diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1752c5e5b..01159d90d 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -394,9 +394,9 @@ jobs:
       - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*_amd64.deb")
       - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*.x86_64.rpm")
   package-sign-windows:
-    executor:
-      name: win/default
-      shell: powershell.exe
+    machine:
+      image: ubuntu-2204:current
+      resource_class: medium
     steps:
       - checkout
       - check-changed-files-or-halt
@@ -404,9 +404,7 @@ jobs:
           at: '/build'
       - run:
           name: "Sign Windows Executables"
-          shell: powershell.exe
-          command: |
-            ./scripts/windows-signing.ps1
+          command: ./scripts/sign-windows.sh
       - persist_to_workspace:
           root: './build'
           paths:
diff --git a/scripts/sign-windows.sh b/scripts/sign-windows.sh
new file mode 100755
index 000000000..0752df854
--- /dev/null
+++ b/scripts/sign-windows.sh
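Review bot: The replacement machine executor pins nothing: `image: ubuntu-2204:current` is a floating alias that CircleCI advances over time, so the environment that performs release code signing can change underneath the job without a commit, which hurts reproducibility and widens the blast radius of an image update. Use a dated tag from CircleCI's image list instead of `current` and bump it deliberately, e.g. `image: ubuntu-2204:<dated release>`. The script invoked in the next hunk also expects the `SM_*` DigiCert credentials in the environment; the workflow/context wiring that grants them to this job is outside the hunk, so confirm it is scoped to this job rather than the whole pipeline.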
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eux
+
+# Install dependencies
+sudo apt update && sudo apt install --yes 7zip default-jre-headless osslsigncode wget
+wget https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
+sha256sum="9877a0949a9c9ac4485155bbb8679ac863d3ec3d67e0a380b880eed650d06854"
+if ! echo "${sha256sum} jsign_5.0_all.deb" | sha256sum --check -; then
+  echo "Checksum for jsign deb failed" >&2
+  exit 1
+fi
+sudo dpkg -i jsign_5.0_all.deb
+
+# Load certificates
+touch "$SM_CLIENT_CERT_FILE"
+set +x
+echo "$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE.b64"
+set -x
+base64 -d "$SM_CLIENT_CERT_FILE.b64" > "$SM_CLIENT_CERT_FILE"
+
+# Loop through and sign + verify the binaries
+artifactDirectory="./build/dist"
+extractDirectory="$artifactDirectory/extracted"
+for file in "$artifactDirectory"/*windows*; do
+  7zz x "$file" -o$extractDirectory
+  subDirectoryPath=$(find $extractDirectory -mindepth 1 -maxdepth 1 -type d)
+  telegrafExePath="$subDirectoryPath/telegraf.exe"
+
+  jsign \
+    -storetype DIGICERTONE \
+    -alias "$SM_CERT_ALIAS" \
+    -storepass "$SM_API_KEY|$SM_CLIENT_CERT_FILE|$SM_CLIENT_CERT_PASSWORD" \
+    -alg SHA-256 \
+    -tsaurl http://timestamp.digicert.com \
+    "$telegrafExePath"
+
+  osslsigncode verify \
+    -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
+    -TSA-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
+    -in "$telegrafExePath"
+
+  7zz a -r "$file" "$subDirectoryPath"
+  rm -rf "$extractDirectory"
+done
diff --git a/scripts/windows-signing.ps1 b/scripts/windows-signing.ps1
deleted file mode 100644
index 770462974..000000000
--- a/scripts/windows-signing.ps1
+++ /dev/null
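Review bot: The jsign invocation runs with xtrace still enabled (`set -eux` at the top is only suspended around the `echo` of the base64 blob), so the `-storepass "$SM_API_KEY|$SM_CLIENT_CERT_FILE|$SM_CLIENT_CERT_PASSWORD"` line is expanded and printed to the CI log with the DigiCert ONE API key and client-certificate password in clear; CircleCI's secret masking may redact them, but a signing script should not depend on that. Wrap the jsign call in `set +x` / `set -x` the same way the decode is, and drop the intermediate file by decoding directly under `set +x` with `base64 -d <<<"$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE"`. The decoded client certificate and its `.b64` copy are also left on disk when the script exits, unlike the PowerShell version it replaces, which removed its temp file; add `trap 'rm -f "$SM_CLIENT_CERT_FILE" "$SM_CLIENT_CERT_FILE.b64"' EXIT` right after the decode so cleanup also happens on the `set -e` failure paths. The jsign .deb is pinned by sha256 before `dpkg -i`, which is the right pattern; the apt-installed osslsigncode/7zip are not pinned, which is tolerable for the verification step but worth a comment.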
@@ -1,33 +0,0 @@
-$tempCertFile = New-TemporaryFile
-
-# Retrieve environment variables for cert/password.
-$certText = $env:windowsCert
-$CertPass = $env:windowsCertPassword
-
-# Create a Cert object by converting the cert string to bytes.
-$finalFileName = $tempCertFile.FullName
-$certBytes = [Convert]::FromBase64String($certText)
-[System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
-$CertPath = $finalFileName
-$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
-
-# Update the version of Compress-Archive to support zipping correctly.
-Install-Module Microsoft.PowerShell.Archive -MinimumVersion 1.2.3.0 -Repository PSGallery -Force
-Import-Module Microsoft.PowerShell.Archive
-
-# Go through the artifacts directory and sign the 'windows' artifacts.
-$artifactDirectory = "./build/dist"
-$extractDirectory = $artifactDirectory + "/" + "extracted"
-foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name)
-{
-    $artifact = $artifactDirectory + "/" + $file.Name
-    Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
-
-    $subDirectoryPath = $extractDirectory + "/" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
-    $telegrafExePath = $subDirectoryPath + "/" + "telegraf.exe"
-    Set-AuthenticodeSignature -Certificate $Cert -FilePath $telegrafExePath -TimestampServer http://timestamp.digicert.com
-    Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
-    Remove-Item $extractDirectory -Force -Recurse
-}
-
-Remove-Item $finalFileName -Force