huanld
2fb067ecbf
checklocks / checklocks (push) Has been cancelled
CodeQL / Analyze (go) (push) Has been cancelled
natlab-integrationtest / natlab-integrationtest (push) Has been cancelled
CI / gomod-cache (push) Has been cancelled
CI / race-root-integration (1/4) (push) Has been cancelled
CI / race-root-integration (2/4) (push) Has been cancelled
CI / race-root-integration (3/4) (push) Has been cancelled
CI / race-root-integration (4/4) (push) Has been cancelled
CI / test (-race, amd64, 1/3) (push) Has been cancelled
CI / test (-race, amd64, 2/3) (push) Has been cancelled
CI / test (-race, amd64, 3/3) (push) Has been cancelled
CI / test (386) (push) Has been cancelled
CI / test (amd64) (push) Has been cancelled
CI / Windows (benchmarks) (push) Has been cancelled
CI / Windows (1/2) (push) Has been cancelled
CI / Windows (2/2) (push) Has been cancelled
CI / macos (push) Has been cancelled
CI / privileged (push) Has been cancelled
CI / vm (push) Has been cancelled
CI / cross (386, linux) (push) Has been cancelled
CI / cross (amd64, darwin) (push) Has been cancelled
CI / cross (amd64, freebsd) (push) Has been cancelled
CI / cross (amd64, openbsd) (push) Has been cancelled
CI / cross (amd64, windows) (push) Has been cancelled
CI / cross (arm, 5, linux) (push) Has been cancelled
CI / cross (arm, 7, linux) (push) Has been cancelled
CI / cross (arm64, darwin) (push) Has been cancelled
CI / cross (arm64, linux) (push) Has been cancelled
CI / cross (arm64, windows) (push) Has been cancelled
CI / cross (loong64, linux) (push) Has been cancelled
CI / ios (push) Has been cancelled
CI / crossmin (amd64, illumos) (push) Has been cancelled
CI / crossmin (amd64, plan9) (push) Has been cancelled
CI / crossmin (amd64, solaris) (push) Has been cancelled
CI / crossmin (ppc64, aix) (push) Has been cancelled
CI / android (push) Has been cancelled
CI / wasm (push) Has been cancelled
CI / tailscale_go (push) Has been cancelled
CI / fuzz (push) Has been cancelled
CI / depaware (push) Has been cancelled
CI / go_generate (push) Has been cancelled
CI / make_tidy (push) Has been cancelled
CI / licenses (push) Has been cancelled
CI / staticcheck (macOS) (push) Has been cancelled
CI / staticcheck (Linux) (push) Has been cancelled
CI / staticcheck (Windows) (push) Has been cancelled
CI / staticcheck (Portable (1/4)) (push) Has been cancelled
CI / staticcheck (Portable (2/4)) (push) Has been cancelled
CI / staticcheck (Portable (3/4)) (push) Has been cancelled
CI / staticcheck (Portable (4/4)) (push) Has been cancelled
CI / notify_slack (push) Has been cancelled
CI / merge_blocker (push) Has been cancelled
CI / check_mergeability_strict (push) Has been cancelled
CI / check_mergeability (push) Has been cancelled
Dockerfile build / deploy (push) Has been cancelled
test installer.sh / test (curl, alpine:3.21) (push) Has been cancelled
test installer.sh / test (curl, alpine:edge) (push) Has been cancelled
test installer.sh / test (curl, alpine:latest) (push) Has been cancelled
test installer.sh / test (curl, amazonlinux:latest) (push) Has been cancelled
test installer.sh / test (curl, archlinux:latest) (push) Has been cancelled
test installer.sh / test (curl, debian:oldstable-slim) (push) Has been cancelled
test installer.sh / test (curl, debian:sid-slim) (push) Has been cancelled
test installer.sh / test (curl, debian:stable-slim, 1.80.0) (push) Has been cancelled
test installer.sh / test (curl, debian:testing-slim) (push) Has been cancelled
