New cloud HSMs

We’ve added support and documentation for the hosted HSM services of Google Cloud Platform and Azure.

Since the summer Microsoft has required that all new Windows code signing keys are kept inside a hardware security module. This makes it harder to steal keys and reduces the cost of revoking them, as in case of a hack you can just revoke the credentials to the HSM instead of keys that are in widely distributed certificates.

Previously we added support for the cloud signing services of DigiCert and SSL.com. These are great but are fully integrated services. It can be cheaper to supply your own HSM and then get a certificate authority to sign the key it generates. Conveyor has supported the use of arbitrary HSMs via their PKCS#11 drivers for a long time, but it’s not always obvious how to configure them and each brand has its own unique quirks. Sometimes it also requires changes in Conveyor itself.

Our documentation now shows how to configure HSMs for both Azure and Google, and we’ve added a discussion of how to get SSL.com to issue certificates for those keys using the HSM’s remote attestation features. This should make it much cheaper and easier to do code signing fully in the cloud, without needing special USB tokens.

Automatically fixing missing intermediate certificates

A common mistake people make when configuring certificates is to accidentally leave out a required intermediate certificate. This is especially easy to screw up even for TLS on websites because it can cause apparently random failures on Windows. On machines that have seen the intermediate before and have it cached things will work; on newer or less used machines things will fail.

Another case where intermediates get tricky is with the Google Cloud KMS, which doesn’t let you specify them at all.

Starting from version 13 Conveyor automatically downloads the Windows root certificate store, extracts it from its proprietary binary wrapper, and checks that your certificate chains to a known root certificate. If it doesn’t Conveyor will download and add the missing intermediate certificates for you. It’s fully automatic and you’ll never even know it’s happening, except if you try to use something that’s not Conveyor to package your software and wonder why it doesn’t work.

Alternative S3 API providers

Amazon S3 has come to define easy and reliable object storage, so it’s not a surprise that many of our users host their files there. Conveyor can upload to S3 at the end of a build for several versions now, but our support was previously fixed to AWS specifically. The S3 API has become a standard so now we let you configure an alternative S3 endpoint:

app {  
  site {
    copy-to = "s3:my-bucket/path/to/site"
    
    s3 {
      // Your bucket region.
      region = "us-east-1"
      access-key-id = ${env.S3_ACCESS_KEY_ID}
      secret-access-key = ${env.S3_SECRET_ACCESS_KEY}
      
      // Optional: override endpoint if using S3 from a different provider:
      endpoint = "s3.us-west-002.backblazeb2.com"      
    }
  }
}

Some alternative object storage providers are cheaper than Amazon for bulk file serving, so it’s worth checking them out!

Solid as a rock

This release also contains a variety of smaller usability improvements. We’ve always distinguished ourselves by investing heavily in high quality error messages, and this release is no different, with better errors being presented for various edge cases.

Last month we got an interesting support request: Conveyor was crashing with a variety of apparently impossible errors to do with files on disk being present but unexpectedly empty. The user’s disk cache was corrupted, but we initially couldn’t see any way that could happen. It didn’t take long to come up with the right question though: sure enough, when we asked the user if they’d had a blue screen of death recently (a kernel panic) they recalled that they had. Kernel panics can cause the operating system to lose disk writes, leading to files being randomly truncated or garbled. We’ve now robustified the code to handle this case by making Conveyor rebuild any tasks for which the cached data can’t be successfully loaded, and added handling in other parts of the code for where internal files exist but are empty.

Finally, we’ve fixed a few bugs such as restoring compatibility with old Windows 10 machines and fixing a conflict between the escape hatch feature and the Microsoft Store.