ci: add support for signing Windows binaries
agateau-gg committed May 31, 2024
1 parent 2f5661d commit 5dbab08
Showing 4 changed files with 70 additions and 10 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/build_release_assets.yml
Expand Up @@ -154,6 +154,14 @@ jobs:
MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}

- name: Install Windows dependencies
if: startsWith(matrix.os, 'windows-') && inputs.release_mode
shell: bash
run: |
scripts/build-os-packages/install-keylockertools
env:
SM_API_KEY: ${{ secrets.SM_API_KEY }}

- name: Build
shell: bash
run: |
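Review bot: The "Install Windows dependencies" step on lines 20–27 runs `install-keylockertools` in its own `bash` process, and the `export PATH="$INSTALL_DIR:$PATH"` that script performs does not carry over into the "Build" step that follows, which (per the `REQUIREMENTS="$REQUIREMENTS smctl"` addition in build-os-packages) expects `smctl` to be resolvable. Unless the MSI installer updates the machine PATH in a way the already-running job observes, the Build step will fail its requirements check when `DO_SIGN` is on. The usual fix is to have the install script append the tool directory to the runner's path file, e.g. `echo "$INSTALL_DIR" >> "$GITHUB_PATH"`, so every later step inherits it. The `jobs:` steps list continues outside the hunk.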
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -129,3 +129,4 @@ test-secret-files.json

# cache
.cache_ggshield
*.msi
43 changes: 33 additions & 10 deletions scripts/build-os-packages/build-os-packages
Expand Up @@ -29,6 +29,8 @@ MACOS_P12_PASSWORD_FILE=${MACOS_P12_PASSWORD_FILE:-}
# to generate one.
MACOS_API_KEY_FILE=${MACOS_API_KEY_FILE:-}

WINDOWS_CERT_FINGERPRINT=${WINDOWS_CERT_FINGERPRINT:-}

# Colors
C_RED="\e[31;1m"
C_GREEN="\e[32;1m"
Expand Down Expand Up @@ -123,6 +125,9 @@ init_system_vars() {
EXE_EXT=".exe"
HUMAN_OS=Windows
TARGET="$arch-pc-windows-msvc"
if [ "$DO_SIGN" -eq 1 ] ; then
REQUIREMENTS="$REQUIREMENTS smctl"
fi
;;
*)
die "Unknown OS. uname printed '$out'"
Expand Down Expand Up @@ -208,7 +213,13 @@ step_copy_files() {
esac
}

sign_file() {
macos_sign() {
macos_list_files_to_sign | while read path ; do
macos_sign_file "$path"
done
}

macos_sign_file() {
if [ -z "$MACOS_P12_FILE" ] ; then
die "\$MACOS_P12_FILE must be set to sign"
fi
Expand All @@ -223,24 +234,36 @@ sign_file() {
"$file"
}

list_files_to_sign() {
macos_list_files_to_sign() {
local archive_dir="$PACKAGES_DIR/$ARCHIVE_DIR_NAME"
echo "$archive_dir/$INSTALL_PREFIX/ggshield"
find "$archive_dir" -name '*.so' -o -name '*.dylib'
}

windows_sign() {
smctl healthcheck --all
smctl sign \
--fingerprint "$WINDOWS_CERT_FINGERPRINT" \
--tool signtool \
--input "$archive_dir/$INSTALL_PREFIX/ggshield.exe"
}

step_sign() {
if [ "$HUMAN_OS" != "macOS" ] ; then
info "Signing not supported on $HUMAN_OS, skipping step"
return
fi
if [ "$DO_SIGN" -eq 0 ] ; then
info "Skipping signing step"
return
fi
list_files_to_sign | while read path ; do
sign_file "$path"
done
case "$HUMAN_OS" in
macOS)
macos_sign
;;
Windows)
windows_sign
;;
*)
info "Signing not supported on $HUMAN_OS, skipping step"
;;
esac
}

step_test() {
Expand Down Expand Up @@ -289,7 +312,7 @@ step_create_archive() {
popd

if [ "$DO_SIGN" -eq 1 ] ; then
sign_file "$archive_path"
macos_sign_file "$archive_path"
fi
;;
Windows)
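Review bot: `windows_sign` (lines 86–92) builds its `--input` path from `$archive_dir`, but in the visible code that variable is only declared as a `local` inside `macos_list_files_to_sign`, so unless a global `archive_dir` is set elsewhere in the script the path passed to `smctl sign` starts from an empty value; recompute it at the top of the function with `local archive_dir="$PACKAGES_DIR/$ARCHIVE_DIR_NAME"`. The function also does not validate `WINDOWS_CERT_FINGERPRINT`, which the hunk at line 45 defaults to an empty string, whereas `macos_sign_file` dies when `MACOS_P12_FILE` is empty; add `[ -n "$WINDOWS_CERT_FINGERPRINT" ] || die "\$WINDOWS_CERT_FINGERPRINT must be set to sign"` so an unset fingerprint fails fast instead of being handed to smctl. A short header comment on `windows_sign` stating that it signs only `ggshield.exe` (not the bundled DLLs or the installer) would make the narrower scope relative to `macos_sign` explicit. The body of `macos_sign_file` and the `step_create_archive` hunk continue outside what is shown.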
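--- /dev/null
+++ b/scripts/build-os-packages/install-keylockertools
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DOWNLOAD_URL=https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download
+KEYLOCKER_TOOLS_MSI_PATH=Keylockertools-windows-x64.msi
+INSTALL_DIR="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
+
+if [ -f "$INSTALL_DIR/smctl.exe" ] ; then
+echo "Skipping installation of Keylockertools, smctl is already there"
+else
+curl \
+-H "x-api-key:$SM_API_KEY" \
+-o "$KEYLOCKER_TOOLS_MSI_PATH" \
+--continue-at - \
+"$DOWNLOAD_URL"
+
+# double '/' so that Git Bash does not turn them into paths
+msiexec //passive //i "$KEYLOCKER_TOOLS_MSI_PATH"
+fi
+
+export PATH="$INSTALL_DIR:$PATH"
+
+smksp_registrar list
+smctl keypair ls
+certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+
+# Synchronize certificates with Windows certificate store
+smctl windows certsync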
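Review bot: The `curl` invocation on lines 143–147 has no `--fail`, so an authentication or server error writes the HTTP error body into `Keylockertools-windows-x64.msi`, the failure only surfaces later in `msiexec`, and `--continue-at -` then resumes from that corrupt partial file on the next run; use `curl --fail --silent --show-error -H "x-api-key:$SM_API_KEY" ...`. `SM_API_KEY` is used without a guard, so with `set -u` a missing secret aborts with an unhelpful unbound-variable message; add `: "${SM_API_KEY:?SM_API_KEY must be set}"` before the download. The installer is executed with no integrity check, so the build installs whatever the endpoint returns; if DigiCert publishes a checksum for the MSI, verify it before `msiexec`, and otherwise note in a comment that the download is trusted solely on the basis of the authenticated HTTPS connection.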
