Add detail on code repository commit signing and OIDC federated authN (#274)

patrickmoore-nc · web-flow · commit ace3d126332d · 2022-09-28T08:12:04.000+01:00
* Add reasons for signing commits, and setup guide

* Create commit-signing.md

* Update security-repository.md

* Update security-repository.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update README.md

* Update README.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update security-repository.md

* Update security-repository.md

* Update commit-signing.md

* Update README.md

* Update README.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Markdown compliance updates

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Update commit-signing.md

* Markdown validation tweaks

* Markdown validation tweaks
diff --git a/practices/guides/commit-signing.md b/practices/guides/commit-signing.md
@@ -0,0 +1,185 @@
+# Git Commit Signing Setup Guide
+
+- [From Workstations](#from-workstations):
+  - [macOS](#macos)
+  - [Windows](#windows)
+- [From Pipelines](#from-pipelines):
+  - [GitHub Actions](#github-actions)
+  - [AWS CodePipeline](#aws-codepipeline)
+- [Troubleshooting](#troubleshooting)
+
+<br>
+
+## From Workstations
+
+### macOS
+
+- Install the [Brew package manager](https://brew.sh)
+
+```bash
+brew upgrade
+brew install gnupg pinentry-mac
+gpg --full-generate-key
+```
+
+- Accept the defaults, Curve 25519 etc.
+- Enter your GitHub account name as the Real Name
+- Enter your GitHub account email as the Email Address
+- You can use the privacy *@users.noreply.github.com* email address listed in the GitHub profile: *Settings > Email*
+- Define a passphrase for the key and keep it in your password manager
+
+```bash
+gpg --armor --export ${my_email_address} | pbcopy
+```
+
+- Public key is now in your clipboard - in your GitHub account add it to your profile via *Settings > SSH and GPG Keys> Add New GPG Key*
+- Paste it in
+
+```bash
+git config --global user.email ${my_email_address} # same one used during key generation
+git config --global user.name ${my_username}
+git config --global commit.gpgsign true
+echo export GPG_TTY=\$\(tty\) >> ~/.zshrc
+source ~/.zshrc
+echo "pinentry-program /opt/homebrew/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
+gpgconf --kill gpg-agent
+```
+
+The first time you commit you will be prompted to add the GPG key passphrase to the macOS Keychain. Thereafter signing will happen seamlessly without prompts.
+
+Most of the published solutions for this don't work because *brew* seems to have moved the default folder for binaries, plus many guides contain obsolete settings for *gpg-agent*.
+
+<br>
+
+### Windows
+
+- Install [Git for Windows](https://git-scm.com/download/win), which includes Bash and GnuPG
+- Right-click on the Desktop > *Git Bash Here*
+
+```bash
+gpg --full-generate-key
+```
+
+- Pick *RSA and RSA*, or *RSA (sign only)* - there is no elliptic curve cryptography (ECC) support at the time of writing
+- Set key size to 4096 bit, the minimum accepted for GitHub
+- Enter your GitHub account name as the Real Name
+- Enter your GitHub account email as the Email Address
+- You can use the privacy *@users.noreply.github.com* email address listed in the GitHub profile: *Settings > Email*
+- Define a passphrase for the key and keep it in your password manager
+
+```bash
+gpg --armor --export ${my_email_address} | clip
+```
+
+- Public key is now in your clipboard - in your GitHub account add it to your profile via *Settings > SSH and GPG Keys> Add New GPG Key*
+- Paste it in
+
+```bash
+git config --global user.email ${my_email_address} # same one used during key generation
+git config --global user.name ${my_username}
+git config --global commit.gpgsign true
+```
+
+When you commit you will be prompted to enter the GPG key passphrase into a Pinentry window.
+
+<br>
+
+## From Pipelines
+
+### GitHub Actions
+
+A GitHub Actions workflow will by default authenticate using a [GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) which is generated automatically.
+
