From 211868195846c189c079edfffd39e9c9b9ca42c8 Mon Sep 17 00:00:00 2001
From: David Bennett <71459415+Jagularr@users.noreply.github.com>
Date: Thu, 11 Feb 2021 16:24:06 -0500
Subject: [PATCH] Code Signing for Windows (#8816)
* Draft config
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Create sign-windows.ps1
* Updated config.yml
* Updated config.yml
* Delete sign-windows.ps1
* Updated config.yml
* Updated config.yml
* updating config
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Create windows-signing.ps1
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
* Updated config.yml
---
 .circleci/config.yml | 27 ++++++++++++++++++++++++---
 scripts/windows-signing.ps1 | 29 +++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 scripts/windows-signing.ps1
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1c8b8da82..6eff53ee8 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -66,6 +66,10 @@ commands:
 - store_artifacts:
 path: './build/dist'
 destination: 'build/dist'
+ - persist_to_workspace:
+ root: './build'
+ paths:
+ - 'dist'
 jobs:
 deps:
 executor: go-1_15
@@ -108,7 +112,6 @@ jobs:
 - 'usr/local/Cellar/go'
 - 'usr/local/bin/gofmt'
 - 'Users/distiller/go'
-
 test-go-1_14:
 executor: go-1_14
 steps:
@@ -155,7 +158,22 @@ jobs:
 steps:
 - package:
 nightly: true
-
+ package-sign-windows:
+ executor:
+ name: win/default
+ shell: powershell.exe
+ steps:
+ - checkout
+ - attach_workspace:
+ at: '/build'
+ - run:
+ name: "Sign Windows Executables"
+ shell: powershell.exe
+ command: |
+ ./scripts/windows-signing.ps1
+ - store_artifacts:
+ path: './build/dist'
+ destination: 'build/dist'
 workflows:
 version: 2
 check:
@@ -223,6 +241,9 @@ workflows:
 only: /.*/
 branches:
 ignore: /.*/
+ - 'package-sign-windows':
+ requires:
+ - 'release'
 nightly:
 jobs:
 - 'deps'
@@ -257,4 +278,4 @@ workflows:
 filters:
 branches:
 only:
- - master
+ - master
\ No newline at end of file
diff --git a/scripts/windows-signing.ps1 b/scripts/windows-signing.ps1
new file mode 100644
index 000000000..d7fca9ee1
--- /dev/null
+++ b/scripts/windows-signing.ps1
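Review bot: The new `package-sign-windows` job attaches the workspace at `at: '/build'`, but the script it runs reads its inputs from the relative path `./build/dist` and the job's own `store_artifacts` step reads `./build/dist` as well; the workspace was persisted from `root: './build'` in the earlier hunk. Unless `/build` happens to resolve to the checkout's `build` directory on the Windows executor (which I cannot confirm from here), the script's `Get-ChildItem` finds no `*windows*` archives, the loop signs nothing, and the job still succeeds. Attaching at the same relative root the producer used, `at: './build'`, makes the two paths agree. The job's indentation is not recoverable from this rendering, so the placement of `- store_artifacts:` under `steps:` should also be double-checked.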
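Review bot: The new `package-sign-windows` workflow entry declares `requires: - 'release'` but no `filters` block, while the context lines just above it (`only: /.*/`, `branches: ignore: /.*/`) look like a tags-only filter on the job it depends on. In CircleCI a job downstream of a tag-filtered job must carry a matching tag filter or it is not scheduled for tag-triggered pipelines, so the signing step would likely never run on a release tag. Mirror the upstream filter on the new entry, e.g. `filters: {tags: {only: /.*/}, branches: {ignore: /.*/}}`. The enclosing workflow definition starts before this hunk, so the exact name of the upstream job is inferred rather than visible.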
@@ -0,0 +1,29 @@
+$tempCertFile = New-TemporaryFile
+
+# Retrieve environment variables for cert/password.
+$certText = $env:windowsCert
+$CertPass = $env:windowsCertPassword
+
+# Create a Cert object by converting the cert string to bytes.
+$finalFileName = $tempCertFile.FullName
+$certBytes = [Convert]::FromBase64String($certText)
+[System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
+$CertPath = $finalFileName
+$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
+
+# Go through the artifacts directory and sign the 'windows' artifacts.
+$artifactDirectory = "./build/dist"
+$extractDirectory = $artifactDirectory + "\" + "extracted"
+foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name)
+{
+ $artifact = $artifactDirectory + "\" + $file.Name
+ Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
+
+ $subDirectoryPath = $extractDirectory + "\" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
+ $telegrafExePath = $subDirectoryPath + "\" + "telegraf.exe"
+ Set-AuthenticodeSignature -Certificate $Cert -FilePath $telegrafExePath -TimestampServer http://timestamp.digicert.com
+ Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
+ Remove-Item $extractDirectory -Force -Recurse
+}
+
+Remove-Item $finalFileName -Force
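Review bot: The result of `Set-AuthenticodeSignature` is discarded, so a failed signature (wrong `windowsCertPassword`, a certificate without a private key, an unreachable timestamp server) leaves an unsigned `telegraf.exe` that is then re-zipped by `Compress-Archive` and published as the release artifact; the cmdlet typically reports failure through the returned object's `Status` rather than by aborting the script, and with the default `$ErrorActionPreference` a failed `Expand-Archive` does not stop it either. The decoded PFX written to `$finalFileName` is also only removed on the success path (last line), so any error earlier in the script leaves the signing key on the runner. Capture the signature result and fail the job unless `Status` is `Valid`, set `$ErrorActionPreference = 'Stop'` so archive errors abort, and delete the temporary file in a `finally`. A simpler alternative is to skip the temp file entirely by building the certificate from `$certBytes` with the `X509Certificate2(byte[], string)` constructor.
```powershell
$ErrorActionPreference = 'Stop'   # abort on the first error instead of publishing an unsigned build
# … unchanged: read $env:windowsCert / $env:windowsCertPassword, decode and write $finalFileName …
try {
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
    if (-not $Cert.HasPrivateKey) { throw "Signing certificate has no private key" }
    # … unchanged: $artifactDirectory / $extractDirectory setup, foreach header, Expand-Archive, path building …
        $signature = Set-AuthenticodeSignature -Certificate $Cert -FilePath $telegrafExePath -TimestampServer http://timestamp.digicert.com
        # Status is the only failure signal; NotSigned/UnknownError/HashMismatch all mean the exe must not ship.
        if ($signature.Status -ne 'Valid') {
            throw "Signing $telegrafExePath failed: $($signature.Status) $($signature.StatusMessage)"
        }
    # … unchanged: Compress-Archive and Remove-Item $extractDirectory …
}
finally {
    # Always remove the decoded PFX, even when signing aborts part-way.
    Remove-Item $finalFileName -Force -ErrorAction SilentlyContinue
}
```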