security: stop leaking signing secrets via shell interpolation / argv (PER-8611, PER-8612)#2281

Open
Shivanshu-07 wants to merge 1 commit into
masterfrom
security/PER-8611-8612-release-secrets

Conversation

@Shivanshu-07 Shivanshu-07 commented Jun 14, 2026

Contributor

Summary

Fourth focused percy-cli security PR — two High-severity release-pipeline secret-handling findings (deadline 2026-06-16).

Ticket    CWE      Finding
PER-8611  CWE-532  GCP KMS key path interpolated into the signtool shell command
PER-8612  CWE-214  Apple app-specific password passed as a CLI argument to notarytool

Changes

.github/workflows/executable.yml (PER-8611): Moved GCP_KMS_KEY_PATH into the signing step's env: map and referenced $env:GCP_KMS_KEY_PATH in the PowerShell command, instead of interpolating ${{ secrets.GCP_KMS_KEY_PATH }} into the run: string. GitHub's secret redaction now applies to the value in all (including error) log output.

scripts/executable.sh (PER-8612): xcrun notarytool submit now uses --password "@env:APPLE_ID_KEY" (notarytool's documented env-var form) instead of --password $APPLE_ID_KEY, so the Apple app-specific password — which grants notarization capability under BrowserStack's Developer ID — is no longer visible in the process table.
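As an added illustration (this is not the percy-cli workflow or script from this PR), the following minimal GitHub Actions workflow shows the weak form of each step, commented out, directly beside the corrected form described above. The job and step names, the "Google Cloud KMS Provider" CSP name, the dist/ artifact paths and the APPLE_ID / APPLE_TEAM_ID secrets are assumptions; GCP_KMS_KEY_PATH, $env:GCP_KMS_KEY_PATH and @env:APPLE_ID_KEY are the names the PR itself uses.

```yaml
# Added example, not the project's own workflow. Assumed: job/step names,
# the CSP name passed to signtool, dist/ paths, APPLE_ID and APPLE_TEAM_ID.
name: release-signing-example

on:
  workflow_dispatch:

jobs:
  sign-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      # WEAK (PER-8611 pattern): the secret is expanded into the script text
      # before PowerShell ever runs it, so any tool or shell error that echoes
      # the command line puts the raw key path into the job log.
      # - name: Sign (weak)
      #   shell: pwsh
      #   run: |
      #     signtool sign /fd sha256 /csp "Google Cloud KMS Provider" `
      #       /kc "${{ secrets.GCP_KMS_KEY_PATH }}" dist\percy.exe

      # FIXED: bind the secret as an environment variable and read it at run
      # time. The run: text never contains the value, and GitHub's log masking
      # still redacts it if a tool prints it.
      - name: Sign (fixed)
        shell: pwsh
        env:
          GCP_KMS_KEY_PATH: ${{ secrets.GCP_KMS_KEY_PATH }}
        run: |
          signtool sign /fd sha256 /csp "Google Cloud KMS Provider" `
            /kc $env:GCP_KMS_KEY_PATH dist\percy.exe

  notarize-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      # WEAK (PER-8612 pattern): the shell expands $APPLE_ID_KEY into argv,
      # so the password sits in the process table for as long as notarytool runs.
      # - name: Notarize (weak)
      #   env:
      #     APPLE_ID_KEY: ${{ secrets.APPLE_ID_KEY }}
      #   run: |
      #     xcrun notarytool submit dist/percy.pkg --apple-id "$APPLE_ID" \
      #       --team-id "$APPLE_TEAM_ID" --password "$APPLE_ID_KEY" --wait

      # FIXED: notarytool's documented @env:VAR form makes the tool read the
      # password from its own environment; argv only carries the literal
      # string "@env:APPLE_ID_KEY".
      - name: Notarize (fixed)
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ID_KEY: ${{ secrets.APPLE_ID_KEY }}
        run: |
          xcrun notarytool submit dist/percy.pkg \
            --apple-id "$APPLE_ID" \
            --team-id "$APPLE_TEAM_ID" \
            --password "@env:APPLE_ID_KEY" \
            --wait
```

A cheap regression check for the PER-8611 class is to grep the workflow for `${{ secrets.` and confirm every hit sits under an `env:` key rather than inside a `run:` block; for the PER-8612 class, grep the release scripts for `--password "$` or `--password $` and expect no matches.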

Scope note (flagged)

The .p12 import passphrase on security import -P $APPLE_CERT_KEY (executable.sh:59) is not changed here: security import has no env/stdin option for -P (confirmed against the macOS security man page), so the only real fix is a keychain-pre-population rework of the signing flow — deferred to avoid risking the release pipeline. The GitHub-hosted macOS runner is single-tenant and ephemeral, which limits that argv-exposure window. Tracked as a follow-up on PER-8612.

Verification

  • executable.yml parses as valid YAML; bash -n scripts/executable.sh passes.
  • Confirmed GCP_KMS_KEY_PATH now appears only in the env: binding (not inline in the command), and notarytool reads @env:APPLE_ID_KEY.

Closes PER-8611. Addresses the app-specific-password leg of PER-8612 (.p12 import passphrase rework flagged as follow-up).

Note: this PR also touches executable.yml, which #2278 SHA-pins — the two edit different regions and should merge cleanly; rebase if #2278 lands first.

🤖 Generated with Claude Code

… (PER-8611, PER-8612)

PER-8611 (CWE-532) — the GCP KMS key path was interpolated directly into the
signtool PowerShell command, so a signing failure could surface it in the job
log (bypassing GitHub's exact-string masking). Bind it via the step `env:` map
(GCP_KMS_KEY_PATH) and reference `$env:GCP_KMS_KEY_PATH` instead, so redaction
applies to all log output.

PER-8612 (CWE-214) — the Apple app-specific password was passed to
`xcrun notarytool` as a CLI argument, visible in the process table. Use
notarytool's `@env:APPLE_ID_KEY` form so it is read from the environment
instead of argv.

Note: the `.p12` import passphrase on `security import -P` (executable.sh:59)
is NOT changed here — `security import` has no env/stdin option for the
passphrase, and the safe fix (keychain pre-population) is a larger rework of
the signing pipeline. The GitHub-hosted macOS runner is single-tenant and
ephemeral, which limits that argv-exposure window; tracked as a follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07 Shivanshu-07 requested a review from a team as a code owner June 14, 2026 16:49