Merge pull request cli#2160 from mbpreble/sign-windows-executables

Sign Windows .exes in a post-build hook
sskycn · Jan 18, 2022 · 8c862bb · 8c862bb
2 parents c8fef47 + 2ade4e5
commit 8c862bb
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 1 deletion.
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -25,6 +25,8 @@ jobs:
             -q .body > CHANGELOG.md
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Install osslsigncode
+        run: sudo apt-get install -y osslsigncode
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -33,6 +35,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
+          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
+          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
       - name: Checkout documentation site
         uses: actions/checkout@v2
         with:
@@ -61,7 +65,6 @@ jobs:
             api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
           done
           echo "moved ${#cards[@]} cards to the Done column"
-      
       - name: Install packaging dependencies
         run: sudo apt-get install -y rpm reprepro
       - name: Set up GPG

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -9,6 +9,7 @@ before:
   hooks:
     - go mod tidy
     - make manpages GH_VERSION={{.Version}}
+    - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD"  }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN"  }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
   - <<: &build_defaults
@@ -32,6 +33,9 @@ builds:
     id: windows
     goos: [windows]
     goarch: [386, amd64]
+    hooks:
+      post:
+        - ./script/sign-windows-executable.sh '{{ .Path }}'
 
 archives:
   - id: nix

diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+GITHUB_CERT_PASSWORD=$1
+DESKTOP_CERT_TOKEN=$2
+
+if [[ -z "$GITHUB_CERT_PASSWORD" || -z "$DESKTOP_CERT_TOKEN" ]]; then
+  echo "skipping windows signing prep; cert password or token not found"
+  exit 0
+fi
+
+curl \
+  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
+  -H "Accept: application/vnd.github.v3.raw" \
+  --output windows-certificate.pfx \
+  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+
+openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD}
+openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}
diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then
+  echo "skipping windows signing; cert or key not found"
+  exit 0
+fi
+
+EXECUTABLE_PATH=$1
+ARCH="386"
+
+if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
+  ARCH="amd64"
+fi
+
+OUT_PATH=gh_signed-${ARCH}.exe
+
+osslsigncode sign \
+  -certs certificate.pem \
+  -key private-key.pem \
+  -n "GitHub CLI" \
+  -t http://timestamp.digicert.com \
+  -in $EXECUTABLE_PATH \
+  -out $OUT_PATH
+
+mv $OUT_PATH $EXECUTABLE_PATH