tufup hangs on windows image in aws codebuild

[dennisvang]

When setting up a CI/CD workflow on AWS Codebuild, using Powershell on the aws/codebuild/windows-base:2019-3.0 image, all tufup commands in the buildspec.yml that require signing appear to hang indefinitely, without showing any errors.

The required private keys (unencrypted) are obtained from the aws parameter store and written to disk using Out-File.

How to fix this?

[dennisvang]

The default shell used by the aws/codebuild/windows-base:2019-3.0 image is windows powershell, i.e. powershell version 5.

This can be verified by running $PSversionTable and checking the logs.

If your key files are written using Out-File in powershell 5, the default encoding for that file will be utf-8 with BOM (byte-order-mark).
This raises an error when securesystemslib (<1.0) tries to read the private key file:

JSONDecodeError: Unexpected UTF-8 BOM (decode using utf-8-sig)

However, this error is silently caught by tufup, and tufup then makes another attempt to read the private key, this time with a password prompt.
The password prompt causes the build to hang, because it's waiting for user input.

One workaround is to write the key files using New-Item, which writes utf8 without BOM, as explained here.

$null = New-Item -Force <path-to-file> -Value <content-of-private-key-file>

Another option would be to call powershell core (6+) which is also available on the image, but not the default. Powershell 6+ allows us to specify utf8nobom encoding for Out-File.