaution, we are updating signing job statuses to revoked. This indicates that the signature is no longer valid.

Testing

Signing jobs were started using the setup code mentioned below, and then AWS Nuke was used to clean these resources up, specifying SignerSigningJob. The resource was handled as expected:

```
us-east-1 - SignerSigningJob - [CreatedAt: "2023-04-28T22:03:08Z", JobId: "db882524-902e-4bd6-ac03-a66df08e73a0", JobInvoker: "430037344291", JobOwner: "430037344291", PlatformDisplayName: "AWS Lambda", PlatformId: "AWSLambda-SHA384-ECDSA", ProfileName: "profile_pl42eg", ProfileVersion: "ELAcw04kNv"] - would remove
us-east-1 - SignerSigningJob - [CreatedAt: "2023-04-28T22:03:08Z", JobId: "db882524-902e-4bd6-ac03-a66df08e73a0", JobInvoker: "430037344291", JobOwner: "430037344291", PlatformDisplayName: "AWS Lambda", PlatformId: "AWSLambda-SHA384-ECDSA", ProfileName: "profile_pl42eg", ProfileVersion: "ELAcw04kNv"] - removed
```

Setup code

```bash
# generate lambda function (datetime must be imported for datetime.now() to work)
cat > lambda_function.py <<'EOF'
from datetime import datetime

def lambda_handler(event, context):
    print('AWS Cookbook Function run at {}'.format(str(datetime.now())))
EOF

# zip up the code
zip lambda_function.zip lambda_function.py

RANDOM_STRING=$(aws secretsmanager get-random-password \
  --exclude-punctuation --exclude-uppercase \
  --password-length 6 --require-each-included-type \
  --output text \
  --query RandomPassword)

# Source and destination buckets need distinct names. Signer profile names may
# only contain letters, digits and underscores, so the profile uses an underscore.
SRC_BUCKET=bucket-src-$RANDOM_STRING
DEST_BUCKET=bucket-dst-$RANDOM_STRING
PROFILE_NAME=profile_$RANDOM_STRING

# Create a Destination S3 bucket to store the signed code:
aws s3api create-bucket --bucket $DEST_BUCKET

# Create a Source S3 bucket to store the raw code:
aws s3api create-bucket --bucket $SRC_BUCKET

# Enable versioning for the Source S3 bucket (this is required by AWS Signer):
aws s3api put-bucket-versioning \
  --bucket $SRC_BUCKET \
  --versioning-configuration Status=Enabled

# Copy the lambda_function.zip file that contains the source code to the Source S3 bucket:
aws s3 cp ./lambda_function.zip s3://$SRC_BUCKET

# Get the version of the object in S3 that you will use. This is a zip of the code to be
# used in your Lambda function. You'll need this when you are starting the signing job:
OBJ_VER_ID=$(aws s3api list-object-versions \
  --bucket $SRC_BUCKET \
  --prefix lambda_function.zip \
  --output text --query 'Versions[0].VersionId')

# Create a signing profile:
SIGNING_PROFILE_ARN=$(aws signer put-signing-profile \
  --profile-name $PROFILE_NAME \
  --platform AWSLambda-SHA384-ECDSA \
  --output text --query arn)

# You can find a list of the available signing platforms by running this command:
aws signer list-signing-platforms

# Create a code signing configuration for Lambda that refers to the signing profile:
CODE_SIGNING_CONFIG_ARN=$(aws lambda create-code-signing-config \
  --allowed-publishers SigningProfileVersionArns=$SIGNING_PROFILE_ARN \
  --output text --query CodeSigningConfig.CodeSigningConfigArn)

# Start the signing job:
SIGNING_JOB_ID=$(aws signer start-signing-job \
  --source "s3={bucketName=$SRC_BUCKET,key=lambda_function.zip,version=$OBJ_VER_ID}" \
  --destination "s3={bucketName=$DEST_BUCKET,prefix=signed-}" \
  --profile-name $PROFILE_NAME \
  --output text --query jobId)

# Wait a few moments and then verify that the signing job was successful with:
sleep 5
aws signer list-signing-jobs --status Succeeded
```
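The module this PR adds is not reproduced on this page. As an added example (not the project's code or the PR's module), the block below sketches the same lifecycle in the shape aws-nuke resources use: a lister that pages through ListSigningJobs and a Remove method that, because a job record cannot be deleted, calls RevokeSignature, which is what the description above means by marking the signature invalid. It is written against a local SignerAPI interface whose types are stand-ins that borrow the AWS SDK field names rather than the SDK itself, so it runs offline against a constructed fake client; the revocation reason text, the fake client and the two extra sample jobs are constructed, while the first sample job's values are copied from the log above. Two details matter for a cleanup tool: the lister asks only for jobs whose signature is not yet revoked, so a repeated run stays idempotent instead of failing on already-revoked jobs, and a page that comes back empty but still carries a NextToken is not the end of the listing.

```go
package main

import (
	"fmt"
	"strconv"
)

// Local stand-ins for the SDK shapes (field names follow signer.SigningJob,
// ListSigningJobsInput/Output and RevokeSignatureInput); not the SDK types.
type SigningJob struct {
	JobId, JobOwner, ProfileName string
	IsRevoked                    bool
}
type ListSigningJobsInput struct{ IsRevoked *bool; NextToken *string }
type ListSigningJobsOutput struct{ Jobs []*SigningJob; NextToken *string }
type RevokeSignatureInput struct{ JobId, Reason *string }

// SignerAPI is the subset of the Signer client the module needs.
type SignerAPI interface {
	ListSigningJobs(*ListSigningJobsInput) (*ListSigningJobsOutput, error)
	RevokeSignature(*RevokeSignatureInput) error
}

// SignerSigningJob is one removable resource in the aws-nuke sense.
type SignerSigningJob struct {
	svc SignerAPI
	job *SigningJob
}

// ListSignerSigningJobs pages through every job whose signature is not yet
// revoked; asking the API for IsRevoked=false keeps a repeated run idempotent.
func ListSignerSigningJobs(svc SignerAPI) ([]*SignerSigningJob, error) {
	notRevoked := false
	in := &ListSigningJobsInput{IsRevoked: &notRevoked}
	var resources []*SignerSigningJob
	for {
		out, err := svc.ListSigningJobs(in)
		if err != nil {
			return nil, err
		}
		for _, job := range out.Jobs {
			resources = append(resources, &SignerSigningJob{svc: svc, job: job})
		}
		if out.NextToken == nil || *out.NextToken == "" { // an empty page with a token is not the end
			return resources, nil
		}
		in.NextToken = out.NextToken
	}
}

// Remove cannot delete the record (Signer keeps it for two years); revoking
// the signature is what marks the signed artifact invalid.
func (r *SignerSigningJob) Remove() error {
	reason := "Revoked by aws-nuke" // constructed reason text
	return r.svc.RevokeSignature(&RevokeSignatureInput{JobId: &r.job.JobId, Reason: &reason})
}

// fakeSigner is a constructed in-memory client: one job per page (NextToken is the
// next index) after the IsRevoked filter, so a page may be empty while more follow.
type fakeSigner struct {
	jobs    []*SigningJob
	revoked map[string]string // JobId -> reason
}

func (f *fakeSigner) ListSigningJobs(in *ListSigningJobsInput) (*ListSigningJobsOutput, error) {
	i := 0
	if in.NextToken != nil {
		i, _ = strconv.Atoi(*in.NextToken)
	}
	out := &ListSigningJobsOutput{}
	if i < len(f.jobs) && (in.IsRevoked == nil || f.jobs[i].IsRevoked == *in.IsRevoked) {
		out.Jobs = append(out.Jobs, f.jobs[i])
	}
	if i+1 < len(f.jobs) {
		tok := strconv.Itoa(i + 1)
		out.NextToken = &tok
	}
	return out, nil
}

func (f *fakeSigner) RevokeSignature(in *RevokeSignatureInput) error {
	if _, done := f.revoked[*in.JobId]; done {
		return fmt.Errorf("job %s is already revoked", *in.JobId)
	}
	f.revoked[*in.JobId] = *in.Reason
	return nil
}

// newSampleSigner seeds the job from the PR's log plus two constructed jobs, one of
// which is already revoked and must be skipped.
func newSampleSigner() *fakeSigner {
	logged := &SigningJob{JobId: "db882524-902e-4bd6-ac03-a66df08e73a0", JobOwner: "430037344291", ProfileName: "profile_pl42eg"}
	done := &SigningJob{JobId: "00000000-0000-4000-8000-000000000002", IsRevoked: true}
	more := &SigningJob{JobId: "00000000-0000-4000-8000-000000000003"}
	return &fakeSigner{jobs: []*SigningJob{logged, done, more}, revoked: map[string]string{}}
}
```

The block has no main: the flow is driven by calling ListSignerSigningJobs(newSampleSigner()), which yields two resources (the already-revoked sample job is filtered out server-side and the empty middle page is paged past), and then Remove() on each, after which the fake's revoked map holds both job IDs and a second Remove() of the same job returns the "already revoked" error that the IsRevoked filter exists to avoid.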

gsoria added 4 commits May 2, 2023 08:39
Signing jobs are viewable by the ListSigningJobs operation for two years after they are performed [1].
As a precaution, we are updating signing job statuses to revoked. This indicates that the signature is no longer valid.

[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/signer/start-signing-job.html

Signed-off-by: Gabriela S. Soria <gsoria@oreilly.com>
@gsoria gsoria requested a review from a team as a code owner May 2, 2023 16:04
@sstoops
Contributor

sstoops commented May 23, 2023

@svenwltr, @gsoria is another Sr. Engineer on the team here at O'Reilly Media. The module introduced here is one we've been using in our own builds for a few weeks now.

@svenwltr svenwltr merged commit 02900da into rebuy-de:main May 24, 2023