Deploy Files v2

Note

The Deploy Files Plugin is not a feature covered by the CC evaluation, so it cannot be used by public institutions that require CC certification.

The Deploy Files Plugin runs a file or downloads it to a specific location. The policy server can communicate with the agent to deploy, run and install files to the device.

  • Deploying files for your device
  • Installing software on the device

The Deploy Files v2 Plugin extends the existing Deploy Files Plugin with a focus on security.

Deploy Files v2 Plugin provides file integrity verification and distributor identification for secure file distribution.

  • Three-step integrity verification of the deployed file
  • Identification and approval of the distributor by the end user (administrator)

The Deploy Files v2 Plugin requires a digital signature for the file you deploy. For signing and signature verification it uses Sigstore signing, which was designed for supply chain security. The plugin lets you choose between two Sigstore signing methods: Sigstore Keyless Signing and Public Key Signing.

Sigstore Keyless Signing Method

Sigstore uses OpenID Connect (OIDC) to issue a short-lived certificate.
This certificate is used to sign software, and the signed software can be publicly verified with cosign.

OIDC is an extension of OAuth 2.0, a framework that uses login authentication to provide users with access to resources. Because OIDC can generate certificates without requiring a user's password, Sigstore uses it to generate certificates with a short expiration date.

How to use Sigstore Keyless Signing

Step 1. Digital signature of distribution file

  1. Download cosign and store it in the directory that you want to use for the digital signature of the distribution file.
  2. Change the file name to cosign.
  3. Copy the file to be digitally signed into the directory.
  4. From the terminal, navigate to the directory where the cosign file is located.
  5. Enter the following command to perform the digital signature:
> cosign sign-blob {FILE_NAME} --output-certificate {CERT_FILE_NAME.cert} --output-signature {SIG_FILE_NAME.sig}
  6. After a moment, enter y in the terminal to accept the Terms of Service.
  7. When the authentication URL opens in the browser, select one of the three OIDC providers (GitHub, Google, Microsoft) and authenticate.
  8. Check that the .cert and .sig files have been created in the directory.

Step2. Verifying digital signature

  1. Enter the following command in the terminal:
> cosign verify-blob {FILE_NAME} --certificate {CERT_FILE_NAME.cert} --signature {SIG_FILE_NAME.sig} --certificate-identity={AUTH_USER_ID} --certificate-oidc-issuer={OIDC_ISSUER}
Example> cosign verify-blob agent.zip --certificate agent.cert --signature agent.sig --certificate-identity=genian@genians.com --certificate-oidc-issuer=https://accounts.google.com
  2. If the digital signature is valid, Verified OK is displayed.
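The verify-blob command above checks three things at once: that the certificate's identity (SAN email) equals the value given to --certificate-identity, that the certificate's OIDC issuer equals --certificate-oidc-issuer, and that the signature verifies over the file under the certificate's key. The Go program below is an added example written for this page, not code from Genians or from the cosign project, that performs those same three checks on a self-signed stand-in certificate generated in the program. It assumes cosign's blob signature format (base64 of an ASN.1 DER ECDSA signature over the SHA-256 of the file) and the Fulcio issuer extension OID 1.3.6.1.4.1.57264.1.8; the Fulcio chain validation and Rekor inclusion check that cosign also performs are left out, and the sample file contents and identities are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fulcio stores the OIDC issuer in extension 1.3.6.1.4.1.57264.1.8 as a DER
// UTF8String (Sigstore OID registry). The older raw-string form under .1 is
// not checked in this example.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signBlob mirrors cosign sign-blob for an ECDSA signer (an assumption about
// its format): SHA-256 of the file, ASN.1 DER ECDSA signature, base64 text.
func signBlob(priv *ecdsa.PrivateKey, blob []byte) string {
	digest := sha256.Sum256(blob)
	return base64.StdEncoding.EncodeToString(must(ecdsa.SignASN1(rand.Reader, priv, digest[:])))
}

// VerifyKeylessBlob applies the checks implied by the Trusted ID, Trusted OIDC
// Issuer, Certificate and Signature fields: SAN email == trusted ID, Fulcio
// issuer extension == trusted issuer, and a valid signature under the cert's
// key. Fulcio chain validation and Rekor inclusion are left out of the example.
func VerifyKeylessBlob(certPEM []byte, sigB64 string, blob []byte, trustedID, trustedIssuer string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// 1. Identity: an email SAN must equal the configured Trusted ID exactly.
	idOK := false
	for _, e := range cert.EmailAddresses {
		idOK = idOK || e == trustedID
	}
	if !idOK {
		return fmt.Errorf("identity %v != trusted ID %q", cert.EmailAddresses, trustedID)
	}
	// 2. Issuer: the Fulcio issuer extension must equal the Trusted OIDC Issuer.
	issuer := ""
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			asn1.UnmarshalWithParams(ext.Value, &issuer, "utf8")
		}
	}
	if issuer != trustedIssuer {
		return fmt.Errorf("issuer %q != trusted issuer %q", issuer, trustedIssuer)
	}
	// 3. Integrity: the signature must verify over SHA-256 of the file bytes.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if !ok || err != nil {
		return fmt.Errorf("unsupported key type or malformed signature")
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], der) {
		return fmt.Errorf("signature does not match file contents")
	}
	return nil
}

// makeTestCert builds a constructed, self-signed stand-in for a short-lived
// Fulcio certificate with the given SAN email and issuer extension.
func makeTestCert(email, issuer string) (*ecdsa.PrivateKey, []byte) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed Fulcio stand-in"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: must(asn1.MarshalWithParams(issuer, "utf8"))}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	blob := []byte("constructed agent.zip contents") // constructed sample file
	priv, certPEM := makeTestCert("genian@genians.com", "https://accounts.google.com")
	fmt.Println("result:", VerifyKeylessBlob(certPEM, signBlob(priv, blob), blob, "genian@genians.com", "https://accounts.google.com"))
}
```

Each of the three checks fails closed: a certificate issued to a different identity, a certificate obtained through a different OIDC provider, or a file whose bytes changed after signing all produce an error rather than a partial pass, which is the behaviour to expect from the agent when the Trusted ID or Trusted OIDC Issuer configured on the policy server does not match the certificate attached to the node action.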

Step 3. Creating Node Actions

  1. Access the Policy Server Web Console and navigate to Policy at the top.
  2. Go to Node Policy > Agent Actions from the left menu.
  3. Click on Actions Selection > Create at the top.

Below are the Basic Settings.

  4. For Action Name, use the format "(Purpose) Action Name" to easily differentiate node actions during operation.
  5. Description can be used to differentiate node actions based on their purpose.
  6. Adding Labels allows custom labels to be displayed in the Description input field, facilitating plugin categorization.

Configure the Action Execution Settings below.

  7. Choose the appropriate OS type for macOS, Linux, or Windows targets under OS Type.
  8. Condition Settings are typically used to deploy to specific users based on certain conditions during deployment.
  Example: If you deploy with the condition "c:\%ProgramFiles%\abc.exe does not exist", the file is deployed only to endpoints on which abc.exe does not exist.
  9. Select File Deployment V2 in Plugin Selection.
  10. Click the Upload button under Deployment File to select the file.
  11. Choose Sigstore Keyless Signing for Deployment File Verification Method.
  12. In Trusted OIDC Issuer, select the OIDC provider (GitHub, Google, Microsoft) used for authentication during digital signing.
  13. In Trusted ID, enter the ID (in email address format) used for authentication during digital signing.
  14. Click the Read File button on the right side of Certificate to add the .cert file generated during digital signing.
  15. Click the Read File button on the right side of Signature to add the .sig file generated during digital signing.
  16. In Deployment Options, configure the deployment method:
  • Run App: Runs a macOS app bundle (.app).
  • Execute File: If the upload is a compressed file, set "File Path" to the file to execute, configure "Execution Options," and specify the "Execution Account" under which the file runs. Set "Reboot Option" to specify whether to reboot after executing the file.
  • Download: Specify the file name and folder path to which the deployment file is copied.
  • Install Package: Installs a macOS package file (.pkg).
  • Open File: Opens the uploaded file.
  • Run Script: Runs the uploaded script file.
  17. Click the Edit button.
  18. From the left policy menu, navigate to Node Policy, then click the target Policy ID.
  19. Find Agent Action Settings and click the Assign button.
  20. In the Available section, locate File Deployment and drag it to the Selected section.
  21. Click the Edit button, then click Update.

Note

For Sigstore Keyless Signing, the following domains must be reachable for digital signing and signature verification.
Source: Policy Server, Agent. Service port: TCP/443.

  • rekor.sigstore.dev: Ledger Record System
  • oauth2.sigstore.dev: Sigstore OAuth Flow Provider
  • accounts.google.com: OIDC Provider (for other OIDC providers, use the respective provider's domain)
  • fulcio.sigstore.dev: Sigstore CA Server
  • tuf-repo-cdn.sigstore.dev: SLSA Verification

Public Key Signing Method

Sigstore cosign also provides a digital signature method based on a self-managed key.
With Public Key Signing, you either create a new key for digital signing or use an existing key.

How to use Public Key Signing

Step 1. Digital Signature of Deployment File

  1. Perform steps 1 to 4 of Step 1 of the Sigstore Keyless Signing Method, then proceed with the following.
  2. If you do not have a separate digital signing key, generate a private key and public key for digital signing with the following command, entering and confirming a passphrase when prompted:
> cosign generate-key-pair
Enter passphrase for key
Confirm passphrase for key
  3. Run ls to verify that the private key (cosign.key) and public key (cosign.pub) files have been created.
  4. Sign the deployment file with the generated key as follows:
> cosign sign-blob {FILE_NAME} --key cosign.key --tlog-upload=false --output-signature {SIG_FILE_NAME.sig}
Example> cosign sign-blob agent.zip --key cosign.key --tlog-upload=false --output-signature agent.sig

Step 2. Verifying Digital Signature

  1. Enter the following command in the terminal:
> cosign verify-blob {FILE_NAME} --key {PUB_FILE_NAME.pub} --signature {SIG_FILE_NAME.sig} --insecure-ignore-tlog=true --insecure-ignore-sct=true
Example> cosign verify-blob agent.zip --key cosign.pub --signature agent.sig --insecure-ignore-tlog=true --insecure-ignore-sct=true
  2. If the digital signature is valid, Verified OK is displayed.
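Because the signature was created with --tlog-upload=false and is verified with --insecure-ignore-tlog and --insecure-ignore-sct, nothing outside the .pub file and the .sig file takes part in the check: the public key registered on the policy server as Trusted Public Key is the whole trust anchor, and whoever holds the matching private key is, to the agent, the deployer. The Go program below is an added example written for this page, not code from Genians or from the cosign project, that performs that key-only check. It assumes cosign.pub is a PKIX "PUBLIC KEY" PEM and that the .sig file holds a base64 ASN.1 DER ECDSA signature over the SHA-256 of the file; the passphrase-encrypted cosign.key wrapper is not modelled, and the sample file contents are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// generateKeyPair stands in for cosign generate-key-pair: it returns the
// private key and a cosign.pub-style PEM (PKIX "PUBLIC KEY"). The real tool
// also writes cosign.key encrypted with the passphrase; that is not modelled.
func generateKeyPair() (*ecdsa.PrivateKey, []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// signBlob mirrors cosign sign-blob --key (an assumption about its format):
// SHA-256 digest, ASN.1 DER ECDSA signature, base64 text in the .sig file.
func signBlob(priv *ecdsa.PrivateKey, blob []byte) string {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}

// VerifyKeyBlob is the check that remains once the transparency log and SCT
// are skipped: parse the registered Trusted Public Key, decode the .sig file,
// and verify the signature over SHA-256 of the file. Any malformed input is
// treated as a failed verification rather than an error to interpret.
func VerifyKeyBlob(pubPEM []byte, sigB64 string, blob []byte) bool {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], der)
}

func main() {
	blob := []byte("constructed agent.zip contents") // constructed sample file
	deployerPriv, deployerPub := generateKeyPair()   // the pair whose .pub is registered
	otherPriv, _ := generateKeyPair()                // a signer the policy server never approved
	fmt.Println("registered deployer:", VerifyKeyBlob(deployerPub, signBlob(deployerPriv, blob), blob))
	fmt.Println("unregistered signer:", VerifyKeyBlob(deployerPub, signBlob(otherPriv, blob), blob))
	fmt.Println("tampered file:", VerifyKeyBlob(deployerPub, signBlob(deployerPriv, blob), []byte("tampered")))
}
```

A file signed with any key other than the registered one fails in exactly the same way as a tampered file, which is the property that makes the private key the deployer's identity and is why losing it means the registered deployer can no longer sign updates for that node action.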

Step 3. Creating Node Actions

  1. Perform steps 1 to 10 of Step 3 of the Sigstore Keyless Signing Method, then proceed with the following.
  2. Select Public Key Signing for Deployment File Verification Method.
  3. Click the Read File button on the right side of Trusted Public Key to add the .pub file generated during key creation.
  4. Click the Read File button on the right side of Signature to add the .sig file generated during digital signing.
  5. Perform steps 16 to 21 of Step 3 of the Sigstore Keyless Signing Method.

Danger

The deployment method and deployer configured when a node action is first created cannot be changed later, so the private key used when the node action was created must be stored safely so that it is not lost.
Registered deployer information can be found in the Web Console under Preferences > General > Agent > Deploy options.