From e01809c075e9e64cd84335eccee4515522899c0c Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Wed, 13 Dec 2023 10:19:36 -0500
Subject: [PATCH 1/2] Unify Windows sign process on signtool
- converts the process from using script/sign.bat to script/sign.ps1 for supportability and capability
- resolves signtool on runner in order to run rather than hardcoded path
---
 .github/workflows/deployment-hsm-testing.yml | 29 ++++++++++----------
 .goreleaser-hsm.yml | 2 +-
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/deployment-hsm-testing.yml b/.github/workflows/deployment-hsm-testing.yml
index 2d586a79c..c3e8f24e4 100644
--- a/.github/workflows/deployment-hsm-testing.yml
+++ b/.github/workflows/deployment-hsm-testing.yml
@@ -1,4 +1,4 @@
-name: Deployment
+name: Deployment HSM Testing
 run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
 concurrency:
@@ -42,10 +42,11 @@ jobs:
 CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
 run: |
+ # Download Azure Code Signing client containing the DLL needed for signtool in script/sign
 Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
 Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
- # Generate metadata file for signtool
+ # Generate metadata file for signtool, used in signing box .exe and .msi
 @{
 CertificateProfileName = "GitHubInc"
 CodeSigningAccountName = "GitHubInc"
@@ -100,19 +101,17 @@ jobs:
 "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
 done
 - name: Sign .msi release binaries
- uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
- with:
- azure-tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
- azure-client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
- azure-client-secret: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
- endpoint: https://wus.codesigning.azure.net/
- code-signing-account-name: GitHubInc
- certificate-profile-name: GitHubInc
- files-folder: ${{ github.workspace }}/dist
- files-folder-filter: msi
- file-digest: SHA256
- timestamp-rfc3161: http://timestamp.acs.microsoft.com
- timestamp-digest: SHA256
+ shell: pwsh
+ env:
+ AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
+ AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
+ AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
+ DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
+ METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+ run: |
+ Get-ChildItem "$Env:GITHUB_WORKSPACE/dist" -Filter *.msi | Foreach-Object {
+ .\script\sign.ps1 $_.FullName
+ }
 - uses: actions/upload-artifact@v3
 with:
 name: windows
diff --git a/.goreleaser-hsm.yml b/.goreleaser-hsm.yml
index a48de4c7a..2faafdd5c 100644
--- a/.goreleaser-hsm.yml
+++ b/.goreleaser-hsm.yml
@@ -41,7 +41,7 @@ builds:
 hooks:
 post:
 - cmd: >-
- {{ if eq .Runtime.Goos "windows" }}.\script\sign-hsm{{ else }}./script/sign{{ end }} '{{ .Path }}'
+ {{ if eq .Runtime.Goos "windows" }}.\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
 output: true
 binary: bin/gh
 main: ./cmd/gh
From d3d4a681f2216d7bc72e09e8e7672dd67cb47f0f Mon Sep 17 00:00:00 2001
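Review bot: The new `Foreach-Object { .\script\sign.ps1 $_.FullName }` loop in the "Sign .msi release binaries" run block never checks the result of each invocation, so a signtool failure on any .msi other than the last one cannot fail the step (the runner only propagates the final `$LASTEXITCODE`), and a script that returns 0 without signing passes silently. Check after each call: `.\script\sign.ps1 $_.FullName; if ($LASTEXITCODE -ne 0) { throw "signing failed: $($_.FullName)" }`. `DLIB_PATH` points at the DLL unpacked from the Azure.CodeSigning.Client 1.0.38 package that the earlier hunk fetches with a plain `Invoke-WebRequest`; since signtool now loads that DLL via `/dlib`, consider recording and verifying the package hash after download, as the replaced action was at least pinned by commit SHA. A `Get-AuthenticodeSignature` check on the produced .msi files before the upload-artifact step would also stop an unsigned artifact from being published.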
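Review bot: The Windows branch of the post hook now invokes `.\script\sign.ps1` directly, but goreleaser runs hooks without a shell and a `.ps1` file is not directly launchable on Windows the way the previous extension-less `sign-hsm` (presumably resolved through PATHEXT to a .bat/.cmd, per the commit message) was, so unless the hook runner is wrapped elsewhere this hook will fail to start. Run it through PowerShell instead: `{{ if eq .Runtime.Goos "windows" }}pwsh -File .\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'`. With `output: true` the hook's stdout is shown but its success is judged by the exit code, so the script must also exit non-zero when signing fails.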
From: Andy Feller
Date: Wed, 13 Dec 2023 10:21:02 -0500
Subject: [PATCH 2/2] Add missing PowerShell file from previous commit
---
 script/sign.ps1 | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 script/sign.ps1
diff --git a/script/sign.ps1 b/script/sign.ps1
new file mode 100644
index 000000000..3195cbe66
--- /dev/null
+++ b/script/sign.ps1
@@ -0,0 +1,11 @@
+if ($null -ne $env:DLIB_PATH) {
+ Write-Host "Skipping Windows code signing; DLIB_PATH not set"
+ exit
+}
+
+if ($null -ne $env:METADATA_PATH) {
+ Write-Host "Skipping Windows code signing; METADATA_PATH not set"
+ exit
+}
+
+& (Resolve-Path "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe") sign /d "GitHub CLI" /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "$Env:DLIB_PATH" /dmdf "$Env:METADATA_PATH" "$args[0]"
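Review bot: Both guards are inverted: `$null -ne $env:DLIB_PATH` is true when the variable IS set, so in the workflow (which sets DLIB_PATH and METADATA_PATH) the script prints "not set", exits 0 and the binary is left unsigned, while a run without the variables falls through and calls signtool with empty `/dlib` and `/dmdf` arguments. The final line has two further problems: `"$args[0]"` does not index inside a double-quoted string (PowerShell expands `$args` and appends a literal `[0]`), and `Resolve-Path` with a wildcard returns one entry per installed Windows Kits version, which makes `&` fail when more than one SDK is present. signtool's exit code is also never propagated, so the caller cannot tell a failed signing from a successful one. The rewrite below fixes the guards, selects a single signtool deterministically, indexes the argument correctly and exits with signtool's status.

```powershell
if ([string]::IsNullOrEmpty($env:DLIB_PATH)) {
    Write-Host "Skipping Windows code signing; DLIB_PATH not set"
    exit
}

if ([string]::IsNullOrEmpty($env:METADATA_PATH)) {
    Write-Host "Skipping Windows code signing; METADATA_PATH not set"
    exit
}

# Several Windows Kits versions may be installed; take one deterministically (lexically highest path)
$signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object FullName -Descending | Select-Object -First 1
if ($null -eq $signtool) {
    Write-Error "signtool.exe not found under Windows Kits 10"
    exit 1
}

& $signtool.FullName sign /d "GitHub CLI" /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "$Env:DLIB_PATH" /dmdf "$Env:METADATA_PATH" "$($args[0])"
exit $LASTEXITCODE
```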