Code Signing for Windows (#8816)

* Draft config * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Create sign-windows.ps1 * Updated config.yml * Updated config.yml * Delete sign-windows.ps1 * Updated config.yml * Updated config.yml * updating config * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Create windows-signing.ps1 * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml
2021-02-11 16:24:06 -05:00 · 2021-02-11 16:24:06 -05:00 · 2118681958
parent f3a208ee28
commit 2118681958
2 changed files with 53 additions and 3 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -66,6 +66,10 @@ commands:
      - store_artifacts:
          path: './build/dist'
          destination: 'build/dist'
+      - persist_to_workspace:
+          root: './build'
+          paths:
+            - 'dist'
 jobs:
  deps:
    executor: go-1_15
@ -108,7 +112,6 @@ jobs:
            - 'usr/local/Cellar/go'
            - 'usr/local/bin/gofmt'
            - 'Users/distiller/go'
-
  test-go-1_14:
    executor: go-1_14
    steps:
@ -155,7 +158,22 @@ jobs:
    steps:
      - package:
          nightly: true
-
+  package-sign-windows:
+    executor:
+        name: win/default
+        shell: powershell.exe
+    steps:
+      - checkout
+      - attach_workspace:
+          at: '/build'
+      - run:
+          name: "Sign Windows Executables"
+          shell: powershell.exe
+          command: |
+            ./scripts/windows-signing.ps1
+      - store_artifacts:
+          path: './build/dist'
+          destination: 'build/dist'
 workflows:
  version: 2
  check:
@ -223,6 +241,9 @@ workflows:
              only: /.*/
            branches:
              ignore: /.*/
+      - 'package-sign-windows':
+          requires:
+            - 'release'
  nightly:
    jobs:
      - 'deps'
@ -257,4 +278,4 @@ workflows:
          filters:
            branches:
              only:
-                - master
+                - master
--- a/scripts/windows-signing.ps1
+++ b/scripts/windows-signing.ps1
@ -0,0 +1,29 @@
+$tempCertFile = New-TemporaryFile
+
+# Retrieve environment variables for cert/password.
+$certText = $env:windowsCert
+$CertPass = $env:windowsCertPassword
+
+# Create a Cert object by converting the cert string to bytes.
+$finalFileName = $tempCertFile.FullName
+$certBytes = [Convert]::FromBase64String($certText)
+[System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
+$CertPath = $finalFileName
+$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
+
+# Go through the artifacts directory and sign the 'windows' artifacts.
+$artifactDirectory = "./build/dist"
+$extractDirectory = $artifactDirectory + "\" + "extracted"
+foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name) 
+{
+    $artifact = $artifactDirectory + "\" + $file.Name
+    Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
+
+    $subDirectoryPath = $extractDirectory + "\" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
+    $telegrafExePath = $subDirectoryPath + "\" + "telegraf.exe"
+    Set-AuthenticodeSignature -Certificate $Cert -FilePath  $telegrafExePath -TimestampServer http://timestamp.digicert.com
+    Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
+    Remove-Item $extractDirectory -Force -Recurse
+}
+
+Remove-Item $finalFileName -Force