⭐️ Signing of Windows Providers (#3626)

* Signing of Windows Providers Signed-off-by: Ben Rockwood <[email protected]> * Update Signed-off-by: Ben Rockwood <[email protected]> * Add debugging Signed-off-by: Ben Rockwood <[email protected]> * Fix pathing to the cert Signed-off-by: Ben Rockwood <[email protected]> --------- Signed-off-by: Ben Rockwood <[email protected]>
mondoohq · Mar 24, 2024 · 872da6e · 872da6e
1 parent 19b6627
commit 872da6e
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/.github/workflows/providers.yaml b/.github/workflows/providers.yaml
@@ -121,6 +121,22 @@ jobs:
       - name: 'Set up gcloud CLI'
         uses: 'google-github-actions/setup-gcloud@v2'
 
+      - name: Set DigiCert Signing Variables
+        shell: bash
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > Certificate_pkcs12.p12
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=`realpath Certificate_pkcs12.p12`" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
+
+
+      # - name: Install jSign (Windows Signing Tool) -- Required for public runners
+      #   run: |
+      #     curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
+      #     sudo dpkg -i ./jsign_5.0_all.deb
+
       - name: 'Build dependencies'
         run: |
           make providers/proto
@@ -159,7 +175,7 @@ jobs:
           status: ${{ steps.build-providers.outcome }}
           url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           description: Workflow ${{ github.workflow }} for commit ${{ github.sha }} on ${{ github.ref_name }} failed
-          color: 0xff4d4d        
+          color: 0xff4d4d
 
   provider-index:
     needs: [provider-build, scoping]

diff --git a/scripts/provider_bundler.sh b/scripts/provider_bundler.sh
@@ -65,6 +65,14 @@ build_bundle(){
   fi
   cd ${PROVIDER_PATH} && CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GOARM=${GOARM} go build -tags production -ldflags "-s -w" -o ${PROVIDER_DIST}/${PROVIDER_EXECUTABLE} main.go
 
+  if [[ "${GOOS}" == "windows" ]]; then
+    ### SIGN THE BINARY
+    echo "  - Signing the binary ${PROVIDER_DIST}/${PROVIDER_EXECUTABLE}..."
+    jsign --storetype DIGICERTONE --alias "cert_492206180" \
+          --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" \
+          --tsaurl "http://timestamp.digicert.com"  ${PROVIDER_DIST}/${PROVIDER_EXECUTABLE}
+  fi
+
   # set linux flags that do not work on macos
   TAR_FLAGS=""
   if uname -s | grep -q 'Linux'; then