
Commit 3e0db56

Rotate our Windows signing certificates (cli#5196)
- The certificate pfx file is now read from WINDOWS_CERT_PFX
- The password to decode the pfx is in WINDOWS_CERT_PASSWORD
- Quit reading from desktop-secrets repo
- Switch osslsigncode to take in pfx instead of individual certs
- 🔥 obsolete setup scripts
1 parent 28d2b52 commit 3e0db56


6 files changed

+31
-60
lines changed


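--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -27,6 +27,13 @@ jobs:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 - name: Install osslsigncode
 run: sudo apt-get install -y osslsigncode
+- name: Obtain signing cert
+run: |
+cert="$(mktemp -t cert.XXX)"
+base64 -d <<<"$CERT_CONTENTS" > "$cert"
+echo "CERT_FILE=$cert" >> $GITHUB_ENV
+env:
+CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
@@ -35,8 +42,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
-GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
-DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
+CERT_PASSWORD: ${{secrets.WINDOWS_CERT_PASSWORD}}
 - name: Checkout documentation site
 uses: actions/checkout@v2
 with:
@@ -147,15 +153,18 @@ jobs:
 "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$PWD" -p:OutputPath="$PWD" -p:OutputName="$name" -p:ProductVersion="$version"
 - name: Obtain signing cert
 id: obtain_cert
+shell: bash
+run: |
+base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx
+printf "::set-output name=cert-file::%s\n" ".\\cert.pfx"
 env:
-DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
-run: .\script\setup-windows-certificate.ps1
+CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
 - name: Sign MSI
 env:
 CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
 EXE_FILE: ${{ steps.buildmsi.outputs.msi }}
-GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
-run: .\script\sign.ps1 -Certificate $env:CERT_FILE -Executable $env:EXE_FILE
+CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
+run: .\script\signtool sign /d "GitHub CLI" /f $env:CERT_FILE /p $env:CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /v $env:EXE_FILE
 - name: Upload MSI
 shell: bash
 run: |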
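Review bot: The Windows job decodes the PFX into the checkout itself (third hunk, `base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx`) and no later step in this section removes it, so the private key sits in the working tree for every step that follows, including the MSI upload. Writing it outside the tree, `base64 -d <<<"$CERT_CONTENTS" > "$RUNNER_TEMP/cert.pfx"` (assuming the runner's `RUNNER_TEMP` is set in the bash shell, which is not visible here), or adding an `if: always()` step that deletes it, keeps the key out of anything that archives the workspace; the Linux job's `mktemp` file is never removed either, but at least lives outside the checkout. The inline `signtool` command also passes `/tr` without the `/td sha256` that the removed `sign.ps1` call had; per signtool's documentation the RFC 3161 timestamp digest then falls back to SHA-1, so append `/td sha256` after `/tr http://timestamp.digicert.com`.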

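--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -9,7 +9,6 @@ before:
 hooks:
 - go mod tidy
 - make manpages GH_VERSION={{.Version}}
-- ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD" }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN" }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
 - <<: &build_defaults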

script/prepare-windows-cert.sh

Lines changed: 0 additions & 19 deletions
This file was deleted.

script/setup-windows-certificate.ps1

Lines changed: 0 additions & 12 deletions
This file was deleted.

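--- a/script/sign-windows-executable.sh
+++ b/script/sign-windows-executable.sh
@@ -1,26 +1,25 @@
 #!/bin/bash
 set -e
 
-if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then
-echo "skipping windows signing; cert or key not found"
+EXE="$1"
+
+if [ -z "$CERT_FILE" ]; then
+echo "skipping Windows code-signing; CERT_FILE not set" >&2
 exit 0
 fi
 
-EXECUTABLE_PATH=$1
-ARCH="386"
-
-if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
-ARCH="amd64"
+if [ ! -f "$CERT_FILE" ]; then
+echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
+exit 1
 fi
 
-OUT_PATH=gh_signed-${ARCH}.exe
+if [ -z "$CERT_PASSWORD" ]; then
+echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+exit 1
+fi
 
-osslsigncode sign \
--certs certificate.pem \
--key private-key.pem \
--n "GitHub CLI" \
--t http://timestamp.digicert.com \
--in $EXECUTABLE_PATH \
--out $OUT_PATH
+osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
+-pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+-in "$EXE" -out "$EXE"~
 
-mv $OUT_PATH $EXECUTABLE_PATH
+mv "$EXE"~ "$EXE"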
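Review bot: `EXE="$1"` is never validated, so a missing or mistyped argument reaches `osslsigncode ... -in "" -out ~` and surfaces only as the tool's own error, while `CERT_FILE` and `CERT_PASSWORD` both get explicit checks. Add the same guard before the signing call: `if [ ! -f "$EXE" ]; then echo "error Windows code-signing; executable '$EXE' not found" >&2; exit 1; fi`. Feeding the password through `-readpass <(printf "%s" "$CERT_PASSWORD")` rather than argv is the right choice and keeps it out of `ps` output. Consider also running `osslsigncode verify -in "$EXE"~` before the `mv` (it may need `-CAfile` to validate the chain) so that a signing run that exits 0 but produces an unexpected signature does not get installed over the original binary.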

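--- a/script/sign.ps1
+++ b/script/sign.ps1
@@ -6,12 +6,7 @@ param (
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 
-$thumbprint = "fb713a60a7fa79dfc03cb301ca05d4e8c1bdd431"
-$passwd = $env:GITHUB_CERT_PASSWORD
 $ProgramName = "GitHub CLI"
-
 $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
 
-& $scriptPath\signtool.exe sign /d $ProgramName /f $Certificate /p $passwd `
-/sha1 $thumbprint /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v `
-$Executable
+& $scriptPath\signtool.exe sign /d $ProgramName /f $Certificate /p $env:CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /v $Executable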
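Review bot: The rewritten `signtool.exe` call drops `/td sha256` together with the thumbprint, so the RFC 3161 timestamp requested with `/tr` no longer names its digest algorithm and, per signtool's documentation, falls back to SHA-1 even though the signature itself keeps `/fd sha256`. Restore it on the new line: `/fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $Executable`. Removing `/sha1 $thumbprint` is consistent with selecting the rotated certificate by the `/f` PFX file alone, and `$env:CERT_PASSWORD` matches the variable the workflow now sets. The `$Certificate` and `$Executable` parameters are declared in the `param` block that starts outside the hunk.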
