Skip to content

Commit

Permalink
feat(sign): use Azure Code Signing
Browse files Browse the repository at this point in the history
  • Loading branch information
JanDeDobbeleer committed Nov 16, 2024
1 parent 5d96b12 commit 72fb468
Show file tree
Hide file tree
Showing 5 changed files with 51 additions and 40 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/inno.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,9 @@ jobs:
- name: Build installer 📦
id: build
env:
CERTIFICATE: ${{ secrets.CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
run: |
$version = $env:GITHUB_REF.TrimStart("refs/tags/v")
./build.ps1 -Architecture ${{ matrix.arch }} -Version $version
Expand Down
16 changes: 7 additions & 9 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,23 +55,19 @@ jobs:
$env:SIGNING_KEY > $shaSigningKeyLocation
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# install code signing dlib
nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
Write-Output "SIGNTOOLDLIB=$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# requires Windows Dev Kit 10.0.22621.0
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# openssl
$openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
- name: Run GoReleaser 🚀
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
with:
Expand All @@ -80,7 +76,9 @@ jobs:
args: release --clean --skip publish
workdir: src
env:
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- name: Zip theme files 🤐
run: |
$compress = @{
Expand Down
16 changes: 7 additions & 9 deletions packages/inno/build.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,12 @@ Param
$Version
)

# Get signing certificate
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
# create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
# requires Windows Dev Kit 10.0.22621.0
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'

# setup dependencies
nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
$signtoolDlib = "$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll"
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'

New-Item -Path "." -Name "bin" -ItemType Directory
Copy-Item -Path "../../themes" -Destination "./bin" -Recurse
Expand All @@ -35,7 +33,7 @@ $content | Out-File -Encoding 'UTF8' $ISSName

# package content
$installer = "install-$Architecture"
ISCC.exe /F$installer "/Ssigntool=$signtool sign /f $pfxPath /p $env:CERTIFICATE_PASSWORD /fd SHA256 /t http://timestamp.digicert.com `$f" $ISSName
ISCC.exe /F$installer "/Ssigntool=$signtool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib $signtoolDlib /dmdf './metadata.json' `$f" $ISSName
# get hash
$zipHash = Get-FileHash "Output/$installer.exe" -Algorithm SHA256
$zipHash.Hash | Out-File -Encoding 'UTF8' "Output/$installer.exe.sha256"
40 changes: 20 additions & 20 deletions src/.goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,36 +25,36 @@ builds:
env:
- CGO_ENABLED=0
goos:
- linux
# - linux
- windows
- darwin
- freebsd
# - darwin
# - freebsd
goarch:
- amd64
# - amd64
- arm64
- arm
- "386"
ignore:
- goos: darwin
goarch: "386"
- goos: darwin
goarch: arm
- goos: windows
goarch: arm
# - arm
# - "386"
# ignore:
# - goos: darwin
# goarch: "386"
# - goos: darwin
# goarch: arm
# - goos: windows
# goarch: arm
hooks:
post:
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib '{{ .Env.SIGNTOOLDLIB }}' /dmdf './metadata.json' '{{ .Path }}' }"
archives:
- id: oh-my-posh
format: binary
name_template: "posh-{{ .Os }}-{{ .Arch }}"
checksum:
name_template: 'checksums.txt'
signs:
- cmd: pwsh
args:
- "-c"
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
artifacts: checksum
# signs:
# - cmd: pwsh
# args:
# - "-c"
# - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
# artifacts: checksum
changelog:
disable: true
14 changes: 14 additions & 0 deletions src/metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"Endpoint": "https://weu.codesigning.azure.net",
"CodeSigningAccountName": "oh-my-posh",
"CertificateProfileName": "oh-my-posh",
"ExcludeCredentials": [
"AzureCliCredential",
"AzurePowerShellCredential",
"ManagedIdentityCredential",
"SharedTokenCacheCredential",
"VisualStudioCredential",
"VisualStudioCodeCredential",
"InteractiveBrowserCredential"
]
}

0 comments on commit 72fb468

Please sign in to comment.