Update HSM test using Desktop approach

This update leverages GitHub Desktop approach of downloading Azure Code Signing DLL and wiring it up as part of the existing signing process used by Windows builds.
2023-12-08 17:27:22 -05:00 · 2023-12-08 17:27:22 -05:00 · 5e8e645a7f
commit 5e8e645a7f
parent dea2cd5fe1
3 changed files with 170 additions and 0 deletions
--- a/.github/workflows/deployment-hsm-testing.yml
+++ b/.github/workflows/deployment-hsm-testing.yml
@ -0,0 +1,151 @@
 name: Deployment
 run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true
 permissions:
  contents: write
 on:
  workflow_dispatch:
    inputs:
      tag_name:
        required: true
        type: string
      go_version:
        default: "1.21"
        type: string
 jobs:
  windows:
    runs-on: windows-latest
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: ${{ inputs.go_version }}
      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          version: "~1.17.1"
          install-only: true
      - name: Install Azure Code Signing Client
        shell: pwsh
        env:
          ACS_DIR: ${{ runner.temp }}\acs
          ACS_ZIP: ${{ runner.temp }}\acs.zip
          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
        run: |
          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
          Expand-Archive $acsZip -Destination $Env:ACS_DIR acsDir -Force -Verbose
          # Replace ancient signtool in scripts with one that supports ACS
          Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination scripts -Verbose
          # Generate metadata file for signtool
          @{
            CertificateProfileName = "GitHubInc"
            CodeSigningAccountName = "GitHubInc"
            CorrelationId = $Env:CORRELATION_ID
            Description = "GitHub CLI"
            Endpoint =  "https://wus.codesigning.azure.net/
            # Unused metadata configuration:
            # AppendSignature
            # DescriptionUrl
            # EnhancedKeyUsage
            # ExcludeAzureCliCredential
            # ExcludeAzurePowerShellCredential
            # ExcludeEnvironmentCredential
            # ExcludeInteractiveBrowserCredential
            # ExcludeManagedIdentityCredential
            # ExcludeSharedTokenCacheCredential
            # ExcludeVisualStudioCodeCredential
            # ExcludeVisualStudioCredential
            # FileDigest
            # FilesCatalog
            # FilesFolder
            # FilesFolderDepth
            # FilesFolderFilter
            # FilesFolderRecurse
            # GenerateDigestPath
            # GenerateDigestXml
            # GeneratePageHashes
            # GeneratePkcs7
            # IngestDigestPath
            # Pkcs7Oid
            # Pkcs7Options
            # SignDigest
            # SuppressPageHashes
            # Timeout
            # TimestampDigest
            # TimestampRfc3161
          } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
      - name: Build release binaries
        shell: bash
        env:
          DLIB_PATH: ${{ runner.temp }}\acs\bin/x64/Azure.CodeSigning.Dlib.dll
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
          TAG_NAME: ${{ inputs.tag_name }}
        run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml
      - name: Set up MSBuild
        id: setupmsbuild
        uses: microsoft/setup-msbuild@v1.3.1
      - name: Build MSI
        shell: bash
        env:
          MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
        run: |
          for ZIP_FILE in dist/gh_*_windows_*.zip; do
            MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
            MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
            case "$MSI_NAME" in
            *_386 )
              source_dir="$PWD/dist/windows_windows_386"
              platform="x86"
              ;;
            *_amd64 )
              source_dir="$PWD/dist/windows_windows_amd64_v1"
              platform="x64"
              ;;
            *_arm64 )
              echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
              continue
              #source_dir="$PWD/dist/windows_windows_arm64"
              #platform="arm64"
              ;;
            * )
              printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
              exit 1
              ;;
            esac
            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
          done
      - name: Sign .msi release binaries
        uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
        with:
            azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
            azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
            azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
            endpoint: https://wus.codesigning.azure.net/
            code-signing-account-name: GitHubInc
            certificate-profile-name: GitHubInc
            files-folder: ${{ github.workspace }}/dist
            files-folder-filter: msi
            file-digest: SHA256
            timestamp-rfc3161: http://timestamp.acs.microsoft.com
            timestamp-digest: SHA256
      - uses: actions/upload-artifact@v3
        with:
          name: windows
          if-no-files-found: error
          retention-days: 7
          path: |
            dist/*.zip
            dist/*.msi
--- a/.goreleaser-hsm.yml
+++ b/.goreleaser-hsm.yml
@ -38,6 +38,11 @@ builds:
  - id: windows #build:windows
    goos: [windows]
    goarch: [386, amd64, arm64]
    hooks:
      post:
        - cmd: >-
            {{ if eq .Runtime.Goos "windows" }}.\script\sign-hsm{{ else }}./script/sign{{ end }} '{{ .Path }}'
          output: true
    binary: bin/gh
    main: ./cmd/gh
    ldflags:
--- a/script/sign-hsm.bat
+++ b/script/sign-hsm.bat
@ -0,0 +1,14 @@
@echo off
 if "%DLIB_PATH%" == "" (
    echo skipping Windows code-signing; DLIB_PATH not set
    exit /b
 )
 if "%METADATA_PATH%" == "" (
    echo skipping Windows code-signing; METADATA_PATH not set
    exit /b
 )
 REM For more information on signtool, see https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
 .\script\signtool sign /d "GitHub CLI" /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"