test installer.sh / test (curl, elementary/docker:stable) (push) Has been cancelled
test installer.sh / test (curl, elementary/docker:unstable) (push) Has been cancelled
test installer.sh / test (curl, fedora:latest, 1.80.0) (push) Has been cancelled
test installer.sh / test (curl, kalilinux/kali-dev) (push) Has been cancelled
test installer.sh / test (curl, kalilinux/kali-rolling) (push) Has been cancelled
test installer.sh / test (curl, opensuse/leap:latest) (push) Has been cancelled
test installer.sh / test (curl, opensuse/tumbleweed:latest) (push) Has been cancelled
test installer.sh / test (curl, oraclelinux:8) (push) Has been cancelled
test installer.sh / test (curl, oraclelinux:9) (push) Has been cancelled
test installer.sh / test (curl, parrotsec/core:latest) (push) Has been cancelled
test installer.sh / test (curl, rockylinux:8.7) (push) Has been cancelled
test installer.sh / test (curl, rockylinux:9) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:20.04) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:22.04) (push) Has been cancelled
test installer.sh / test (curl, ubuntu:24.04, 1.80.0) (push) Has been cancelled
test installer.sh / test (wget, debian:oldstable-slim) (push) Has been cancelled
test installer.sh / test (wget, debian:sid-slim) (push) Has been cancelled
update-flake / update-flake (push) Has been cancelled
tailscale.com/cmd/vet / vet (push) Has been cancelled
test installer.sh / notify-slack (push) Has been cancelled
Client security fixes (cmd/tailscale-tray/main.go): - SSRF protection in Add Server dialog (validateControlURL): reject private/loopback/link-local/cloud-metadata IPs via DNS resolution - RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL) - Sanitized URL logging (sanitizeURLForLog drops query auth tokens) - Error handling on exec.Command with user-facing showError() Admin panel security (web-admin): - Bcrypt password hashing (replaces SHA256) - Rate limiting: 5 failed logins → 15-min lockout - Session + login attempt cleanup goroutine (hourly) - url.QueryEscape / encodeURIComponent for all API params - Fail-hard startup when no TLS and non-loopback bind - ADMIN_PASSWORD required (no default), password min 12 chars - Username regex whitelist Installer hardening (Setup.wxs): - util:PermissionEx restricts SCM access: only Administrators + SYSTEM can start/stop/reconfigure service. Authenticated Users limited to QueryStatus/QueryConfig/Interrogate - Vital="yes" on ServiceInstall Docs & roadmap: - PRODUCTION_ROADMAP.md: 5-milestone plan (security + features + distribution + ops) with granular tasks, effort, done-when - CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md - AI assistant rules (.cursorrules, .antigravityrules, etc.) Build & distribution: - build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1 - redeploy.ps1, tray-deploy.ps1, test-msi.ps1 - installer/msi/ alternative WXS setup - Restored .github/workflows/ removed in mirror cleanup .gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*
193 lines
9.2 KiB
PowerShell
193 lines
9.2 KiB
PowerShell
# sign-release.ps1
|
|
# Tạo self-signed code signing certificate và ký các file .exe release
|
|
# Cần chạy với quyền Administrator
|
|
|
|
param(
|
|
[string]$Subject = "CN=Tailscale-Custom, O=SoftsBusiness, C=VN",
|
|
[string]$PfxPath = "$PSScriptRoot\tailscale-custom-codesign.pfx",
|
|
[string]$CertPassword = "TailscaleCustomSign@2026",
|
|
[string[]]$FilesToSign = @(
|
|
"C:\Program Files\Tailscale-Custom\tailscaled.exe",
