Merge pull request #2160 from mbpreble/sign-windows-executables

Sign Windows .exes in a post-build hook
2022-01-18 09:13:33 -06:00 · 2022-01-18 09:13:33 -06:00 · 8c862bbb3a
commit 8c862bbb3a
parent c8fef47a36 2ade4e5608
4 changed files with 53 additions and 1 deletions
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@ -25,6 +25,8 @@ jobs:
            -q .body > CHANGELOG.md
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Install osslsigncode
+        run: sudo apt-get install -y osslsigncode
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
@ -33,6 +35,8 @@ jobs:
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
+          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
+          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
      - name: Checkout documentation site
        uses: actions/checkout@v2
        with:
@ -61,7 +65,6 @@ jobs:
            api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
          done
          echo "moved ${#cards[@]} cards to the Done column"
-      
      - name: Install packaging dependencies
        run: sudo apt-get install -y rpm reprepro
      - name: Set up GPG
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -9,6 +9,7 @@ before:
  hooks:
    - go mod tidy
    - make manpages GH_VERSION={{.Version}}
+    - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD"  }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN"  }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'

 builds:
  - <<: &build_defaults
@ -32,6 +33,9 @@ builds:
    id: windows
    goos: [windows]
    goarch: [386, amd64]
+    hooks:
+      post:
+        - ./script/sign-windows-executable.sh '{{ .Path }}'

 archives:
  - id: nix
--- a/script/prepare-windows-cert.sh
+++ b/script/prepare-windows-cert.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+GITHUB_CERT_PASSWORD=$1
+DESKTOP_CERT_TOKEN=$2
+
+if [[ -z "$GITHUB_CERT_PASSWORD" || -z "$DESKTOP_CERT_TOKEN" ]]; then
+  echo "skipping windows signing prep; cert password or token not found"
+  exit 0
+fi
+
+curl \
+  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
+  -H "Accept: application/vnd.github.v3.raw" \
+  --output windows-certificate.pfx \
+  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+
+openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD}
+openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}
--- a/script/sign-windows-executable.sh
+++ b/script/sign-windows-executable.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then
+  echo "skipping windows signing; cert or key not found"
+  exit 0
+fi
+
+EXECUTABLE_PATH=$1
+ARCH="386"
+
+if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
+  ARCH="amd64"
+fi
+
+OUT_PATH=gh_signed-${ARCH}.exe
+
+osslsigncode sign \
+  -certs certificate.pem \
+  -key private-key.pem \
+  -n "GitHub CLI" \
+  -t http://timestamp.digicert.com \
+  -in $EXECUTABLE_PATH \
+  -out $OUT_PATH
+
+mv $OUT_PATH $EXECUTABLE_PATH