From 88d13301168f22cb78654383d9806d9133bc1a7b Mon Sep 17 00:00:00 2001 From: Shivanshu07 Date: Sun, 14 Jun 2026 22:18:38 +0530 Subject: [PATCH] security: stop leaking signing secrets via shell interpolation / argv (PER-8611, PER-8612) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PER-8611 (CWE-532) — the GCP KMS key path was interpolated directly into the signtool PowerShell command, so a signing failure could surface it in the job log (bypassing GitHub's exact-string masking). Bind it via the step `env:` map (GCP_KMS_KEY_PATH) and reference `$env:GCP_KMS_KEY_PATH` instead, so redaction applies to all log output. PER-8612 (CWE-214) — the Apple app-specific password was passed to `xcrun notarytool` as a CLI argument, visible in the process table. Use notarytool's `@env:APPLE_ID_KEY` form so it is read from the environment instead of argv. Note: the `.p12` import passphrase on `security import -P` (executable.sh:59) is NOT changed here — `security import` has no env/stdin option for the passphrase, and the safe fix (keychain pre-population) is a larger rework of the signing pipeline. The GitHub-hosted macOS runner is single-tenant and ephemeral, which limits that argv-exposure window; tracked as a follow-up. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/executable.yml | 7 ++++++- scripts/executable.sh | 5 ++++- 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/executable.yml b/.github/workflows/executable.yml
index 44de17fc8..c6bd44e0a 100644
--- a/.github/workflows/executable.yml
+++ b/.github/workflows/executable.yml
@@ -79,11 +79,16 @@ jobs:
 env:
 CERT_B64: ${{ secrets.WIN_CODESIGN_CERT_CHAIN_B64 }}
 - name: Sign binary with Google Cloud KMS
+ env:
+ # Bind the secret to an env var instead of interpolating it into the
+ # PowerShell command string, so GitHub's log redaction applies to it
+ # in all (incl. error) output (CWE-532).
+ GCP_KMS_KEY_PATH: ${{ secrets.GCP_KMS_KEY_PATH }}
 run: |
 $env:GOOGLE_APPLICATION_CREDENTIALS = "$PWD\gcp-sa-key.json"
 $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Filter signtool.exe -Recurse | Where-Object { $_.FullName -match "x64" } | Select-Object -First 1
 Write-Host "Using signtool: $($signtool.FullName)"
- & $signtool.FullName sign /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f comodo_signing_cert.crt /csp "Google Cloud KMS Provider" /kc "${{ secrets.GCP_KMS_KEY_PATH }}" percy.exe
+ & $signtool.FullName sign /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f comodo_signing_cert.crt /csp "Google Cloud KMS Provider" /kc "$env:GCP_KMS_KEY_PATH" percy.exe
 if ($LASTEXITCODE -ne 0) { Write-Error "Code signing failed!"; exit 1 }
 Write-Host "Code signing succeeded."
 & $signtool.FullName verify /pa /v percy.exe
diff --git a/scripts/executable.sh b/scripts/executable.sh
index 655a564bb..836a4b0be 100755
--- a/scripts/executable.sh
+++ b/scripts/executable.sh
@@ -70,6 +70,9 @@ zip percy-linux.zip percy
 mv percy-osx percy
 zip percy-osx.zip percy
-xcrun notarytool submit --apple-id "$APPLE_ID_USERNAME" --password $APPLE_ID_KEY --team-id $APPLE_TEAM_ID percy-osx.zip --wait
+# Read the Apple app-specific password from the environment via notarytool's
+# `@env:` prefix instead of passing it as a CLI argument, so it is not visible
+# in the process table / `ps aux` (CWE-214).
+xcrun notarytool submit --apple-id "$APPLE_ID_USERNAME" --password "@env:APPLE_ID_KEY" --team-id "$APPLE_TEAM_ID" percy-osx.zip --wait
 cleanup
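Review bot: The sign step still runs with an empty key container when the `GCP_KMS_KEY_PATH` secret is absent (fork PRs, a mis-scoped environment) and then fails inside signtool with a provider error that does not point at the cause; add a guard right before the `& $signtool.FullName sign` line, `if (-not $env:GCP_KMS_KEY_PATH) { Write-Error "GCP_KMS_KEY_PATH secret is not set"; exit 1 }`. The rationale in the added comment also looks off: as far as I can tell GitHub redacts a referenced secret's value wherever it appears in step output, whether it arrived via `${{ }}` interpolation or `$env:`, so the actual gains of the `env:` binding are that the value is no longer written verbatim into the step's generated script file and that a value containing quotes can no longer break out of the PowerShell string. Suggested wording for the comment: `# Bind via env: rather than ${{ }} so the value is never embedded in the generated step script and is not subject to PowerShell quoting/injection`. The surrounding job definition starts before this hunk.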
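Review bot: `--password "@env:APPLE_ID_KEY"` makes notarytool read the value from its own process environment, so the new line silently depends on `APPLE_ID_KEY` being exported — the old `$APPLE_ID_KEY` expansion worked for a plain shell variable too, and with an unexported or empty variable notarytool will now fail with a credential error that does not point at the cause. Fail fast and make the export explicit before the call: `[ "${#APPLE_ID_KEY}" -gt 0 ] || { echo "APPLE_ID_KEY must be set and non-empty" >&2; exit 1; }` followed by `export APPLE_ID_KEY` (testing the length rather than the value keeps the secret out of an xtrace log if the script is ever run with `set -x`; a `VAR=... cmd` prefix assignment would print it there). Whether the variable is already exported and whether the script sets `-e`/`-u`/`-x` is decided in the script header, which is outside this hunk.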