Change code signer from Microsoft to be vendor-neutral (issue #2780)

Dave Thaler

Kicking off discussion https://github.com/openenclave/openenclave/issues/2780 ...

Currently the VS Extension and the VS Code Extension are both signed by Microsoft and hence
show up in the marketplace as Publisher:Microsoft as seen on the right side of:
https://marketplace.visualstudio.com/items?itemName=ms-iot.msiot-vscode-openenclave
https://marketplace.visualstudio.com/items?itemName=MS-TCPS.OpenEnclaveSDK-VSIX
Now that this is a CCC project not a Microsoft project, I believe these entries should be deprecated now and replaced by entries with a vendor-neutral publisher, being the Open Enclave org. (It's not feasible to change the publisher of an existing VS marketplace entry, you have to create a new entry.) There’s no specific deadline for doing this, as we can continue to use Microsoft signing in the meantime, but I believe we should move to a non-Microsoft key when one is available. Since we have to create a new entry, there’s some friction to users if we deprecate an old package and tell them to install a new package instead, so I think this ought to be done before declaring v1.0.

Nuget packages on the other hand work differently. As seen at
https://www.nuget.org/packages/open-enclave/
the OE SDK nuget package shows a set of individual owners, and the list CAN change without creating a new entry, as explained at
https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package#managing-package-owners-on-nugetorg
Nuget packages get signed with the nuget.org key, and so nuget can accept unsigned packages from any authorized package owner. Thus, an OE signing key is not needed for nuget packages. All that is required is that OE maintain the set of authorized owners of the package.

So, two questions:

1) How do we get a signing key usable with binary distribution mechanisms that require signed binaries to be submitted, such as VS Marketplace?

2) Is our existing process for nuget sufficient for now, of making the authorized owners of the nuget package be release managers (or individual members of the Release SIG)? Do we have adequate protections if two individuals simultaneously disappear? Do we need some group account that can be shared somehow?

I think these are all questions for the Release SIG to answer, who are probably much more knowledgeable than I am on this topic, but I wanted to introduce the questions here per Aeva’s request during the triage meeting.

Dave

Join oesdk@lists.confidentialcomputing.io to automatically receive all group messages.