From 5e8e645a7f9a24a18d4e287369cd4dfb63094ef9 Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Fri, 8 Dec 2023 17:27:22 -0500
Subject: [PATCH] Update HSM test using Desktop approach
This update leverages GitHub Desktop approach of downloading Azure Code Signing DLL and wiring it up as part of the existing signing process used by Windows builds.
---
 .github/workflows/deployment-hsm-testing.yml | 151 +++++++++++++++++++
 .goreleaser-hsm.yml | 5 +
 script/sign-hsm.bat | 14 ++
 3 files changed, 170 insertions(+)
 create mode 100644 .github/workflows/deployment-hsm-testing.yml
 create mode 100644 script/sign-hsm.bat
diff --git a/.github/workflows/deployment-hsm-testing.yml b/.github/workflows/deployment-hsm-testing.yml
new file mode 100644
index 000000000..ba1e97c3f
--- /dev/null
+++ b/.github/workflows/deployment-hsm-testing.yml
@@ -0,0 +1,151 @@
+name: Deployment
+run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref_name }}
+ cancel-in-progress: true
+
+permissions:
+ contents: write
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+ go_version:
+ default: "1.21"
+ type: string
+
+jobs:
+ windows:
+ runs-on: windows-latest
+ environment: production
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: ${{ inputs.go_version }}
+ - name: Install GoReleaser
+ uses: goreleaser/goreleaser-action@v5
+ with:
+ version: "~1.17.1"
+ install-only: true
+ - name: Install Azure Code Signing Client
+ shell: pwsh
+ env:
+ ACS_DIR: ${{ runner.temp }}\acs
+ ACS_ZIP: ${{ runner.temp }}\acs.zip
+ CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+ run: |
+ Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
+ Expand-Archive $acsZip -Destination $Env:ACS_DIR acsDir -Force -Verbose
+
+ # Replace ancient signtool in scripts with one that supports ACS
+ Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination scripts -Verbose
+
+ # Generate metadata file for signtool
+ @{
+ CertificateProfileName = "GitHubInc"
+ CodeSigningAccountName = "GitHubInc"
+ CorrelationId = $Env:CORRELATION_ID
+ Description = "GitHub CLI"
+ Endpoint = 
"https://wus.codesigning.azure.net/
+
+ # Unused metadata configuration:
+ # AppendSignature
+ # DescriptionUrl
+ # EnhancedKeyUsage
+ # ExcludeAzureCliCredential
+ # ExcludeAzurePowerShellCredential
+ # ExcludeEnvironmentCredential
+ # ExcludeInteractiveBrowserCredential
+ # ExcludeManagedIdentityCredential
+ # ExcludeSharedTokenCacheCredential
+ # ExcludeVisualStudioCodeCredential
+ # ExcludeVisualStudioCredential
+ # FileDigest
+ # FilesCatalog
+ # FilesFolder
+ # FilesFolderDepth
+ # FilesFolderFilter
+ # FilesFolderRecurse
+ # GenerateDigestPath
+ # GenerateDigestXml
+ # GeneratePageHashes
+ # GeneratePkcs7
+ # IngestDigestPath
+ # Pkcs7Oid
+ # Pkcs7Options
+ # SignDigest
+ # SuppressPageHashes
+ # Timeout
+ # TimestampDigest
+ # TimestampRfc3161
+ } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
+ - name: Build release binaries
+ shell: bash
+ env:
+ DLIB_PATH: ${{ runner.temp }}\acs\bin/x64/Azure.CodeSigning.Dlib.dll
+ METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+ TAG_NAME: ${{ inputs.tag_name }}
+ run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml
+ - name: Set up MSBuild
+ id: setupmsbuild
+ uses: microsoft/setup-msbuild@v1.3.1
+ - name: Build MSI
+ shell: bash
+ env:
+ MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
+ run: |
+ for ZIP_FILE in dist/gh_*_windows_*.zip; do
+ MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
+ MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
+ case "$MSI_NAME" in
+ *_386 )
+ source_dir="$PWD/dist/windows_windows_386"
+ platform="x86"
+ ;;
+ *_amd64 )
+ source_dir="$PWD/dist/windows_windows_amd64_v1"
+ platform="x64"
+ ;;
+ *_arm64 )
+ echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
+ continue
+ #source_dir="$PWD/dist/windows_windows_arm64"
+ #platform="arm64"
+ ;;
+ * )
+ printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
+ exit 1
+ ;;
+ esac
+ 
"${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
+ done
+ - name: Sign .msi release binaries
+ uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
+ with:
+ azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
+ azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
+ endpoint: https://wus.codesigning.azure.net/
+ code-signing-account-name: GitHubInc
+ certificate-profile-name: GitHubInc
+ files-folder: ${{ github.workspace }}/dist
+ files-folder-filter: msi
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
+ - uses: actions/upload-artifact@v3
+ with:
+ name: windows
+ if-no-files-found: error
+ retention-days: 7
+ path: |
+ dist/*.zip
+ dist/*.msi
\ No newline at end of file
diff --git a/.goreleaser-hsm.yml b/.goreleaser-hsm.yml
index 7d3b975a5..a48de4c7a 100644
--- a/.goreleaser-hsm.yml
+++ b/.goreleaser-hsm.yml
@@ -38,6 +38,11 @@ builds:
 - id: windows #build:windows
 goos: [windows]
 goarch: [386, amd64, arm64]
+ hooks:
+ post:
+ - cmd: >-
+ {{ if eq .Runtime.Goos "windows" }}.\script\sign-hsm{{ else }}./script/sign{{ end }} '{{ .Path }}'
+ output: true
 binary: bin/gh
 main: ./cmd/gh
 ldflags:
diff --git a/script/sign-hsm.bat b/script/sign-hsm.bat
new file mode 100644
index 000000000..0b3512710
--- /dev/null
+++ b/script/sign-hsm.bat
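Review bot: `Expand-Archive $acsZip -Destination $Env:ACS_DIR acsDir -Force -Verbose` in the "Install Azure Code Signing Client" step references `$acsZip`, which nothing in the step assigns (the download goes to `$Env:ACS_ZIP`), and `acsDir` is a stray positional token, so the extraction cannot succeed as written; it should read `Expand-Archive -Path $Env:ACS_ZIP -DestinationPath $Env:ACS_DIR -Force -Verbose`. The same step copies the newer signtool into `scripts`, while the new `script/sign-hsm.bat` hunk invokes `.\script\signtool`, so one of the two paths looks wrong. The `Invoke-WebRequest` fetch of `Azure.CodeSigning.Client/1.0.38` feeds a DLL straight into the signing path with no integrity check; comparing the archive's hash (`Get-FileHash`) against a recorded value before extraction would keep a tampered or substituted package out of signtool. The signing action is pinned by commit SHA but `actions/checkout`, `actions/setup-go`, `goreleaser-action`, `setup-msbuild` and `upload-artifact` only by tag, which is inconsistent for a workflow that produces signed release artifacts. As rendered here the `Endpoint = "https://wus.codesigning.azure.net/` value also seems to lack its closing quote, which may be a display artifact but would break the `@{ … }` literal if real.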
@@ -0,0 +1,14 @@
+@echo off
+
+if "%DLIB_PATH%" == "" (
+ echo skipping Windows code-signing; DLIB_PATH not set
+ exit /b
+)
+
+if "%METADATA_PATH%" == "" (
+ echo skipping Windows code-signing; METADATA_PATH not set
+ exit /b
+)
+
+REM For more information on signtool, see https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
+.\script\signtool sign /d "GitHub CLI" /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"
\ No newline at end of file
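Review bot: Both guard clauses in sign-hsm.bat end in a bare `exit /b`, which returns success, so a run where `DLIB_PATH` or `METADATA_PATH` is unset quietly produces unsigned binaries that the goreleaser hook then treats as signed output. Since this script is only reached from the `production` job that sets both variables, their absence is a misconfiguration rather than a local-dev case, and `exit /b 1` would surface it; if skipping is intentional, `exit /b 0` plus a `REM` line saying so makes that explicit. The final `signtool` call passes `"%1"`, where `"%~1"` avoids doubled quotes if the caller already quoted the path. It would also help to note on the `REM` line that signtool's exit status becomes the script's, since that is what makes a failed signature fail the build.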