+However, at the time of writing, to sign commits the workflow will need to use a dedicated GitHub identity (in which to register the GPG public key).
+
+The workflow would then use a Personal Access Token, stored with the GPG private key in the repo secrets, like so:
+
+```yaml
+steps:
+  - name: Checkout
+    uses: actions/checkout@v3
+    with:
+      token: ${{ secrets.BOT_PAT }}
+      ref: main
+```
+
+Example run action script excerpt:
+
+```bash
+# Configure GPG Key for signing GitHub commits
+if [ -n "${{ secrets.BOT_GPG_KEY }}" ]; then
+  echo "GPG secret key found in repo secrets, enabling GitHub commmit signing"
+  GITHUB_SIGNING_OPTION="-S"
+  echo "${BOT_GPG_KEY}" | gpg --import
+  # Highlight any expiry date
+  gpg --list-secret-keys
+fi
+git add .
+git config --global user.name "${GITHUB_USER_NAME}"
+git config --global user.email "${GITHUB_USER_EMAIL}"
+git commit ${GITHUB_SIGNING_OPTION} -am "Automated commit from GitHub Actions: ${WORKFLOW_URL}"
+git push
+```
+
+<br>
+
+### AWS CodePipeline
+
+The cryptographic libraries in the default Amazon Linux 2 distro are very old, and do not support elliptic curve cryptography. When using pre-existing solution elements updating the build container is not always an option. This restricts the GPG key algorithm to RSA. You should use RSA-4096, which is the required minimum for GitHub.
+
+Furthermore, the Systems Manager Parameter Store will not accept a key that is generated for both signing and encrypting (which will contain a second key for the encryption). It will be too large to be pasted in as a valid parameter. So when generating the GPG key you must select type RSA (sign only) if you intend to use Parameter Store rather than AWS Secrets Manager.
+
+Example AWS CodeBuild Buildspec excerpt:
+
+```bash
+# Create SSH identity for connecting to GitHub 
+BOT_SSH_KEY=$(aws ssm get-parameter --name "/keys/ssh-key" --query "Parameter.Value" --output text --with-decryption 2> /dev/null || echo "None")
+if [[ ${BOT_SSH_KEY} != "None" ]]; then
+  mkdir -p ~/.ssh
+  echo "Host *" >> ~/.ssh/config
+  echo "StrictHostKeyChecking yes" >> ~/.ssh/config
+  echo "UserKnownHostsFile=~/.ssh/known_hosts" >> ~/.ssh/config
+  echo "${BOT_SSH_KEY}" > ~/.ssh/ssh_key
+  echo -e "\n\n" >>  ~/.ssh/ssh_key
+  chmod 600 ~/.ssh/ssh_key
+  eval "$(ssh-agent -s)"
+  ssh-add ~/.ssh/ssh_key
+fi
+
+gpg --version
+echo
+BOT_GPG_KEY=$(aws ssm get-parameter --name "/keys/gpg-key" --query "Parameter.Value" --output text --with-decryption 2> /dev/null || echo "None")
+if [ "${BOT_GPG_KEY}" != "None" ]; then
+  echo "Encrypted GPG secret key found in the Parameter Store, enabling GitHub commmit signing" 
+  GITHUB_SIGNING_OPTION="-S"
+  echo "${BOT_GPG_KEY}" | gpg --import
+  # Highlight any expiry date
+  gpg --list-secret-keys
+  gpg-agent --daemon
+  echo
+fi
+
+# GitHub publishes its public key fingerprints here:
+# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+# The known_hosts entry below was obtained by validating the fingerprint on a separate computer
+echo "github.com ssh-ed25519 ${GITHUB_FINGERPRINT}" >> ~/.ssh/known_hosts
+
+git config --global advice.detachedHead false
+git config --global user.name "${GITHUB_USER_NAME}"
+git config --global user.email "${GITHUB_USER_EMAIL}" # same one used during key generation
+git clone git@github.com:${GITHUB_ORG_NAME}/${GITHUB_REPO_NAME}.git
+
+# Make git repository source code changes here
+
+git add .
+git commit ${GITHUB_SIGNING_OPTION} -am "Automated commit from ${SCRIPT_URL}"
+git push
+```
+
+<br>
+
+## Troubleshooting
+
+Re-run your git command prefixed with GIT_TRACE=1
+
+A failure to sign a commit is usually because the name or email does not quite match those which were used to generate the GPG key, so git cannot auto-select a key. Ensure that these are indeed consistent. You are able to [force a choice of signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key), though this should not be necessary.
diff --git a/practices/security-repository.md b/practices/security-repository.md
@@ -53,6 +53,6 @@ Depending on your use case, you may want to create additional teams (e.g. a read
 ### Branch protection
 
