Rotate our Windows signing certificates (#5196)

- The certificate pfx file is now read from WINDOWS_CERT_PFX
- The password to decode the pfx is in WINDOWS_CERT_PASSWORD
- Quit reading from desktop-secrets repo
- Switch osslsigncode to take in pfx instead of individual certs
- 🔥 obsolete setup scripts

.github/workflows/releases.yml

@@ -27,6 +27,13 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       - name: Install osslsigncode
         run: sudo apt-get install -y osslsigncode
+      - name: Obtain signing cert
+        run: |
+          cert="$(mktemp -t cert.XXX)"
+          base64 -d <<<"$CERT_CONTENTS" > "$cert"
+          echo "CERT_FILE=$cert" >> $GITHUB_ENV
+        env:
+          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -35,8 +42,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
-          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
-          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
+          CERT_PASSWORD: ${{secrets.WINDOWS_CERT_PASSWORD}}
       - name: Checkout documentation site
         uses: actions/checkout@v2
         with:
@@ -147,15 +153,18 @@ jobs:
           "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$PWD" -p:OutputPath="$PWD" -p:OutputName="$name" -p:ProductVersion="$version"
       - name: Obtain signing cert
         id: obtain_cert
+        shell: bash
+        run: |
+          base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx
+          printf "::set-output name=cert-file::%s\n" ".\\cert.pfx"
         env:
-          DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
-        run: .\script\setup-windows-certificate.ps1
+          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
       - name: Sign MSI
         env:
           CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
           EXE_FILE: ${{ steps.buildmsi.outputs.msi }}
-          GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
-        run: .\script\sign.ps1 -Certificate $env:CERT_FILE -Executable $env:EXE_FILE
+          CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
+        run: .\script\signtool sign /d "GitHub CLI" /f $env:CERT_FILE /p $env:CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /v $env:EXE_FILE
       - name: Upload MSI
         shell: bash
         run: |

.goreleaser.yml

@@ -9,7 +9,6 @@ before:
   hooks:
     - go mod tidy
     - make manpages GH_VERSION={{.Version}}
-    - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD"  }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN"  }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
   - <<: &build_defaults

script/prepare-windows-cert.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-set -e
-
-GITHUB_CERT_PASSWORD=$1
-DESKTOP_CERT_TOKEN=$2
-
-if [[ -z "$GITHUB_CERT_PASSWORD" || -z "$DESKTOP_CERT_TOKEN" ]]; then
-  echo "skipping windows signing prep; cert password or token not found"
-  exit 0
-fi
-
-curl \
-  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
-  -H "Accept: application/vnd.github.v3.raw" \
-  --output windows-certificate.pfx \
-  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
-
-openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD}
-openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}

script/setup-windows-certificate.ps1

@@ -1,12 +0,0 @@
-$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
-$certFile = "$scriptPath\windows-certificate.pfx"
-
-$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
-$headers.Add("Authorization", "token $env:DESKTOP_CERT_TOKEN")
-$headers.Add("Accept", 'application/vnd.github.v3.raw')
-
-Invoke-WebRequest 'https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx' `
-              -Headers $headers `
-              -OutFile "$certFile"
-
-Write-Output "::set-output name=cert-file::$certFile"

script/sign-windows-executable.sh

@@ -1,26 +1,25 @@
 #!/bin/bash
 set -e
 
-if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then
-  echo "skipping windows signing; cert or key not found"
+EXE="$1"
+
+if [ -z "$CERT_FILE" ]; then
+  echo "skipping Windows code-signing; CERT_FILE not set" >&2
   exit 0
 fi
 
-EXECUTABLE_PATH=$1
-ARCH="386"
-
-if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
-  ARCH="amd64"
+if [ ! -f "$CERT_FILE" ]; then
+  echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
+  exit 1
 fi
 
-OUT_PATH=gh_signed-${ARCH}.exe
+if [ -z "$CERT_PASSWORD" ]; then
+  echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+  exit 1
+fi
 
-osslsigncode sign \
-  -certs certificate.pem \
-  -key private-key.pem \
-  -n "GitHub CLI" \
-  -t http://timestamp.digicert.com \
-  -in $EXECUTABLE_PATH \
-  -out $OUT_PATH
+osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
+  -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+  -in "$EXE" -out "$EXE"~
 
-mv $OUT_PATH $EXECUTABLE_PATH
+mv "$EXE"~ "$EXE"

script/sign.ps1

@@ -6,12 +6,7 @@ param (
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 
-$thumbprint = "fb713a60a7fa79dfc03cb301ca05d4e8c1bdd431"
-$passwd = $env:GITHUB_CERT_PASSWORD
 $ProgramName = "GitHub CLI"
-
 $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
 
-& $scriptPath\signtool.exe sign /d $ProgramName /f $Certificate /p $passwd `
-    /sha1 $thumbprint /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v `
-    $Executable
+& $scriptPath\signtool.exe sign /d $ProgramName /f $Certificate /p $env:CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /v $Executable