externalsignjob - External Code Signing Job (#6977)

* Moving external call back into meshcentral * Debugging logging * Moved the external call to the callback function * Updated codesigning.md * Move callback invoke of callExternalSignJob outside of err check * change console.log to obj.debug for external sign job call logging * obj debug signing failed using obj.debug and console.error inside callExternalSignJob
2025-10-29 23:35:02 -04:00 · 2025-04-21 11:49:28 -05:00 · 2025-04-21 11:49:28 -05:00 · 5b974e8226
commit 5b974e8226
parent 11ae3775d3
2 changed files with 75 additions and 0 deletions
--- a/docs/docs/meshcentral/codesigning.md
+++ b/docs/docs/meshcentral/codesigning.md
@ -99,3 +99,50 @@ Now that MeshCentral customizes and signs the agent, you can set that value to a
      }
 }
 ```
+
+## External Signing Job
+
+The externalsignjob feature allows you to perform additional operations on the agent after MeshCentral completes its code signing process. This is particularly useful for:
+
+1. Using hardware security tokens for signing
+2. Performing signing on a separate server or cloud host
+3. Archiving signed agents
+4. Adding additional security measures
+
+The externalsignjob is called after MeshCentral completes its entire code signing process, including:
+- Resource modification
+- Digital signature application
+- Timestamp application (if configured)
+
+To use this feature, add the following to your config.json:
+
+```json
+"settings": {
+    "externalsignjob": "path/to/your/script.bat"
+}
+```
+
+The script will receive the path to the agent as its first argument. Here are example scripts:
+
+### Batch File Example
+```batch
+@echo off
+Echo External Signing Job
+signtool sign /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 /a /v /f path/to/your/signing.cer /csp "eToken Base Cryptographic Provider" /k "[{{MyPassword}}]=PrivateKeyContainerName" "%~1"
+```
+
+### PowerShell Example
+```powershell
+$file = $args[0]
+signtool sign /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 /a /v /f path/to/your/signing.cer /csp "eToken Base Cryptographic Provider" /k "[{{MyPassword}}]=PrivateKeyContainerName" $file
+```
+
+The externalsignjob can be used for more than just signing. For example, you could:
+
+1. Archive signed agents to a secure location
+2. Upload signed agents to a distribution server
+3. Perform additional security checks
+4. Add custom metadata or watermarks
+5. Integrate with your organization's build pipeline
+
+Note: The script must return a success exit code (0) for the process to be considered successful. Any non-zero exit code will be treated as a failure and will be logged.
--- a/meshcentral.js
+++ b/meshcentral.js
@ -3415,6 +3415,7 @@ function CreateMeshCentralServer(config, args) {
                            // Failed to sign agent
                            addServerWarning('Failed to sign \"' + agentSignedFunc.objx.meshAgentsArchitectureNumbers[agentSignedFunc.archid].localname + '\": ' + err, 22, [agentSignedFunc.objx.meshAgentsArchitectureNumbers[agentSignedFunc.archid].localname, err]);
                        }
+                        obj.callExternalSignJob(agentSignedFunc.signingArguments); // Call external signing job regardless of success or failure
                        if (--pendingOperations === 0) { agentSignedFunc.func(); }
                    }
                    pendingOperations++;
@ -3470,7 +3471,10 @@ function CreateMeshCentralServer(config, args) {
                    }

                    const signingArguments = { out: signeedagentpath, desc: signDesc, url: signUrl, time: timeStampUrl, proxy: timeStampProxy }; // Shallow clone
+                    signingArguments.resChanges = resChanges;
+
                    obj.debug('main', "Code signing with arguments: " + JSON.stringify(signingArguments));
+                    xagentSignedFunc.signingArguments = signingArguments; // Attach the signing arguments to the callback function
                    if (resChanges == false) {
                        // Sign the agent the simple way, without changing any resources.
                        originalAgent.sign(agentSignCertInfo, signingArguments, xagentSignedFunc);
@ -3479,16 +3483,40 @@ function CreateMeshCentralServer(config, args) {
                        // NOTE: This is experimental and could corupt the agent.
                        originalAgent.writeExecutable(signingArguments, agentSignCertInfo, xagentSignedFunc);
                    }
+
                } else {
                    // Signed agent is already ok, use it.
                    originalAgent.close();
                }
+
+                
            }
        }

        if (--pendingOperations === 0) { func(); }
    }

+    obj.callExternalSignJob = function (signingArguments) {
+        if (obj.config.settings && !obj.config.settings.externalsignjob) {
+            return;
+        }
+        obj.debug('main', "External signing job called for file: " + signingArguments.out);
+        
+        const { spawnSync } = require('child_process');
+
+        const signResult = spawnSync('"' + obj.config.settings.externalsignjob + '"', ['"' + signingArguments.out + '"'], {
+            encoding: 'utf-8',
+            shell: true,
+            stdio: 'inherit'
+        }); 
+
+        if (signResult.error || signResult.status !== 0) {
+            obj.debug('main', "External signing failed for file: " + signingArguments.out);
+            console.error("External signing failed for file: " + signingArguments.out);
+            return;
+        }
+    }
+
    // Update the list of available mesh agents
    obj.updateMeshAgentsTable = function (domain, func) {
        // Check if a custom agent signing certificate is available