 - Require <!-- markdown-link-check-disable -->[pull request code reviews](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-pull-request-reviews-before-merging)<!-- markdown-link-check-enable -->, by at least one code owner, to merge a branch.
-- Require <!-- markdown-link-check-disable -->[signed commits](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits)<!-- markdown-link-check-enable -->, and, accordingly, check that commits are verified before merging.
+- Require <!-- markdown-link-check-disable -->[signed commits](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits)<!-- markdown-link-check-enable -->, and, accordingly, check that commits are verified before merging. Git treats authentication and identity separately - any authenticated user can impersonate another developer when committing code. This means that even if a junior account is compromised it could have significant consequences, for example impersonating the lead developer in the hope of an easy merge. Only by requiring signing can identity truly be verified. [Setup Guides](guides/commit-signing.md) for macOS, Windows, GitHub Actions, and AWS CodePipeline.
 - Invalidate existing reviews when new commits are pushed (`fresh-commits-invalidate-existing-reviews` option).
 - Require adequate automated status checks prior to merging. This should always include checking that branches are up to date.
diff --git a/tools/nhsd-git-secrets/README.md b/tools/nhsd-git-secrets/README.md
@@ -1,17 +1,52 @@
 # Git-Secrets examples
+
 This folder comprises examples for implementing AWSLabs Git-Secrets, which is our default implementation for [secrets scanning](../../quality-checks.md). As with any default, we expect teams to resolve any caveats as they best see fit, and of course to contribute to these examples.
 
-# Why secrets scanning
+## Why secrets scanning
+
 Although we might be re-stating the obvious here, there's two main goals to consistent secrets scanning:
+
 1. Remove any secrets that may have been checked into the codebase in the past.
 2. Prevent any new secrets from making it into the codebase.
 
 Essentially, we want to avoid the NHS facing [potentially dire consequences](https://www.zdnet.com/article/data-of-243-million-brazilians-exposed-online-via-website-source-code/) due to exposure of secrets.
 
-# How to get started
+## How to get started
+
 If your team isn't doing secrets scanning at all yet, the fundamental first step is to understand the current state of the art. Use the [Macbook](README-mac-workstation.md) or Windows (coming soon...) guides to set up and run Git-Secrets for a nominated team member. Run the tooling, and ascertain whether there's any immediate actions to be taken.
 
-# Getting to green
+## Getting to green
+
 Once you've verified there's no urgent actions on your code, the next steps towards getting to green are:
+
 1. Ensure every team member is doing local scans. Stopping secrets before code has been committed is cheap, removing them from git history is expensive.
 2. Run these same scripts as part of your deployment pipelines as a second line of defence.
+
+## Consider using OIDC instead of secrets
+
+OpenID Connect allows federated authentication from pipeline workflows to AWS and Azure without storing credentials in repository secrets at all, so no expiry to manage. GitHub documentation for achieving this for:
+
+- [AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+- [Azure](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)
+- [Google](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform)
+
+Configuration for OIDC is light. See the below example GitHub Actions workflow excerpt which connects to both AWS and Azure:
+
+```yaml
+steps:
+  - name: Checkout
+    uses: actions/checkout@v3
+
+  - name: Configure AWS STS credentials via OIDC
+    uses: aws-actions/configure-aws-credentials@v1
+    with:
+      role-to-assume: ${{ secrets.AWS_ROLE_ID }}
+      aws-region: eu-west-2
+
+  - name: Configure Azure identity token via OIDC
+    uses: azure/login@v1
+    with:
+      client-id: ${{ secrets.AZ_CLIENT_ID }}
+      tenant-id: ${{ secrets.AZ_TENANT_ID }}
+      allow-no-subscriptions: true
+ ```
