chore: Update Windows signing process (#14565)

2024-01-15 08:09:32 -07:00 · 2024-01-15 08:09:32 -07:00 · 19ade37af7
parent 7253fcfeb3
commit 19ade37af7
3 changed files with 48 additions and 39 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -394,9 +394,9 @@ jobs:
      - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*_amd64.deb")
      - run: ./tools/package_lxd_test/package_lxd_test --package $(find ./dist -name "*.x86_64.rpm")
  package-sign-windows:
-    executor:
-        name: win/default
-        shell: powershell.exe
+    machine:
+      image: ubuntu-2204:current
+    resource_class: medium
    steps:
      - checkout
      - check-changed-files-or-halt
@ -404,9 +404,7 @@ jobs:
          at: '/build'
      - run:
          name: "Sign Windows Executables"
-          shell: powershell.exe
-          command: |
-            ./scripts/windows-signing.ps1
+          command: ./scripts/sign-windows.sh
      - persist_to_workspace:
          root: './build'
          paths:
--- a/scripts/sign-windows.sh
+++ b/scripts/sign-windows.sh
@ -0,0 +1,44 @@
+#!/bin/bash
+set -eux
+
+# Install dependencies
+sudo apt update && sudo apt install --yes 7zip default-jre-headless osslsigncode wget
+wget https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
+sha256sum="9877a0949a9c9ac4485155bbb8679ac863d3ec3d67e0a380b880eed650d06854"
+if ! echo "${sha256sum}  jsign_5.0_all.deb" | sha256sum --check -; then
+    echo "Checksum for jsign deb failed" >&2
+    exit 1
+fi
+sudo dpkg -i jsign_5.0_all.deb
+
+# Load certificates
+touch "$SM_CLIENT_CERT_FILE"
+set +x
+echo "$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE.b64"
+set -x
+base64 -d "$SM_CLIENT_CERT_FILE.b64" > "$SM_CLIENT_CERT_FILE"
+
+# Loop through and sign + verify the binaries
+artifactDirectory="./build/dist"
+extractDirectory="$artifactDirectory/extracted"
+for file in "$artifactDirectory"/*windows*; do
+    7zz x "$file" -o$extractDirectory
+    subDirectoryPath=$(find $extractDirectory -mindepth 1 -maxdepth 1 -type d)
+    telegrafExePath="$subDirectoryPath/telegraf.exe"
+
+    jsign \
+        -storetype DIGICERTONE \
+        -alias "$SM_CERT_ALIAS" \
+        -storepass "$SM_API_KEY|$SM_CLIENT_CERT_FILE|$SM_CLIENT_CERT_PASSWORD" \
+        -alg SHA-256 \
+        -tsaurl http://timestamp.digicert.com \
+        "$telegrafExePath"
+
+    osslsigncode verify \
+        -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
+        -TSA-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
+        -in "$telegrafExePath"
+
+    7zz a -r "$file" "$subDirectoryPath"
+    rm -rf "$extractDirectory"
+done
--- a/scripts/windows-signing.ps1
+++ b/scripts/windows-signing.ps1
@ -1,33 +0,0 @@
-$tempCertFile = New-TemporaryFile
-
-# Retrieve environment variables for cert/password.
-$certText = $env:windowsCert
-$CertPass = $env:windowsCertPassword
-
-# Create a Cert object by converting the cert string to bytes.
-$finalFileName = $tempCertFile.FullName
-$certBytes = [Convert]::FromBase64String($certText)
-[System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
-$CertPath = $finalFileName
-$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
-
-# Update the version of Compress-Archive to support zipping correctly.
-Install-Module Microsoft.PowerShell.Archive -MinimumVersion 1.2.3.0 -Repository PSGallery -Force
-Import-Module Microsoft.PowerShell.Archive
-
-# Go through the artifacts directory and sign the 'windows' artifacts.
-$artifactDirectory = "./build/dist"
-$extractDirectory = $artifactDirectory + "/" + "extracted"
-foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name)
-{
-    $artifact = $artifactDirectory + "/" + $file.Name
-    Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
-
-    $subDirectoryPath = $extractDirectory + "/" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
-    $telegrafExePath = $subDirectoryPath + "/" + "telegraf.exe"
-    Set-AuthenticodeSignature -Certificate $Cert -FilePath  $telegrafExePath -TimestampServer http://timestamp.digicert.com
-    Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
-    Remove-Item $extractDirectory -Force -Recurse
-}
-
-Remove-Item $finalFileName -Force