@directionless
Last active May 19, 2022 07:47
osquery manual release notes

Manual osquery release process

These are some notes about the manual osquery release process (circa 2019-12)

While our goal is to replace this with CI/CD, this is what exists today.

References:

Process

1. Make release issue, and go through it

Use the template to make a release ticket

Then, go through its steps.

2. Builds

Refer also to https://osquery.readthedocs.io/en/latest/development/building/

Our current intent is to have reproducible builds. So ideally, build twice, and verify. (Update: we're not actually reproducible.)

Platforms:

  • macs -- see [mac.sh]
  • linux -- see [linux.sh]
  • windows -- see [windows.md]

3. Signing

Apple signing has been a manual process done by Teddy. Windows signing has been done by Nick.

seph has been doing notarization once the packages are uploaded.

4. Upload

5. Website as beta

Use the json generator to build the website schema and make a PR.

This used to be https://github.com/osquery/osquery/blob/4.1.0/tools/release/new_release.sh but has moved into the osquery-site repo osquery/osquery-site#160

6. Testing

People should test stuff.

Test the website links and SHAs, but also the release itself. This is generally pretty manual.
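As an added example (not code from the gist, and not osquery's own tooling), here is a small shell script that turns two of the manual checks above into pass/fail functions: the reproducible-build comparison from step 2 (the gist's `tar ... --to-stdout | md5sum` on the shipped osqueryd, generalized to sha256 and a direct comparison of two builds) and the website SHA check from step 6 (every artifact checked against a published `<sha256>  <filename>` manifest). The tarball names, the manifest format, the fake osqueryd payload and the stale/missing manifest entries are constructed stand-ins; the `usr/local/bin/osqueryd` member path is the one the gist extracts.

```shell
#!/bin/sh
# Added example, not part of the gist or of osquery's tooling.
# Turns two of the manual release checks into pass/fail functions:
#   binary_digest   - sha256 of the osqueryd shipped inside a .linux_x86_64.tar.gz
#   builds_match    - reproducibility check: do two builds ship the same osqueryd?
#   verify_manifest - check every file listed in a SHA256SUMS-style manifest
# File names, the manifest format and the tarball contents below are constructed.
set -eu

# sha256 of stdin; falls back to shasum where coreutils is absent (e.g. macOS).
digest_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Digest of the osqueryd binary inside a release tarball (same member path the gist uses).
binary_digest() {
    tar -xOf "$1" usr/local/bin/osqueryd | digest_stdin
}

# Two independent builds count as reproducible only if the shipped binary is byte-identical.
builds_match() {
    [ "$(binary_digest "$1")" = "$(binary_digest "$2")" ]
}

# Check "<sha256>  <filename>" lines against the files in a directory.
# Prints one status line per entry; returns 0 only if everything is present and matches.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r want name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(digest_stdin < "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# --- Constructed sample data: stand-in tarballs with a fake osqueryd payload ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_tarball() {  # $1 = output path, $2 = fake binary contents
    rm -rf "$WORK/root"; mkdir -p "$WORK/root/usr/local/bin"
    printf '%s' "$2" > "$WORK/root/usr/local/bin/osqueryd"
    tar -czf "$1" -C "$WORK/root" usr
}
make_tarball "$WORK/osquery-4.1.2_build1.linux_x86_64.tar.gz" 'fake osqueryd A'
make_tarball "$WORK/osquery-4.1.2_build2.linux_x86_64.tar.gz" 'fake osqueryd A'
make_tarball "$WORK/osquery-4.1.2_other.linux_x86_64.tar.gz"  'fake osqueryd B'

# A correct manifest, and one with a stale digest for the last tarball plus a file that was never uploaded.
( cd "$WORK" && for f in *.tar.gz; do printf '%s  %s\n' "$(digest_stdin < "$f")" "$f"; done ) > "$WORK/SHA256SUMS.good"
{ head -n 2 "$WORK/SHA256SUMS.good"
  printf '%s  %s\n' "$(printf 'stale' | digest_stdin)" osquery-4.1.2_other.linux_x86_64.tar.gz
  printf '%s  %s\n' "$(printf 'gone' | digest_stdin)"  osquery-4.1.2.rpm
} > "$WORK/SHA256SUMS.bad"

# Stand-alone run: report both checks.
if builds_match "$WORK/osquery-4.1.2_build1.linux_x86_64.tar.gz" "$WORK/osquery-4.1.2_build2.linux_x86_64.tar.gz"; then
    echo "build1 vs build2: reproducible"
fi
if ! builds_match "$WORK/osquery-4.1.2_build1.linux_x86_64.tar.gz" "$WORK/osquery-4.1.2_other.linux_x86_64.tar.gz"; then
    echo "build1 vs other:  differ"
fi
verify_manifest "$WORK/SHA256SUMS.good" "$WORK" || echo "good manifest failed?!"
verify_manifest "$WORK/SHA256SUMS.bad" "$WORK"  || echo "bad manifest rejected, as expected"
```

`builds_match` digests only the extracted osqueryd, not the whole tarball, so differing archive timestamps do not mask a genuinely identical binary; `verify_manifest` keeps going after the first failure so one run lists every bad or missing artifact.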

7. Mark as stable

  • toggle the website's stable version here
  • Uncheck the "pre-release" part of the github release page
  • upload to package repos
linux.sh

#!/bin/bash
# Docker does not have great performance for this build. Instead, we
# recommend spinning up a reasonable VM. ubuntu 18.04
#
# Assume:
# osquery is cloned to /build/usr/src/debug/osquery
# osquery-toolchain is cloned to /usr/local/osquery-toolchain
# Create VM
gcloud --project kolide-private-containers \
compute instances create osquery-builder \
--zone us-east1-d \
--image-project ubuntu-os-cloud --image-family ubuntu-1804-lts \
--machine-type n1-standard-8
gcloud --project kolide-private-containers \
compute ssh osquery-builder
# Run build as below
mkdir -p /tmp/osquery-builds
gcloud --project kolide-private-containers \
compute scp osquery-builder:osquery-builds/\* /tmp/osquery-builds/
gcloud --project kolide-private-containers \
compute instances delete osquery-builder
# Build on VM
set -e
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo apt-get install -y --no-install-recommends \
git python3 bison flex make \
curl wget xz-utils rpm file elfutils
cd /tmp
wget https://github.com/osquery/osquery-toolchain/releases/download/1.0.0/osquery-toolchain-1.0.0.tar.xz
sudo tar xf osquery-toolchain-1.0.0.tar.xz -C /usr/local
cd /tmp/
wget https://github.com/Kitware/CMake/releases/download/v3.14.6/cmake-3.14.6-Linux-x86_64.tar.gz
sudo tar xf cmake-3.14.6-Linux-x86_64.tar.gz -C /usr/local --strip 1
sudo mkdir -p /build/usr/src/debug/
sudo chown $USER /build/usr/src/debug/
cd /build/usr/src/debug/
git clone https://github.com/osquery/osquery.git
mkdir -p /build/usr/src/debug/osquery/build
cd /build/usr/src/debug/osquery/build
mkdir -p ~/osquery-builds
# The packaging build looks for objdump in the system path, instead use the toolchain.
# This needs patching in the cmake files
export PATH=$PATH:/usr/local/osquery-toolchain/usr/bin/
# make rpms
cmake -DOSQUERY_BUILD_TESTS=OFF -DOSQUERY_TOOLCHAIN_SYSROOT=/usr/local/osquery-toolchain -DPACKAGING_SYSTEM=RPM ..
make -j15 package
mv osquery-debuginfo*rpm $(basename osquery-debuginfo*rpm .x86_64.rpm).linux.x86_64.rpm
du -sh *rpm # osquery should be 10meg, debug 30meg
mv *rpm ~/osquery-builds
# make debs
cmake -DOSQUERY_BUILD_TESTS=OFF -DOSQUERY_TOOLCHAIN_SYSROOT=/usr/local/osquery-toolchain -DPACKAGING_SYSTEM=DEB ..
make -j15 package
ls *deb
mv *amd64-dbgsym.ddeb $(echo *.amd64-dbgsym.ddeb | sed -e 's/osquery_/osquery-dbgsym_/; s/-dbgsym.ddeb/.deb/')
du -sh *deb
mv *deb ~/osquery-builds
# make linux
cmake -DOSQUERY_BUILD_TESTS=OFF -DOSQUERY_TOOLCHAIN_SYSROOT=/usr/local/osquery-toolchain -DPACKAGING_SYSTEM=TGZ ..
make -j15 package
ls *.tar.gz
mv *tar.gz ~/osquery-builds
# Look at checksums
cd ~/osquery-builds
tar xf osquery-*.linux_x86_64.tar.gz usr/local/bin/osqueryd --to-stdout | md5sum
mac.sh

#!/bin/bash
set -e
mkdir -p build
cd build
cmake -DCMAKE_OSX_DEPLOYMENT_TARGET=10.11 ..
make -j15 package
ls osquery-4.1.2.pkg
# look at checksums
tar xf osquery-4.1.2.pkg --to-stdout Payload \
| tar xf - --to-stdout ./usr/local/bin/osqueryd \
| md5

windows.md

Building the signed osquery.msi package:

  • First build the binaries, obvi.
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake -DOSQUERY_BUILD_TESTS=ON -G "Visual Studio 16 2019" -A x64 -T v141 ..\..\
-- Selecting Windows SDK version 10.0.18362.0 to target Windows 10.0.19041.
-- osquery version: 4.4.0
-- Build type:
-- Shared libraries: OFF
-- Importing: source/boost
-- Importing: source/bzip2
-- Importing: source/gflags
...

PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 

...


PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 --target run_tests

...
  • Next up, for the MSI, I believe we can sign the binaries right now:
# "Dot source" the `osquery_utils.ps1` script:
PS C:\Users\Nicholas\work\repos\osquery> . .\tools\deployment\chocolatey\tools\osquery_utils.ps1

# I use a helper function for setting the authenticode signature:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> function Set-AuthenticodeSignature() {
  param(
    [string] $binpath = '',
    [string] $certpath = '',
    [string] $certpw = ''
  )

  if (-not (Get-Command 'signtool.exe' -ErrorAction SilentlyContinue)) {
    Write-Host '[-] signtool.exe was not found in system path' -ForegroundColor Red
    exit
  }
  $signtool = (Get-Command 'signtool.exe').Source

  $signtool_args = @(
    'sign',
    "/f $certpath",
    "/p `"$certpw`"",
    '/tr http://timestamp.digicert.com',
    '/td sha256',
    '/fd sha256',
    "$binpath"
  )

  $null = Start-OsqueryProcess $signtool $signtool_args $false
}

# Now you can actually sign the binaries. I have my certs on a bitlocker encrypted thumb drive:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryd.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryi.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'

# Next, build the MSI and sign it:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 --target package
Microsoft (R) Build Engine version 16.3.2+e481bbf88 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

  Generating ../../test_configs/aws
  Generating ../test_configs/specs/darwin
  Generating .
  Generating ../../test_configs/test.config.d

...

PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery-4.4.0.msi' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'

# That's it, distribute the signed MSI
# You can check your work by verifying that the MSI has a digital signature
# and further that after you install from said MSI, both the osqueryd.exe and osqueryi.exe
# binaries have digital signatures. I like to do this process both from an upgrade
# and clean install stand point.

Building and signing the osquery Chocolatey packages:

  • Run the cmake generation with the nupkg build target, and build the binaries:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake -DPACKAGING_SYSTEM=NuGet -DOSQUERY_BUILD_TESTS=ON -G "Visual Studio 16 2019" -A x64 -T v141 ..\..\
...

PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24

...

  • Similar to the MSI, sign the osqueryi and osqueryd binaries, and then produce the chocolatey package with the package target of cmake:
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryd.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'
PS C:\Users\Nicholas\work\repos\osquery\build\windows10> Set-AuthenticodeSignature 'C:\Users\Nicholas\work\repos\osquery\build\windows10\osquery\Release\osqueryi.exe' F:\Path\To\signing_cert.p12 '<CODE SIGNING CERT PW>'

...

PS C:\Users\Nicholas\work\repos\osquery\build\windows10> cmake --build . --config Release -j24 --target package 
...
 CPack: - package: C:/Users/Nicholas/work/repos/osquery/build/windows10/osquery.4.4.0.nupkg generated.

  • Lastly, verify the install by installing the choco package. Again I like to verify both the clean install and upgrade workflows:
PS C:\Users\Nicholas\Desktop\osquery-release-bins\osquery-4.4.0> choco install -yf --version 4.4.0 osquery -s . --params='/InstallService'
Chocolatey v0.10.15
Installing the following packages:
osquery
By installing you accept licenses for the packages.

osquery v4.4.0 (forced)
osquery package files install completed. Performing other installation steps.
C:\Program Files\osquery\log
True
osqueryd
PATH environment variable does not have C:\Program Files\osquery in it. Adding...
Environment Vars (like PATH) have changed. Close/reopen your shell to
 see the changes (or in powershell/cmd.exe just type `refreshenv`).
 ShimGen has successfully created a shim for osqueryi.exe
 ShimGen has successfully created a shim for osqueryd.exe
 The install of osquery was successful.
  Software install location not explicitly set, could be in package or
  default install location if installer.

Chocolatey installed 1/1 packages.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
  • This should install osquery as a system service; both the osqueryi and osqueryd binaries should carry the digital signature, and the service should be running:
PS C:\Users\Nicholas\Desktop\osquery-release-bins\osquery-4.4.0> Get-service osqueryd
Status   Name               DisplayName
------   ----               -----------
Running  osqueryd           osqueryd