From fe0157a03b78d50e8e392c7f0a2355ad5c93d80c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20Scha=CC=88fer?= <101886095+PeterSchafer@users.noreply.github.com>
Date: Thu, 21 Sep 2023 17:57:43 +0200
Subject: [PATCH 1/3] chore: install keylocker tools

---
 .circleci/config.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 110fa57789..8e3076ae9e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -183,6 +183,13 @@ commands:
 - ~\AppData\Local\Temp\chocolatey
 - install-deps-python:
 os: win
+ - run:
+ name: Install DigiCert Keylocker Tools
+ command: |
+ cd C:\
+ curl.exe -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
+ msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
+ & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe'
 
 install-deps-windows-make:
 steps:

From 5eb55c3d4fce982fc7ecf5f7681ea5f87c5b57c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20Scha=CC=88fer?= <101886095+PeterSchafer@users.noreply.github.com>
Date: Thu, 21 Sep 2023 18:46:08 +0200
Subject: [PATCH 2/3] chore: adapt win signing script

---
 cliv2/scripts/sign_windows.ps1 | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cliv2/scripts/sign_windows.ps1 b/cliv2/scripts/sign_windows.ps1
index b52fe343e7..1ce1816144 100644
--- a/cliv2/scripts/sign_windows.ps1
+++ b/cliv2/scripts/sign_windows.ps1
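Review bot: The installer fetched by `curl.exe` is handed to `msiexec` with no integrity check, and since this command runs on the host that will hold the Keylocker client credentials, a tampered or truncated `smtools-windows-x64.msi` would be installed silently; verify its Authenticode signature before installing (a DigiCert release should carry one) and ideally pin the expected hash of the release. `curl.exe` is also missing `--fail`, so an API error response (for example from an expired `SM_API_KEY`) is written into the `.msi` and only surfaces as an opaque `msiexec` failure; `-X GET` is redundant. `msiexec.exe ... | Wait-Process` probably blocks only because the pipe makes PowerShell wait for the process rather than because `Wait-Process` receives a process object, and neither `msiexec` nor `smksp_cert_sync.exe` has its exit status checked, so a failed install is not noticed until signtool fails later. The rewrite below makes each step fail loudly.
```yaml
          command: |
            cd C:\
            curl.exe --fail --silent --show-error https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
            if ($LASTEXITCODE) { throw "Keylocker tools download failed (curl exit $LASTEXITCODE)" }
            # the installer came over the network: refuse to run it unless its publisher signature verifies
            $sig = Get-AuthenticodeSignature -FilePath smtools-windows-x64.msi
            if ($sig.Status -ne 'Valid') { throw "installer signature status: $($sig.Status)" }
            $install = Start-Process msiexec.exe -ArgumentList '/i', 'smtools-windows-x64.msi', '/quiet', '/qn' -Wait -PassThru
            if ($install.ExitCode) { throw "msiexec failed with exit code $($install.ExitCode)" }
            & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe'
            if ($LASTEXITCODE) { throw "smksp_cert_sync failed with exit code $LASTEXITCODE" }
```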
@@ -4,20 +4,19 @@ param (
 )
 
 # expected environment variables
-# $env:SIGNING_SECRETS_BINARY="EEE...." # Base64-encoded PKCS#12 certificate data
-# $env:SIGNING_SECRETS_PASSWORD="FFF" # Passkey for the PKCS#12 certificate
+# $env:SM_CODE_SIGNING_CERT_SHA1_HASH="EEE...." # thumbprint of certificate
+
 
 # Define file paths and names
 $APP_PATH = Join-Path $EXPORT_PATH $PRODUCT_NAME
 $APP_PATH_UNSIGNED = "$APP_PATH.unsigned"
-$SIGNING_SECRETS = "secrets.p12"
 $SIGNING_SECRETS_B64 = "secrets.b64"
 
 # Prefix for log messages
 $LOG_PREFIX = "--- $(Split-Path $MyInvocation.MyCommand.Path -Leaf):"
 
 # if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
-if (-Not (Test-Path env:SIGNING_SECRETS_BINARY)) {
+if (-Not (Test-Path env:SM_CODE_SIGNING_CERT_SHA1_HASH)) {
 Write-Host "$LOG_PREFIX Skipping signing, since the required secrets are not available."
 exit
 }
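Review bot: The skip guard `if (-Not (Test-Path env:SM_CODE_SIGNING_CERT_SHA1_HASH))` checks only the thumbprint, but the decode step further down reads `SM_CLIENT_CERT_FILE_B64` and `SM_CLIENT_CERT_FILE` as well; with only the hash set, `Set-Content` writes an empty `secrets.b64`, `certutil` is called with a missing output path, and the run fails noisily instead of being skipped as the comment above promises. Extend the guard to all three inputs: `if (-Not (Test-Path env:SM_CODE_SIGNING_CERT_SHA1_HASH) -or -Not (Test-Path env:SM_CLIENT_CERT_FILE_B64) -or -Not (Test-Path env:SM_CLIENT_CERT_FILE)) {`. The "expected environment variables" block should document the same three, for example `# $env:SM_CLIENT_CERT_FILE_B64="..." # Base64-encoded PKCS#12 client certificate for the signing manager` and `# $env:SM_CLIENT_CERT_FILE="..." # path the decoded client certificate is written to`, so the next maintainer does not have to infer them from the certutil call.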
@@ -27,17 +26,18 @@ Write-Host "$LOG_PREFIX Signing ""$APP_PATH"""
 # create files as needed
 Write-Host "$LOG_PREFIX Creating p12 file"
 # Save the Base64-encoded PKCS#12 certificate data to a file
-$env:SIGNING_SECRETS_BINARY | Set-Content -Path $SIGNING_SECRETS_B64
+$env:SM_CLIENT_CERT_FILE_B64 | Set-Content -Path $SIGNING_SECRETS_B64
 # Decode the Base64-encoded PKCS#12 certificate data to a binary file
-certutil -f -decode $SIGNING_SECRETS_B64 $SIGNING_SECRETS
+certutil -f -decode $SIGNING_SECRETS_B64 $env:SM_CLIENT_CERT_FILE
 
 Write-Host "$LOG_PREFIX Signing binary $APP_PATH_UNSIGNED"
+
 # Move the original executable to the .unsigned version (as expected by signtool)
 Move-Item -Path $APP_PATH -Destination $APP_PATH_UNSIGNED
 
 # Find the latest version of signtool.exe and use it to sign the executable
 $SIGNTOOL = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\" -Recurse -Include 'signtool.exe' | Where-Object { $_.FullName -like "*x64*" } | Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty FullName
-& $SIGNTOOL sign /fd SHA512 /f $SIGNING_SECRETS /p $env:SIGNING_SECRETS_PASSWORD /d "Snyk CLI" /du "https://snyk.io" /t "http://timestamp.sectigo.com" /v $APP_PATH_UNSIGNED
+& $SIGNTOOL sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /d "Snyk CLI" /du "https://snyk.io" /v $APP_PATH_UNSIGNED
 if ($LASTEXITCODE) {
 exit $LASTEXITCODE
 }
@@ -46,8 +46,8 @@ if ($LASTEXITCODE) {
 Move-Item -Path $APP_PATH_UNSIGNED -Destination $APP_PATH
 
 # Remove temporary files (the .unsigned version and the p12 certificate)
-Write-Host "$LOG_PREFIX Cleaning up $SIGNING_SECRETS"
-Remove-Item -Path $SIGNING_SECRETS
+Write-Host "$LOG_PREFIX Cleaning up $env:SM_CLIENT_CERT_FILE"
+Remove-Item -Path $env:SM_CLIENT_CERT_FILE
 Write-Host "$LOG_PREFIX Cleaning up $SIGNING_SECRETS_B64"
 Remove-Item -Path $SIGNING_SECRETS_B64
 

From da71c12b709c87946c77c27412c87c30279438fc Mon Sep 17 00:00:00 2001
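Review bot: `certutil -f -decode $SIGNING_SECRETS_B64 $env:SM_CLIENT_CERT_FILE` has no exit-status check, so a malformed or empty `SM_CLIENT_CERT_FILE_B64` leaves no (or a stale) client certificate file and the problem only surfaces later as an unhelpful signtool error; add `if ($LASTEXITCODE) { exit $LASTEXITCODE }` directly after it, mirroring the check already done after `& $SIGNTOOL`. The surrounding comments and the `Creating p12 file` log line still read as if this were the code-signing certificate, whereas after this change the decoded file is presumably the client certificate used to authenticate to the signing manager while the signing key is selected by thumbprint via `/sha1`; rewording the decode comment to `# Decode the Base64-encoded PKCS#12 client certificate used to authenticate to the signing manager (the code-signing key is referenced by thumbprint)` would prevent the two from being confused.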
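Review bot: The two `Remove-Item` calls for `$env:SM_CLIENT_CERT_FILE` and `$SIGNING_SECRETS_B64` run only on the success path: the `exit $LASTEXITCODE` after the signtool call in the previous hunk returns before this cleanup, so every failed signing run leaves the decoded client certificate and its base64 copy on the build host. Wrap the decode-sign sequence in `try { ... } finally { ... }` with the cleanup in `finally`, capturing signtool's status so the script can still exit non-zero afterwards; the relevant lines are sketched below.
```powershell
$signtool_rc = 0
try {
    # … unchanged: write secrets.b64, certutil decode, Move-Item to .unsigned, signtool lookup and call …
    $signtool_rc = $LASTEXITCODE
    if (-Not $signtool_rc) {
        Move-Item -Path $APP_PATH_UNSIGNED -Destination $APP_PATH
    }
} finally {
    # Runs on every exit path, so a failed or aborted signtool run never leaves the decoded client certificate behind
    Write-Host "$LOG_PREFIX Cleaning up $env:SM_CLIENT_CERT_FILE"
    Remove-Item -Path $env:SM_CLIENT_CERT_FILE
    Write-Host "$LOG_PREFIX Cleaning up $SIGNING_SECRETS_B64"
    Remove-Item -Path $SIGNING_SECRETS_B64
}
if ($signtool_rc) { exit $signtool_rc }
```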
From: =?UTF-8?q?Peter=20Scha=CC=88fer?= <101886095+PeterSchafer@users.noreply.github.com>
Date: Thu, 21 Sep 2023 19:33:47 +0200
Subject: [PATCH 3/3] fix: win acc tests

---
 .circleci/config.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8e3076ae9e..b2ef64cc45 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -183,6 +183,9 @@ commands:
 - ~\AppData\Local\Temp\chocolatey
 - install-deps-python:
 os: win
+
+ install-deps-windows-signing:
+ steps:
 - run:
 name: Install DigiCert Keylocker Tools
 command: |
@@ -191,6 +194,11 @@ commands:
 msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
 & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe'
 
+ install-deps-windows-full-signing:
+ steps:
+ - install-deps-windows-full
+ - install-deps-windows-signing
+
 install-deps-windows-make:
 steps:
 - restore_cache:
@@ -209,6 +217,7 @@ commands:
 - ~\AppData\Local\Temp\chocolatey
 - install-deps-python:
 os: win
+ - install-deps-windows-signing
 
 install-deps-windows-node:
 steps:
@@ -412,7 +421,7 @@ workflows:
 go_arch: amd64
 go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
 make_target: build clean-golang build-fips
- install_deps_extension: windows-full
+ install_deps_extension: windows-full-signing
 install_path: 'C:\'
 executor: win-server2022-amd64
 context: snyk-windows-signing
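Review bot: The Keylocker download becomes unconditional for every job that uses the command ending at `install-deps-python` in the `@@ -209,6 +217,7 @@` hunk once `- install-deps-windows-signing` is appended there, whereas `sign_windows.ps1` deliberately skips when the signing secrets are absent so that local and non-signing builds keep working; a job reaching this command without the `snyk-windows-signing` context would run `curl.exe` with an empty `SM_API_KEY` and then fail inside `msiexec` (inferred — the command's name and the jobs using it are outside the hunk). Either give the `Install DigiCert Keylocker Tools` command the same skip semantics with a first line of `if (-Not (Test-Path env:SM_API_KEY)) { Write-Host 'SM_API_KEY not set, skipping Keylocker tools'; exit 0 }`, or restrict the step to the `install-deps-windows-full-signing` composition added in the `@@ -191,6 +194,11 @@` hunk. A one-line comment above the new step stating why this command needs the signing tools (e.g. `# Keylocker tools are required because the make target signs the produced binaries`) would also make the dependency explicit.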