|
|
"C:\Program Files\Tailscale-Custom\tailscale.exe"
|
|
),
|
|
[string]$TimestampUrl = "http://timestamp.digicert.com",
|
|
[switch]$RenewCert
|
|
)
|
|
|
|
Set-StrictMode -Version Latest
|
|
$ErrorActionPreference = "Stop"
|
|
|
|
# Self-elevate nếu chưa chạy với quyền Administrator
|
|
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
|
|
[Security.Principal.WindowsBuiltInRole]::Administrator
|
|
)
|
|
if (-not $isAdmin) {
|
|
Write-Host "[..] Cần quyền Administrator, đang tự nâng quyền..." -ForegroundColor Yellow
|
|
$logFile = "$env:TEMP\sign-release-log.txt"
|
|
Remove-Item $logFile -ErrorAction SilentlyContinue
|
|
$argString = "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
|
|
Start-Process powershell -Verb RunAs -ArgumentList $argString -Wait
|
|
# Hiện log sau khi elevated process hoàn thành
|
|
Start-Sleep -Milliseconds 500
|
|
if (Test-Path $logFile) {
|
|
Get-Content $logFile
|
|
} else {
|
|
Write-Warning "UAC bị từ chối hoặc script lỗi — không có log"
|
|
}
|
|
exit
|
|
}
|
|
|
|
# Ghi transcript ngay khi chạy với quyền Admin
|
|
$transcriptFile = "$env:TEMP\sign-release-log.txt"
|
|
Start-Transcript -Path $transcriptFile -Force | Out-Null
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# 1. Tạo hoặc load certificate
|
|
# ─────────────────────────────────────────────────────────────
|
|
$securePass = ConvertTo-SecureString $CertPassword -AsPlainText -Force
|
|
|
|
# Kiểm tra cert đã có trong store chưa
|
|
$existingCert = Get-ChildItem Cert:\LocalMachine\My |
|
|
Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
|
|
Sort-Object NotAfter -Descending |
|
|
Select-Object -First 1
|
|
|
|
if ($existingCert -and -not $RenewCert) {
|
|
Write-Host "[OK] Dùng cert hiện có: $($existingCert.Thumbprint) (hết hạn $($existingCert.NotAfter.ToString('yyyy-MM-dd')))" -ForegroundColor Green
|
|
$cert = $existingCert
|
|
} else {
|
|
Write-Host "[..] Tạo self-signed code signing certificate..." -ForegroundColor Yellow
|
|
|
|
$cert = New-SelfSignedCertificate `
|
|
-Subject $Subject `
|
|
-Type CodeSigningCert `
|
|
-KeyUsage DigitalSignature `
|
|
-KeyAlgorithm RSA `
|
|
-KeyLength 4096 `
|
|
-HashAlgorithm SHA256 `
|
|
-NotAfter (Get-Date).AddYears(10) `
|
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
-FriendlyName "Tailscale-Custom Code Signing"
|
|
|
|
Write-Host "[OK] Cert tạo xong: $($cert.Thumbprint)" -ForegroundColor Green
|
|
Write-Host " Subject : $($cert.Subject)"
|
|
Write-Host " Hết hạn : $($cert.NotAfter.ToString('yyyy-MM-dd'))"
|
|
|
|
# Export PFX (chứa private key)
|
|
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $securePass | Out-Null
|
|
Write-Host "[OK] PFX đã lưu: $PfxPath" -ForegroundColor Green
|
|
}
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# 2. Tin tưởng cert (Trusted Root CA + Trusted Publishers)
|
|
# Cần thiết để Windows không báo "Unknown Publisher"
|
|
# ─────────────────────────────────────────────────────────────
|
|
function Add-CertToStore {
|
|
param(
|
|
[System.Security.Cryptography.X509Certificates.StoreName]$StoreName,
|
|
[System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation,
|
|
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
|
|
)
|
|
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
|
|
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
|
|
$existing = $store.Certificates | Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint }
|
|
if (-not $existing) {
|
|
$store.Add($Certificate)
|
|
