From 5debf6ace06f97d4e7acb03d2e3a8d999e1ed2a1 Mon Sep 17 00:00:00 2001
From: Jan De Dobbeleer
Date: Tue, 9 Jul 2024 09:52:49 +0200
Subject: [PATCH] feat(build): sign windows binaries on release

---
 .github/workflows/release.yml | 35 +++++++++++++++++++++++++++--------
 packages/inno/build.ps1 | 4 ++--
 packages/inno/oh-my-posh.iss | 2 +-
 src/.goreleaser.yml | 9 +++++++--
 4 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 08c1a0f684a5..e17a620fd1b3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,9 +32,7 @@ jobs:
 artifacts:
 needs: changelog
 if: ${{ needs.changelog.outputs.skipped == 'false' }}
- runs-on: ubuntu-latest
- env:
- SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
+ runs-on: windows-latest
 defaults:
 run:
 shell: pwsh
@@ -49,12 +47,31 @@ jobs:
 git config --global user.name "GitHub Actions"
 git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git tag ${{ needs.changelog.outputs.tag }}
- - name: Private Key 🔐
+ - name: Prerequisites 🔐
 run: |
 $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
- $env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
+
+ $shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
+ $env:SIGNING_KEY > $shaSigningKeyLocation
+ Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+ # create a base64 encoded value of your certificate using
+ # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
+ $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
+ $encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
+ Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
+ Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+ # requires Windows Dev Kit 10.0.22621.0
+ $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
+ Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+ # openssl
+ $openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
+ Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 env:
- SIGNING_KEY: ${{secrets.SIGNING_KEY}}
+ SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+ SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
 - name: Run GoReleaser 🚀
 uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
 with:
@@ -62,6 +79,8 @@ jobs:
 version: latest
 args: release --clean --skip publish
 workdir: src
+ env:
+ SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
 - name: Zip theme files 🤐
 run: |
 $compress = @{
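Review bot: The `$signtool` path in the Prerequisites step is hard-coded to SDK build 10.0.22621.0 and exported to GITHUB_ENV without checking that it exists, so a runner image without that exact kit only fails later inside the GoReleaser post hook with a less obvious error; fail early with `if (-not (Test-Path -LiteralPath $signtool)) { throw "signtool not found at $signtool" }` before the Write-Output, and the same for `$openssl`. The same hard-coded path appears in packages/inno/build.ps1 in this commit, so there are now two copies to keep in step. The decoded private key and PFX are written to `$env:RUNNER_TEMP` and nothing in the job removes them; on hosted runners the VM is discarded, but a final `if: always()` step that `Remove-Item`s both files keeps that from depending on the runner type.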
@@ -70,8 +89,8 @@ jobs:
 DestinationPath = "./dist/themes.zip"
 }
 Compress-Archive @compress
- - name: Add hashes 🤫
- run: |
+ run: |
+ - name: Add hashes 🤫
 Get-ChildItem ./dist -Exclude *.yaml,*.sig | Get-Unique | Foreach-Object {
 $zipHash = Get-FileHash $_.FullName -Algorithm SHA256
diff --git a/packages/inno/build.ps1 b/packages/inno/build.ps1
index 6e1b1ba86066..b9c41a571c71 100644
--- a/packages/inno/build.ps1
+++ b/packages/inno/build.ps1
@@ -10,10 +10,10 @@ Param
 # Get signing certificate
 $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
-$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
+$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
 # create a base64 encoded value of your certificate using
 # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
-# requires Windows Dev Kit 10.0.22000.0
+# requires Windows Dev Kit 10.0.22621.0
 $encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
 Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
diff --git a/packages/inno/oh-my-posh.iss b/packages/inno/oh-my-posh.iss
index 1d18f12b708c..60510827acd0 100644
--- a/packages/inno/oh-my-posh.iss
+++ b/packages/inno/oh-my-posh.iss
@@ -17,7 +17,7 @@ SignedUninstaller=yes
 CloseApplications=no
 [Files]
-Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
+Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
 Source: "bin\themes\*"; DestDir: "{app}\themes"
 [Registry]
diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml
index cafdf802da28..c82ccaea962b 100644
--- a/src/.goreleaser.yml
+++ b/src/.goreleaser.yml
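Review bot: On the new side of the Add hashes hunk `run: |` now precedes `- name: Add hashes 🤫`, the reverse of the two removed lines; indentation is lost in this rendering, but in that order the `run:` key belongs to the preceding Zip step (which already has a `run:`) and the Get-ChildItem script that follows is no longer the body of a named step. If the swap is not intended, the two added lines should read `- name: Add hashes 🤫` followed by `run: |`, exactly as removed. The step body continues past the end of the hunk.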
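Review bot: Dropping `Flags: sign` from the oh-my-posh.exe entry means the installer build no longer signs the binary it embeds and relies entirely on the GoReleaser post hook having done so, and nothing in the packaging path checks that. A `Get-AuthenticodeSignature bin\oh-my-posh.exe` check (or `signtool verify /pa`) in packages/inno/build.ps1 before compiling would fail the build instead of shipping an unsigned exe if the hook was skipped or the artifact came from a different build. `SignedUninstaller=yes` in the hunk context still depends on the SignTool configured for Inno Setup, which this change leaves untouched; a short comment on the `Source:` line noting that the exe arrives pre-signed would record the new assumption.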
@@ -37,6 +37,9 @@ builds:
 goarch: arm
 - goos: windows
 goarch: arm
+ hooks:
+ post:
+ - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
 archives:
 - id: oh-my-posh
 format: binary
@@ -44,8 +47,10 @@ archives:
 checksum:
 name_template: 'checksums.txt'
 signs:
- - cmd: openssl
- args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
+ - cmd: pwsh
+ args:
+ - "-c"
+ - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
 artifacts: checksum
 changelog:
 disable: true
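Review bot: The post hook templates the PFX password into the command line via `/p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}'`, so the secret is visible in signtool's process arguments and would appear in any log GoReleaser emits for the hook command; since the workflow step already exports SIGNING_CERTIFICATE_PASSWORD to the environment, let the child pwsh read it itself with `/p $env:SIGNING_CERTIFICATE_PASSWORD` so it never lands in the templated string. Separately, `/t http://timestamp.digicert.com` requests a legacy Authenticode timestamp; the RFC 3161 form `/tr http://timestamp.digicert.com /td SHA256` is what `/fd SHA256` signatures are normally paired with so the timestamp digest matches the signature digest. The `.EndsWith('.exe')` guard is an ordinal, case-sensitive comparison in .NET; harmless for GoReleaser's own output names, but `.EndsWith('.exe', 'OrdinalIgnoreCase')` makes that explicit.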
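Review bot: The signs entry now embeds the artifact name inside a single-quoted PowerShell string (`-in '${artifact}'`) passed through `pwsh -c`, so an artifact path containing a quote would break the command rather than be passed as one argument; `artifacts: checksum` limits this to `checksums.txt` today, but that is an implicit assumption worth a comment such as `# wrapped in pwsh so the full OPENSSL path exported by the workflow can be used`. GoReleaser runs `cmd` without a shell, so `cmd: 'C:/Program Files/Git/usr/bin/openssl.exe'` (the same literal path the workflow exports as OPENSSL) with the original args list would keep one argument per element and avoid the extra quoting layer entirely.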