feat(sign): use Azure Code Signing

JanDeDobbeleer · Nov 16, 2024 · 6903642 · 6903642
1 parent 1cbefb1
commit 6903642
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 40 deletions.
diff --git a/.github/workflows/inno.yml b/.github/workflows/inno.yml
@@ -19,8 +19,9 @@ jobs:
     - name: Build installer 📦
       id: build
       env:
-        CERTIFICATE: ${{ secrets.CERTIFICATE }}
-        CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
+        AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       run: |
         $version = $env:GITHUB_REF.TrimStart("refs/tags/v")
         ./build.ps1 -Architecture ${{ matrix.arch }}  -Version $version

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -55,23 +55,19 @@ jobs:
           $env:SIGNING_KEY > $shaSigningKeyLocation
           Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
-          # create a base64 encoded value of your certificate using
-          # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
-          $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
-          $encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
-          Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
-          Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          # install code signing dlib
+          nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
+          Write-Output "SIGNTOOLDLIB=$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
           # requires Windows Dev Kit 10.0.22621.0
-          $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
+          $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
           Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
           # openssl
           $openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
           Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
         env:
           SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
-          SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
       - name: Run GoReleaser 🚀
         uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
         with:
@@ -80,7 +76,9 @@ jobs:
           args: release --clean --skip publish
           workdir: src
         env:
-          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
       - name: Zip theme files 🤐
         run: |
           $compress = @{

diff --git a/packages/inno/build.ps1 b/packages/inno/build.ps1
@@ -8,14 +8,12 @@ Param
     $Version
 )
 
-# Get signing certificate
-$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
-$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
-# create a base64 encoded value of your certificate using
-# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
-# requires Windows Dev Kit 10.0.22621.0
-$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
-Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
+$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
+
+# setup dependencies
+nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
+$signtoolDlib = "$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll"
+$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
 
 New-Item -Path "." -Name "bin" -ItemType Directory
 Copy-Item -Path "../../themes" -Destination "./bin" -Recurse
@@ -35,7 +33,7 @@ $content | Out-File -Encoding 'UTF8' $ISSName
 
 # package content
 $installer = "install-$Architecture"
-ISCC.exe /F$installer "/Ssigntool=$signtool sign /f $pfxPath /p $env:CERTIFICATE_PASSWORD /fd SHA256 /t http://timestamp.digicert.com `$f" $ISSName
+ISCC.exe /F$installer "/Ssigntool=$signtool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib $signtoolDlib /dmdf './metadata.json' `$f" $ISSName
 # get hash
 $zipHash = Get-FileHash "Output/$installer.exe" -Algorithm SHA256
 $zipHash.Hash | Out-File -Encoding 'UTF8' "Output/$installer.exe.sha256"
diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml
@@ -25,36 +25,36 @@ builds:
     env:
       - CGO_ENABLED=0
     goos:
-      - linux
+      # - linux
       - windows
-      - darwin
-      - freebsd
+      # - darwin
+      # - freebsd
     goarch:
-      - amd64
+      # - amd64
       - arm64
-      - arm
-      - "386"
-    ignore:
-      - goos: darwin
-        goarch: "386"
-      - goos: darwin
-        goarch: arm
-      - goos: windows
-        goarch: arm
+      # - arm
+      # - "386"
+    # ignore:
+    #   - goos: darwin
+    #     goarch: "386"
+    #   - goos: darwin
+    #     goarch: arm
+    #   - goos: windows
+    #     goarch: arm
     hooks:
       post:
-        - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
+        - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib '{{ .Env.SIGNTOOLDLIB }}' /dmdf './metadata.json' '{{ .Path }}' }"
 archives:
   - id: oh-my-posh
     format: binary
     name_template: "posh-{{ .Os }}-{{ .Arch }}"
 checksum:
   name_template: 'checksums.txt'
-signs:
-  - cmd: pwsh
-    args:
-      - "-c"
-      - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
-    artifacts: checksum
+# signs:
+#   - cmd: pwsh
+#     args:
+#       - "-c"
+#       - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
+#     artifacts: checksum
 changelog:
   disable: true
diff --git a/src/metadata.json b/src/metadata.json
@@ -0,0 +1,14 @@
+{
+  "Endpoint": "https://weu.codesigning.azure.net",
+  "CodeSigningAccountName": "oh-my-posh",
+  "CertificateProfileName": "oh-my-posh",
+  "ExcludeCredentials": [
+    "AzureCliCredential",
+    "AzurePowerShellCredential",
+    "ManagedIdentityCredential",
+    "SharedTokenCacheCredential",
+    "VisualStudioCredential",
+    "VisualStudioCodeCredential",
+    "InteractiveBrowserCredential"
+  ]
+}