Write-Host "[OK] Đã thêm cert vào store: $StoreName" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "[--] Cert đã có trong store: $StoreName" -ForegroundColor DarkGray
|
|
}
|
|
$store.Close()
|
|
}
|
|
|
|
Add-CertToStore -StoreName Root -StoreLocation LocalMachine -Certificate $cert
|
|
Add-CertToStore -StoreName TrustedPublisher -StoreLocation LocalMachine -Certificate $cert
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# 3. Ký từng file bằng Set-AuthenticodeSignature (built-in)
|
|
# ─────────────────────────────────────────────────────────────
|
|
Write-Host "`n[..] Bắt đầu ký file..." -ForegroundColor Yellow
|
|
$signed = 0
|
|
$skipped = 0
|
|
$failed = 0
|
|
|
|
foreach ($file in $FilesToSign) {
|
|
if (-not (Test-Path $file)) {
|
|
Write-Warning "Không tìm thấy file: $file (bỏ qua)"
|
|
$skipped++
|
|
continue
|
|
}
|
|
|
|
Write-Host " Đang ký: $file"
|
|
try {
|
|
# Thử ký với timestamp server trước
|
|
$result = Set-AuthenticodeSignature `
|
|
-FilePath $file `
|
|
-Certificate $cert `
|
|
-TimestampServer $TimestampUrl `
|
|
-HashAlgorithm SHA256 `
|
|
-ErrorAction Stop
|
|
|
|
if ($result.Status -eq "Valid") {
|
|
Write-Host " [OK] Ký thành công: $(Split-Path $file -Leaf)" -ForegroundColor Green
|
|
$signed++
|
|
} else {
|
|
# Fallback: ký không có timestamp
|
|
Write-Warning " Timestamp lỗi ($($result.StatusMessage)), thử lại không có timestamp..."
|
|
$result = Set-AuthenticodeSignature `
|
|
-FilePath $file `
|
|
-Certificate $cert `
|
|
-HashAlgorithm SHA256 `
|
|
-ErrorAction Stop
|
|
|
|
if ($result.Status -eq "Valid") {
|
|
Write-Host " [OK] Ký thành công (no timestamp): $(Split-Path $file -Leaf)" -ForegroundColor Yellow
|
|
$signed++
|
|
} else {
|
|
Write-Host " [FAIL] Ký thất bại: $(Split-Path $file -Leaf) — $($result.StatusMessage)" -ForegroundColor Red
|
|
$failed++
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host " [FAIL] Exception: $_" -ForegroundColor Red
|
|
$failed++
|
|
}
|
|
}
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# 4. Xác nhận chữ ký
|
|
# ─────────────────────────────────────────────────────────────
|
|
if ($signed -gt 0) {
|
|
Write-Host "`n[..] Xác nhận chữ ký..." -ForegroundColor Yellow
|
|
foreach ($file in $FilesToSign) {
|
|
if (-not (Test-Path $file)) { continue }
|
|
$sig = Get-AuthenticodeSignature -FilePath $file
|
|
$leaf = Split-Path $file -Leaf
|
|
if ($sig.Status -eq "Valid") {
|
|
Write-Host " [OK] Hợp lệ : $leaf" -ForegroundColor Green
|
|
} elseif ($sig.Status -in @("UnknownError", "HashMismatch", "NotSigned")) {
|
|
Write-Host " [~] Signed (self-signed): $leaf — $($sig.StatusMessage)" -ForegroundColor Yellow
|
|
} else {
|
|
Write-Warning " Trạng thái: $($sig.Status) — $leaf"
|
|
}
|
|
}
|
|
}
|
|
|
|
# ─────────────────────────────────────────────────────────────
|
|
# 5. Tóm tắt
|
|
# ─────────────────────────────────────────────────────────────
|
|
Write-Host "`n════════════════════════════════════════" -ForegroundColor Cyan
|
|
Write-Host " KẾT QUẢ KÝ FILE" -ForegroundColor Cyan
|
|
Write-Host "════════════════════════════════════════" -ForegroundColor Cyan
|
|
Write-Host " Ký thành công : $signed"
|
|
Write-Host " Bỏ qua : $skipped (file không tồn tại)"
|
|
Write-Host " Thất bại : $failed"
|
|
Write-Host " Thumbprint : $($cert.Thumbprint)"
|
|
Write-Host " PFX file : $PfxPath"
|
|
Write-Host "════════════════════════════════════════" -ForegroundColor Cyan
|
|
|
|
Stop-Transcript | Out-Null
|
|
|
|
if ($failed -gt 0) { exit 1 }
|
|
|