Signing plugins
Overview
Private/public key pairs and keyrings are generated with the GPG toolset. The plugin is signed with the private key, and the public key must be added to the user's keyring. The signature is an armored detached signature stored in a .asc file next to the binary.
A default SWISnap installation ships with all binaries signed and with a public keyring to verify them. If you don't use custom plugins, there is no need to generate additional GPG signatures.
Signing plugins with GnuPG
These instructions are for Linux systems, although they can be run on Windows as well.
- Install GnuPG (https://gnupg.org/download/index.html)
- Create a file named gpg-batch with the following content (the Passphrase line sets the passphrase you will enter when signing):
  %echo Generating a default key
  Key-Type: RSA
  Key-Length: 4096
  Subkey-Type: RSA
  Subkey-Length: 4096
  Name-Real: John Doe
  Name-Comment: Plugin signing key
  Name-Email: john.doe@solarwinds.com
  Expire-Date: 0
  Passphrase: swisnap
  %pubring swisnap.pubring
  %secring swisnap.secring
  %commit
  %echo done
- Generate the key in batch mode:
  gpg --batch --gen-key gpg-batch
- List the keys:
  gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --list-keys
  In the output, which looks like this:
  pub   rsa4096 2020-05-19 [SCEA]
        7D06EC3B1E270B98508D198375D15475C940CB4F
  uid           [ unknown] John Doe (Plugin signing key) <john.doe@solarwinds.com>
  sub   rsa4096 2020-05-19 [SEA]
  copy the key fingerprint: 7D06EC3B1E270B98508D198375D15475C940CB4F
- Make the key ultimately trusted, using the fingerprint you copied in the previous step (the fingerprint in the command below is an example; substitute your own). At the gpg> prompt answer 5, then y, then quit:
  gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --edit-key 789522F00692E4789E8908090242D094292BE4A2 trust
  ...
  Your decision? `5`
  Do you really want to set this key to ultimate trust? (y/N) `y`

  sec  rsa4096/0242D094292BE4A2
       created: 2020-05-19  expires: never       usage: SCEA
       trust: ultimate      validity: unknown
  ssb  rsa4096/1C4003110C70206F
       created: 2020-05-19  expires: never       usage: SEA
  [ unknown] (1). John Doe (Plugin signing key) <john.doe@solarwinds.com>
  Please note that the shown key validity is not necessarily correct
  unless you restart the program.

  gpg> `quit`
- Export the public key from the keyring (this armored file is what SWISnap will read):
  gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --export john.doe@solarwinds.com > pubkeys.gpg
- Sign the binary (e.g. snap-plugin-collector-example), entering the passphrase from gpg-batch (swisnap) when prompted. This writes the detached signature to snap-plugin-collector-example.asc:
  gpg --no-default-keyring --armor --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --output snap-plugin-collector-example.asc --detach-sig snap-plugin-collector-example
- (optional) Verify the signature against the keyring:
  gpg --no-default-keyring --secret-keyring ./swisnap.secring --keyring ./swisnap.pubring --verify snap-plugin-collector-example.asc snap-plugin-collector-example
Manually adding signed plugins to snap
- Copy the binary and its ".asc" file into the SWISnap bin folder, and add the path of "pubkeys.gpg" to the keyring_paths entry of the SWISnap configuration. Note the path separator: ":" on Linux, ";" on Windows.
  On Linux:
  control:
    plugin_trust_level: 1
    keyring_paths: "/opt/SolarWinds/Snap/bin/.gnupg/swisnap.gpg:/home/MyUser/pubkeys.gpg"
  On Windows:
  control:
    plugin_trust_level: 1
    keyring_paths: "C:/Program Files/SolarWinds/Snap/.gnupg/swisnap.gpg;C:/Users/MyUser/pubkeys.gpg"
- Restart swisnapd.
- Run the following command and verify that your plugin is listed as signed and running:
  swisnap plugin list
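The following script is an added example, not part of this page or of SWISnap: it runs the sign-and-verify flow above in a throwaway GNUPGHOME and shows the three outcomes a keyring-based check distinguishes: an intact plugin signed by a key in the keyring, the same plugin checked against a keyring that lacks the signer's key, and a plugin modified after signing. It assumes gpg 2.x is on the PATH; the key is 2048-bit with %no-protection (unlike the page's passphrase-protected 4096-bit key) so the demo needs no pinentry, and the keyrings are binary exports because gpg's --keyring reads those directly, whereas the page exports an armored pubkeys.gpg for SWISnap.

```shell
#!/bin/sh
# Added example (not SWISnap's own code): run the page's sign/verify flow in a
# throwaway GNUPGHOME and print what a verifier returns in each case.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
PLUGIN="$WORK/snap-plugin-collector-example"   # constructed stand-in for a plugin binary
KEYRING="$WORK/pubkeys.gpg"                    # export of the signing key
OTHER_KEYRING="$WORK/other-pubkeys.gpg"        # export of an unrelated key

# gen_key NAME EMAIL: same parameter layout as the page's gpg-batch, but 2048-bit
# and %no-protection so it runs without a pinentry prompt (demo assumption).
gen_key() {
    printf '%s\n' 'Key-Type: RSA' 'Key-Length: 2048' "Name-Real: $1" \
        "Name-Email: $2" 'Expire-Date: 0' '%no-protection' '%commit' |
        gpg --batch --quiet --gen-key 2>/dev/null
}

# sign_plugin FILE: write the armored detached signature FILE.asc, as on the page.
sign_plugin() {
    gpg --batch --quiet --yes --armor --output "$1.asc" --detach-sig "$1" 2>/dev/null
}

# verify_plugin FILE KEYRING: print GOOD when FILE.asc is a valid signature over
# FILE made by a key in KEYRING, BAD otherwise (file modified, or signer unknown).
verify_plugin() {
    if gpg --batch --quiet --no-default-keyring --keyring "$2" \
           --verify "$1.asc" "$1" >/dev/null 2>&1; then echo GOOD; else echo BAD; fi
}

demo() {
    gen_key 'Demo Signer' demo@example.invalid &&
    gen_key 'Other Vendor' other@example.invalid || { echo 'key generation failed'; return 1; }
    # Binary keyring exports (gpg --keyring reads these as-is).
    gpg --batch --export demo@example.invalid > "$KEYRING"
    gpg --batch --export other@example.invalid > "$OTHER_KEYRING"
    printf 'constructed plugin binary v1\n' > "$PLUGIN"
    sign_plugin "$PLUGIN"
    echo "intact, signer in keyring:     $(verify_plugin "$PLUGIN" "$KEYRING")"
    echo "intact, signer not in keyring: $(verify_plugin "$PLUGIN" "$OTHER_KEYRING")"
    printf 'appended after signing\n' >> "$PLUGIN"   # modified after signing
    echo "modified, signer in keyring:   $(verify_plugin "$PLUGIN" "$KEYRING")"
    gpgconf --kill gpg-agent 2>/dev/null || true
}
demo
```

Only the first case prints GOOD; a keyring entry in keyring_paths that lacks the signer's key, or any change to the binary after signing, makes the check fail.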
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.