CL-Softwares
/
telegraf
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: Update Windows signing process (#14565)

This commit is contained in:
Joshua Powers 2024-01-15 08:09:32 -07:00 committed by GitHub
parent 7253fcfeb3
commit 19ade37af7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.circleci/config.yml
View File

@ -394,9 +394,9 @@ jobs:
- run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*_amd64.deb") - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*_amd64.deb")
- run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*.x86_64.rpm") - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*.x86_64.rpm")
package-sign-windows: package-sign-windows:
executor: machine:
name: win/default image: ubuntu-2204:current
shell: powershell.exe resource_class: medium
steps: steps:
- checkout - checkout
- check-changed-files-or-halt - check-changed-files-or-halt
@ -404,9 +404,7 @@ jobs:
at: '/build' at: '/build'
- run: - run:
name: "Sign Windows Executables" name: "Sign Windows Executables"
shell: powershell.exe command: ./scripts/sign-windows.sh
command: |
./scripts/windows-signing.ps1
- persist_to_workspace: - persist_to_workspace:
root: './build' root: './build'
paths: paths:

44
scripts/sign-windows.sh Executable file
View File

@ -0,0 +1,44 @@
#!/bin/bash
set -eux
# Install dependencies
sudo apt update && sudo apt install --yes 7zip default-jre-headless osslsigncode wget
wget https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
sha256sum="9877a0949a9c9ac4485155bbb8679ac863d3ec3d67e0a380b880eed650d06854"
if ! echo "${sha256sum} jsign_5.0_all.deb" | sha256sum --check -; then
echo "Checksum for jsign deb failed" >&2
exit 1
fi
sudo dpkg -i jsign_5.0_all.deb
# Load certificates
touch "$SM_CLIENT_CERT_FILE"
set +x
echo "$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE.b64"
set -x
base64 -d "$SM_CLIENT_CERT_FILE.b64" > "$SM_CLIENT_CERT_FILE"
# Loop through and sign + verify the binaries
artifactDirectory="./build/dist"
extractDirectory="$artifactDirectory/extracted"
for file in "$artifactDirectory"/*windows*; do
7zz x "$file" -o$extractDirectory
subDirectoryPath=$(find $extractDirectory -mindepth 1 -maxdepth 1 -type d)
telegrafExePath="$subDirectoryPath/telegraf.exe"
jsign \
-storetype DIGICERTONE \
-alias "$SM_CERT_ALIAS" \
-storepass "$SM_API_KEY|$SM_CLIENT_CERT_FILE|$SM_CLIENT_CERT_PASSWORD" \
-alg SHA-256 \
-tsaurl http://timestamp.digicert.com \
"$telegrafExePath"
osslsigncode verify \
-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
-TSA-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
-in "$telegrafExePath"
7zz a -r "$file" "$subDirectoryPath"
rm -rf "$extractDirectory"
done

33
scripts/windows-signing.ps1
View File

@ -1,33 +0,0 @@
$tempCertFile = New-TemporaryFile
# Retrieve environment variables for cert/password.
$certText = $env:windowsCert
$CertPass = $env:windowsCertPassword
# Create a Cert object by converting the cert string to bytes.
$finalFileName = $tempCertFile.FullName
$certBytes = [Convert]::FromBase64String($certText)
[System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
$CertPath = $finalFileName
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
# Update the version of Compress-Archive to support zipping correctly.
Install-Module Microsoft.PowerShell.Archive -MinimumVersion 1.2.3.0 -Repository PSGallery -Force
Import-Module Microsoft.PowerShell.Archive
# Go through the artifacts directory and sign the 'windows' artifacts.
$artifactDirectory = "./build/dist"
$extractDirectory = $artifactDirectory + "/" + "extracted"
foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name)
{
$artifact = $artifactDirectory + "/" + $file.Name
Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
$subDirectoryPath = $extractDirectory + "/" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
$telegrafExePath = $subDirectoryPath + "/" + "telegraf.exe"
Set-AuthenticodeSignature -Certificate $Cert -FilePath $telegrafExePath -TimestampServer http://timestamp.digicert.com
Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
Remove-Item $extractDirectory -Force -Recurse
}
Remove-Item $finalFileName -Force