Commit

Protect the ssh key with stronger encryption, similar to the authenticode certificate. (#12635)

Appveyor contains an ssh private key that allows it to log into an NV Access server to deploy snapshots / releases. The current ssh key in the repository, although encrypted with an appveyor secret variable, was not as strong as it could have been, and during decryption, in the appveyor build, openssl would warn about this.

This pr replaces the ssh key with a newly generated one, encrypted using a new appveyor secret variable, and the encryption of the key is also significantly stronger as it uses SHA256 instead of md5, a salt is now used, and a newer secret key derivation algorithm is now used, as recommended by openssl.
This ssh key is now encrypted just as strongly as the authenticode certificate also in this repository.
michaelDCurran authored Jul 12, 2021
1 parent b8b88b0 commit 257905c
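
The two key derivations the commit message contrasts (`-md md5` alone versus `-md sha256 -pbkdf2`), as an added example that is not part of this commit or the project's code. Function names, the passphrase and the sample file bytes are constructed for illustration; 10000 is assumed as the iteration count because the script passes no `-iter` and that is openssl's default.

```python
import hashlib

MAGIC = b"Salted__"        # header `openssl enc` writes in front of a salted ciphertext
KEY_LEN, IV_LEN = 32, 16   # AES-256-CBC key and IV sizes in bytes


def split_salted(blob: bytes):
    """Return (salt, ciphertext) from an `openssl enc` file; salt is b"" without a header."""
    if blob.startswith(MAGIC):
        if len(blob) < len(MAGIC) + 8:
            raise ValueError("truncated salt header")
        return blob[8:16], blob[16:]
    return b"", blob


def legacy_md5_kdf(password: bytes, salt: bytes = b""):
    """EVP_BytesToKey with MD5 and a single iteration (`-md md5`, no -pbkdf2)."""
    material, block = b"", b""
    while len(material) < KEY_LEN + IV_LEN:
        # Each block is MD5(previous block || password || salt).
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]


def pbkdf2_sha256_kdf(password: bytes, salt: bytes, iterations: int = 10000):
    """PBKDF2-HMAC-SHA256 producing key || IV (`-md sha256 -pbkdf2`)."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def derivation_cost(kdf: str, iterations: int = 10000) -> int:
    """Hash passes needed to derive one key and IV from one candidate passphrase."""
    if kdf == "md5":
        return -(-(KEY_LEN + IV_LEN) // 16)    # 48 bytes from 16-byte MD5 digests
    blocks = -(-(KEY_LEN + IV_LEN) // 32)      # 48 bytes from 32-byte PBKDF2 blocks
    return blocks * iterations                 # HMAC-SHA256 evaluations


if __name__ == "__main__":
    sample = MAGIC + bytes(range(8)) + b"\x00" * 32   # constructed file, not real key material
    salt, body = split_salted(sample)
    pw = b"constructed-passphrase"
    print("md5   :", legacy_md5_kdf(pw, salt)[0].hex(), derivation_cost("md5"), "hashes")
    print("pbkdf2:", pbkdf2_sha256_kdf(pw, salt)[0].hex(), derivation_cost("pbkdf2"), "HMACs")
```

The cost figures show why the derivation matters for a passphrase-protected key stored in a public repository: the old scheme needs three MD5 digests per candidate passphrase, the new one 20000 HMAC-SHA256 evaluations.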
Showing 4 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion appveyor/config-non-tagged.yml
Expand Up @@ -16,7 +16,7 @@ environment:
secure_authenticode_pass:
secure: Way+hJyhbiLG/cmCo4+dHHzS5DiSvk/45o6frnIQ27GBX6nVDsh7jwQ7fSnqxBRP
secure_ssh_pass:
secure: ekOvuyywHuDdGZmRmoj+b3jfrq39A2xlx4RD5ZUGd/8=
secure: Iql/RhSathGacONacsyr6gis+rjL75UFZ/R+nPAJpo3asAzQSQQd8hfxq0iv8+Th
mozillaSymsAuthToken:
secure: p37Fxo78fsRdmR8v8TPz978QvVaqvbjdIBzFe8ZOpX0FUprm46rkhd374QM1CqMO
symstore: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symstore.exe
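Review bot: Missing documentation on the secure_ssh_pass entry under environment: nothing in the visible lines says that this value is the passphrase for appveyor\ssh_id_rsa.enc or that it must change together with that file. A one-line YAML comment above secure_ssh_pass naming the encrypted file and the script that consumes it (appveyor\scripts\decryptFilesForSigning.ps1) would make the next rotation less error-prone, since a mismatch only shows up as "Unable to decrypt ssh key" at build time.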
2 changes: 1 addition & 1 deletion appveyor/config-tagged.yml
Expand Up @@ -16,7 +16,7 @@ environment:
secure_authenticode_pass:
secure: Way+hJyhbiLG/cmCo4+dHHzS5DiSvk/45o6frnIQ27GBX6nVDsh7jwQ7fSnqxBRP
secure_ssh_pass:
secure: ekOvuyywHuDdGZmRmoj+b3jfrq39A2xlx4RD5ZUGd/8=
secure: Iql/RhSathGacONacsyr6gis+rjL75UFZ/R+nPAJpo3asAzQSQQd8hfxq0iv8+Th
mozillaSymsAuthToken:
secure: p37Fxo78fsRdmR8v8TPz978QvVaqvbjdIBzFe8ZOpX0FUprm46rkhd374QM1CqMO
symstore: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symstore.exe
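Review bot: The new secure_ssh_pass value here is the same string as the one set in appveyor/config-non-tagged.yml, so the secret is maintained in two files that have to be edited in lockstep. This commit updates both, but a future rotation that touches only one would break decryption for either tagged or non-tagged builds; consider a comment in each file pointing at the other, or defining the shared secure variables in one place if the AppVeyor setup allows it.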
2 changes: 1 addition & 1 deletion appveyor/scripts/decryptFilesForSigning.ps1
Expand Up @@ -4,7 +4,7 @@ if(!$env:APPVEYOR_PULL_REQUEST_NUMBER) {
$errorCode=$LastExitCode
Add-AppveyorMessage "Unable to decrypt authenticode certificate"
}
openssl enc -md md5 -aes-256-cbc -d -pass pass:$env:secure_ssh_pass -in appveyor\ssh_id_rsa.enc -out appveyor\ssh_id_rsa
openssl enc -d -md sha256 -aes-256-cbc -pbkdf2 -salt -pass pass:$env:secure_ssh_pass -in appveyor\ssh_id_rsa.enc -out appveyor\ssh_id_rsa
if($LastExitCode -ne 0) {
$errorCode=$LastExitCode
Add-AppveyorMessage "Unable to decrypt ssh key"
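Review bot: On the new openssl enc line, -pass pass:$env:secure_ssh_pass still expands the passphrase into the process command line, where it is visible to anything that can list process arguments on the build worker. openssl accepts -pass env:secure_ssh_pass, which reads the variable inside the process instead. Two smaller points on the same line: no -iter is given, so encryption and decryption both depend on openssl's default PBKDF2 iteration count staying the same, and pinning -iter explicitly on both sides removes that dependency; and -salt has no effect with -d, because the salt is read from the file header, so it can be dropped from the decrypt command.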
Binary file modified appveyor/ssh_id_rsa.enc
Binary file not shown.
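Review bot: Replacing appveyor/ssh_id_rsa.enc does not remove the previous file from repository history, where it stays retrievable in its weaker MD5-derived encryption. The stronger encryption only protects the deployment server if the old key pair is also retired, so please confirm that the old public key has been removed from the server's authorized keys; the diff cannot show this, and a note in the PR stating it was done would close the loop.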