From 4753f7d921259c386a8b8bfecc4d96216b7271a0 Mon Sep 17 00:00:00 2001
From: Aurelien Gateau
Date: Mon, 3 Jun 2024 16:38:46 +0200
Subject: [PATCH] feat: sign Windows binary
---
 .github/workflows/build_release_assets.yml | 37 ++++++++++++++
 .gitignore | 1 +
 doc/dev/os-packages.md | 48 ++++++++++++++-----
 scripts/build-os-packages/build-os-packages | 12 +++++
 .../build-os-packages/install-keylockertools | 33 +++++++++++++
 .../build-os-packages/windows-functions.bash | 27 +++++++++++
 6 files changed, 146 insertions(+), 12 deletions(-)
 create mode 100755 scripts/build-os-packages/install-keylockertools
 create mode 100644 scripts/build-os-packages/windows-functions.bash
diff --git a/.github/workflows/build_release_assets.yml b/.github/workflows/build_release_assets.yml
index 551a9b6ced..f27901ec93 100644
--- a/.github/workflows/build_release_assets.yml
+++ b/.github/workflows/build_release_assets.yml
@@ -154,6 +154,43 @@ jobs:
 MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
 MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}
+ - name: Setup Windows environment
+ if: startsWith(matrix.os, 'windows-') && inputs.release_mode
+ shell: bash
+ run: |
+ signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
+ smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
+
+ # Add signtool dir to $PATH
+ if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
+ echo "signtool.exe is not in '$signtool_install_dir'"
+ exit 1
+ fi
+ echo "$signtool_install_dir" >> $GITHUB_PATH
+
+ # Add smctl dir to $PATH
+ # Don't test if smctl is there: it is installed by the next step
+ echo "$smctl_install_dir" >> $GITHUB_PATH
+
+ # Create our certificate file
+ cert_file="$TMPDIR/cert.p12"
+ echo "${{ secrets.SM_CLIENT_CERT_FILE }}" | base64 --decode > "$cert_file"
+
+ # Add secrets to env
+ cat >> $GITHUB_ENV < /dev/null ; then
+ echo "Skipping installation of Keylockertools, smctl is already there"
+else
+ curl \
+ -H "x-api-key:$SM_API_KEY" \
+ -o "$KEYLOCKER_TOOLS_MSI_PATH" \
+ --continue-at - \
+ "$DOWNLOAD_URL"
+
+ # double '/' so that Git Bash does not turn them into paths
+ msiexec //passive //i "$KEYLOCKER_TOOLS_MSI_PATH"
+fi
+
+if ! command -v smctl.exe > /dev/null ; then
+ echo "smctl.exe not found after installation. Make sure its installation dir is in \$PATH"
+ exit 1
+fi
+
+set -x # Log commands before running them
+smksp_registrar list
+smctl keypair ls
+certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+
+# Synchronize certificates with Windows certificate store
+smctl windows certsync
+
+smctl healthcheck --tools
diff --git a/scripts/build-os-packages/windows-functions.bash b/scripts/build-os-packages/windows-functions.bash
new file mode 100644
index 0000000000..1463f24254
--- /dev/null
+++ b/scripts/build-os-packages/windows-functions.bash
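Review bot: In the install-keylockertools part of this collapsed span (the extract lost everything between the workflow's `cat >> $GITHUB_ENV <` heredoc and the `command -v smctl.exe` test, including that script's file header and preamble, so I cannot see whether `set -e` is on or how `DOWNLOAD_URL` is defined), the fetched MSI is handed straight to `msiexec` with no `curl --fail` and no integrity check, so an HTTP error body or a truncated transfer written to `$KEYLOCKER_TOOLS_MSI_PATH` would be installed, and `--continue-at -` would then resume on top of the corrupt file. I would add `--fail \` to the curl call and verify a pinned digest before installing, e.g. `echo "<EXPECTED_SHA256>  $KEYLOCKER_TOOLS_MSI_PATH" | sha256sum -c -`. The same curl call puts `SM_API_KEY` on the command line, where it is visible in process listings on the runner; `-H @<headers-file>` from a temp file keeps it out of argv (the `set -x` further down comes after the curl call, so it is not traced, which is right). In the workflow hunk, `echo "${{ secrets.SM_CLIENT_CERT_FILE }}" | base64 --decode` expands the secret into the generated script body; mapping it through the step's `env:` and reading `"$SM_CLIENT_CERT_FILE"` is the documented way to keep secrets out of `run:` text.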
@@ -0,0 +1,27 @@
+WINDOWS_CERT_FINGERPRINT=${WINDOWS_CERT_FINGERPRINT:-}
+
+windows_add_sign_dependencies() {
+ REQUIREMENTS="$REQUIREMENTS smctl signtool"
+}
+
+windows_sign() {
+ check_var WINDOWS_CERT_FINGERPRINT
+
+ # All the SM_* vars are required by smctl
+ check_var SM_API_KEY
+ check_var SM_HOST
+ check_var SM_CLIENT_CERT_FILE
+ check_var SM_CLIENT_CERT_PASSWORD
+
+ if [ ! -f "$SM_CLIENT_CERT_FILE" ] ; then
+ die "$SM_CLIENT_CERT_FILE does not exist"
+ fi
+
+ local archive_dir="$PACKAGES_DIR/$ARCHIVE_DIR_NAME"
+ smctl sign \
+ --verbose \
+ --fingerprint "$WINDOWS_CERT_FINGERPRINT" \
+ --tool signtool \
+ --input "$archive_dir/$INSTALL_PREFIX/ggshield.exe"
+}
+
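Review bot: `windows_sign` never checks the outcome of signing: nothing verifies that `ggshield.exe` actually carries a valid signature after `smctl sign` returns, and whether smctl's exit status reflects a signing failure is not something this hunk shows, so a misconfigured KSP could let an unsigned binary continue through packaging. I would add, right after the `smctl sign` call, `signtool verify /pa "$archive_dir/$INSTALL_PREFIX/ggshield.exe" || die "signature verification failed"` — `signtool` is already declared as a requirement in `windows_add_sign_dependencies`, so this introduces no new dependency. It would also help to fail early with an `[ -f ... ] || die` check on the input executable before calling smctl, mirroring the existing check on `$SM_CLIENT_CERT_FILE`. Both functions read globals that come from the sourcing script (`REQUIREMENTS`, `PACKAGES_DIR`, `ARCHIVE_DIR_NAME`, `INSTALL_PREFIX`) and `windows_add_sign_dependencies` mutates one, so a short header comment on each naming the globals read and written would make this file readable on its own.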