Code Signing for Windows (#8816)

* Draft config * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Create sign-windows.ps1 * Updated config.yml * Updated config.yml * Delete sign-windows.ps1 * Updated config.yml * Updated config.yml * updating config * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Create windows-signing.ps1 * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml * Updated config.yml
2021-02-11 16:24:06 -05:00 · 2021-02-11 16:24:06 -05:00 · 2118681958
parent f3a208ee28
commit 2118681958
2 changed files with 53 additions and 3 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -66,6 +66,10 @@ commands:
      - store_artifacts:
          path: './build/dist'
          destination: 'build/dist'
      - persist_to_workspace:
          root: './build'
          paths:
            - 'dist'
 jobs:
  deps:
    executor: go-1_15
@ -108,7 +112,6 @@ jobs:
            - 'usr/local/Cellar/go'
            - 'usr/local/bin/gofmt'
            - 'Users/distiller/go'
  test-go-1_14:
    executor: go-1_14
    steps:
@ -155,7 +158,22 @@ jobs:
    steps:
      - package:
          nightly: true
-
+  package-sign-windows:
    executor:
        name: win/default
        shell: powershell.exe
    steps:
      - checkout
      - attach_workspace:
          at: '/build'
      - run:
          name: "Sign Windows Executables"
          shell: powershell.exe
          command: |
            ./scripts/windows-signing.ps1
      - store_artifacts:
          path: './build/dist'
          destination: 'build/dist'
 workflows:
  version: 2
  check:
@ -223,6 +241,9 @@ workflows:
              only: /.*/
            branches:
              ignore: /.*/
      - 'package-sign-windows':
          requires:
            - 'release'
  nightly:
    jobs:
      - 'deps'
--- a/scripts/windows-signing.ps1
+++ b/scripts/windows-signing.ps1
@ -0,0 +1,29 @@
 $tempCertFile = New-TemporaryFile
 # Retrieve environment variables for cert/password.
 $certText = $env:windowsCert
 $CertPass = $env:windowsCertPassword
 # Create a Cert object by converting the cert string to bytes.
 $finalFileName = $tempCertFile.FullName
 $certBytes = [Convert]::FromBase64String($certText)
 [System.IO.File]::WriteAllBytes($finalFileName, $certBytes)
 $CertPath = $finalFileName
 $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
 # Go through the artifacts directory and sign the 'windows' artifacts.
 $artifactDirectory = "./build/dist"
 $extractDirectory = $artifactDirectory + "\" + "extracted"
 foreach ($file in get-ChildItem $artifactDirectory | where {$_.name -like "*windows*"} | select name) 
 {
    $artifact = $artifactDirectory + "\" + $file.Name
    Expand-Archive -LiteralPath $artifact -DestinationPath $extractDirectory -Force
    $subDirectoryPath = $extractDirectory + "\" + (Get-ChildItem -Path $extractDirectory | Select-Object -First 1).Name
    $telegrafExePath = $subDirectoryPath + "\" + "telegraf.exe"
    Set-AuthenticodeSignature -Certificate $Cert -FilePath  $telegrafExePath -TimestampServer http://timestamp.digicert.com
    Compress-Archive -Path $subDirectoryPath -DestinationPath $artifact -Force
    Remove-Item $extractDirectory -Force -Recurse
 }
 Remove-Item $finalFileName -Force