
Commit 8c862bb

author
Nate Smith
authored
Merge pull request cli#2160 from mbpreble/sign-windows-executables
Sign Windows .exes in a post-build hook
2 parents c8fef47 + 2ade4e5 commit 8c862bb


4 files changed

+53
-1
lines changed


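--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -25,6 +25,8 @@ jobs:
 -q .body > CHANGELOG.md
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+- name: Install osslsigncode
+run: sudo apt-get install -y osslsigncode
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
@@ -33,6 +35,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
+GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
+DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
 - name: Checkout documentation site
 uses: actions/checkout@v2
 with:
@@ -61,7 +65,6 @@ jobs:
 api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
 done
 echo "moved ${#cards[@]} cards to the Done column"
-
 - name: Install packaging dependencies
 run: sudo apt-get install -y rpm reprepro
 - name: Set up GPG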

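--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -9,6 +9,7 @@ before:
 hooks:
 - go mod tidy
 - make manpages GH_VERSION={{.Version}}
+- ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD" }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN" }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
 - <<: &build_defaults
@@ -32,6 +33,9 @@ builds:
 id: windows
 goos: [windows]
 goarch: [386, amd64]
+hooks:
+post:
+- ./script/sign-windows-executable.sh '{{ .Path }}'
 
 archives:
 - id: nix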
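Review bot: The new `before` hook at line 12 hands `GITHUB_CERT_PASSWORD` and `DESKTOP_CERT_TOKEN` to `prepare-windows-cert.sh` as positional arguments, so both secrets become part of a process command line, where they are visible to any other process on the runner and will be printed if GoReleaser echoes hook invocations in its log (it does so at least in verbose/debug output, I believe; worth confirming). Since the `.github/workflows/releases.yml` hunk in this same commit already exports both variables into the GoReleaser step's environment, the hook inherits them and the `{{ if index .Env ... }}` guard is not needed; the line can become `- ./script/prepare-windows-cert.sh` with the script reading `${GITHUB_CERT_PASSWORD:-}` and `${DESKTOP_CERT_TOKEN:-}` itself. The post hook at line 38 is unaffected, as it only passes the build path.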

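--- a/script/prepare-windows-cert.sh
+++ b/script/prepare-windows-cert.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+GITHUB_CERT_PASSWORD=$1
+DESKTOP_CERT_TOKEN=$2
+
+if [[ -z "$GITHUB_CERT_PASSWORD" || -z "$DESKTOP_CERT_TOKEN" ]]; then
+echo "skipping windows signing prep; cert password or token not found"
+exit 0
+fi
+
+curl \
+-H "Authorization: token $DESKTOP_CERT_TOKEN" \
+-H "Accept: application/vnd.github.v3.raw" \
+--output windows-certificate.pfx \
+https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+
+openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD}
+openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}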
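Review bot: The `curl` call at lines 12-16 is missing `--fail`, so a 401/404 from the API (expired token, moved repo) writes the JSON error body into `windows-certificate.pfx` and exits 0, and `set -e` only stops the script at the later `openssl` step with a misleading PKCS12 parse error. The two `openssl pkcs12` lines also place the password on the command line via `-passin pass:...`, where it is readable from the process table and is subject to word splitting because `${GITHUB_CERT_PASSWORD}` is unquoted; `-passin env:GITHUB_CERT_PASSWORD` after an `export` avoids both. Finally, `private-key.pem` is written unencrypted (`-nodes`) with the default umask into the working tree, so a `umask 077` before the downloads would keep it owner-only, and nothing here removes the key or the `.pfx` once signing is done — it is not clear from this commit whether a later step cleans them up.
```shell
# … unchanged: argument handling and skip-on-missing check …
umask 077

curl --fail --silent --show-error \
  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
  -H "Accept: application/vnd.github.v3.raw" \
  --output windows-certificate.pfx \
  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx

export GITHUB_CERT_PASSWORD
openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin env:GITHUB_CERT_PASSWORD
openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin env:GITHUB_CERT_PASSWORD
```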

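--- a/script/sign-windows-executable.sh
+++ b/script/sign-windows-executable.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then
+echo "skipping windows signing; cert or key not found"
+exit 0
+fi
+
+EXECUTABLE_PATH=$1
+ARCH="386"
+
+if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
+ARCH="amd64"
+fi
+
+OUT_PATH=gh_signed-${ARCH}.exe
+
+osslsigncode sign \
+-certs certificate.pem \
+-key private-key.pem \
+-n "GitHub CLI" \
+-t http://timestamp.digicert.com \
+-in $EXECUTABLE_PATH \
+-out $OUT_PATH
+
+mv $OUT_PATH $EXECUTABLE_PATH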
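Review bot: `$EXECUTABLE_PATH` and `$OUT_PATH` are unquoted in the `osslsigncode` call at lines 23-24 and the `mv` at line 26, so a build path containing whitespace would be split into several arguments and the signed file would be dropped in the wrong place or `mv` would fail; they should read `-in "$EXECUTABLE_PATH" \`, `-out "$OUT_PATH"` and `mv "$OUT_PATH" "$EXECUTABLE_PATH"`. The `exit 0` at line 6 also means a release built without the signing material ships unsigned `.exe` files with a green job; if unsigned Windows releases are never intended, consider failing (or at least emitting a `::warning::` annotation) when the key is absent on a tagged build rather than skipping silently. `OUT_PATH` is keyed only by `ARCH`, which is unique for the two targets in the `windows` build id, but a second Windows build id sharing an arch would race on the same temporary file when GoReleaser builds in parallel.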
