feat: sign Windows binary

.github/workflows/build_release_assets.yml

@@ -154,6 +154,48 @@ jobs:
           MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
           MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}
 
+      - name: Setup Windows environment
+        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
+        shell: bash
+        run: |
+          signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
+          smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
+
+          # Add signtool dir to $PATH
+          if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
+            echo "signtool.exe is not in '$signtool_install_dir'"
+            exit 1
+          fi
+          echo "$signtool_install_dir" >> $GITHUB_PATH
+
+          # Add smctl dir to $PATH
+          # Don't test if smctl is there: it is installed by the next step
+          echo "$smctl_install_dir" >> $GITHUB_PATH
+
+          # Decode our password file
+          echo "$WINDOWS_P12_FILE" | base64 --decode > "$TMPDIR/cert.p12"
+
+          # Add secrets to env
+          cat >> $GITHUB_ENV <<EOF
+          WINDOWS_CERT_FINGERPRINT=$WINDOWS_CERT_FINGERPRINT
+          SM_API_KEY=$SM_API_KEY
+          SM_HOST=$SM_HOST
+          SM_CLIENT_CERT_FILE=$TMPDIR/cert.p12
+          SM_CLIENT_CERT_PASSWORD=$SM_CLIENT_CERT_PASSWORD
+          EOF
+        env:
+          WINDOWS_P12_FILE: ${{ secrets.WINDOWS_P12_FILE }}
+          WINDOWS_CERT_FINGERPRINT: ${{ secrets.WINDOWS_CERT_FINGERPRINT }}
+          SM_API_KEY: ${{ secrets.SM_API_KEY }}
+          SM_HOST: ${{ secrets.SM_HOST }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+
+      - name: Install Windows dependencies
+        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
+        shell: bash
+        run: |
+          scripts/build-os-packages/install-keylockertools
+
       - name: Build
         shell: bash
         run: |

.gitignore

@@ -129,3 +129,4 @@ test-secret-files.json
 
 # cache
 .cache_ggshield
+*.msi

scripts/build-os-packages/build-os-packages

@@ -132,6 +132,9 @@ load_os_specific_code() {
     macOS)
         . "$SCRIPT_DIR/macos-functions.bash"
         ;;
+    Windows)
+        . "$SCRIPT_DIR/windows-functions.bash"
+        ;;
     *)
         ;;
     esac
@@ -142,6 +145,9 @@ add_os_specific_sign_requirements() {
     macOS)
         macos_add_sign_dependencies
         ;;
+    Windows)
+        windows_add_sign_dependencies
+        ;;
     *)
         ;;
     esac
@@ -233,6 +239,9 @@ step_sign() {
     macOS)
         macos_sign
         ;;
+    Windows)
+        windows_sign
+        ;;
     *)
         info "Signing not supported on $HUMAN_OS, skipping step"
         ;;
@@ -324,6 +333,9 @@ cd "$ROOT_DIR"
 read_version
 init_system_vars
 load_os_specific_code
+if [ "$DO_SIGN" -eq 1 ] ; then
+    add_os_specific_sign_requirements
+fi
 
 if [ -z "$steps" ] ; then
     steps=$DEFAULT_STEPS

scripts/build-os-packages/install-keylockertools

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DOWNLOAD_URL=https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download
+KEYLOCKER_TOOLS_MSI_PATH=Keylockertools-windows-x64.msi
+
+if command -v smctl.exe > /dev/null ; then
+    echo "Skipping installation of Keylockertools, smctl is already there"
+else
+    curl \
+        -H "x-api-key:$SM_API_KEY" \
+        -o "$KEYLOCKER_TOOLS_MSI_PATH" \
+        --continue-at - \
+        "$DOWNLOAD_URL"
+
+    # double '/' so that Git Bash does not turn them into paths
+    msiexec //passive //i "$KEYLOCKER_TOOLS_MSI_PATH"
+fi
+
+if ! command -v smctl.exe > /dev/null ; then
+    echo "smctl.exe not found after installation. Make sure its installation dir is in \$PATH"
+    exit 1
+fi
+
+smksp_registrar list
+smctl keypair ls
+certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+
+# Synchronize certificates with Windows certificate store
+smctl windows certsync
+
+smctl healthcheck --tools

scripts/build-os-packages/windows-functions.bash

@@ -0,0 +1,27 @@
+WINDOWS_CERT_FINGERPRINT=${WINDOWS_CERT_FINGERPRINT:-}
+
+windows_add_sign_dependencies() {
+    REQUIREMENTS="$REQUIREMENTS smctl signtool"
+}
+
+windows_sign() {
+    check_var WINDOWS_CERT_FINGERPRINT
+
+    # All the SM_* vars are required by smctl
+    check_var SM_API_KEY
+    check_var SM_HOST
+    check_var SM_CLIENT_CERT_FILE
+    check_var SM_CLIENT_CERT_PASSWORD
+
+    if [ ! -f "$SM_CLIENT_CERT_FILE" ] ; then
+        die "$SM_CLIENT_CERT_FILE does not exist"
+    fi
+
+    local archive_dir="$PACKAGES_DIR/$ARCHIVE_DIR_NAME"
+    smctl sign \
+        --verbose \
+        --fingerprint "$WINDOWS_CERT_FINGERPRINT" \
+        --tool signtool \
+        --input "$archive_dir/$INSTALL_PREFIX/ggshield.exe"
+}
+