Sign Windows .exes in a post-build hook

nate smith · nate smith · commit f5345fd2ca56 · 2022-01-07T12:31:06.000-06:00
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -33,6 +33,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
+          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
+          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
       - name: Checkout documentation site
         uses: actions/checkout@v2
         with:
@@ -61,7 +63,6 @@ jobs:
             api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
           done
           echo "moved ${#cards[@]} cards to the Done column"
-      
       - name: Install packaging dependencies
         run: sudo apt-get install -y rpm reprepro
       - name: Set up GPG
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -32,6 +32,12 @@ builds:
     id: windows
     goos: [windows]
     goarch: [386, amd64]
+    hooks:
+      post:
+        - cmd: ./script/sign-windows-executable.sh {{ .Path }}
+          env:
+            - GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }}
+            - DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }}
 
 archives:
   - id: nix
diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+EXECUTABLE_PATH=$1
+
+curl \
+  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
+  -H "Accept: application/vnd.github.v3.raw" \
+  --output windows-certificate.pfx \
+  --silent \
+  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+
+PROGRAM_NAME="GitHub CLI"
+
+# Convert private key to the expected format
+openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD}
+openssl rsa -in private-key.pem -outform PVK -pvk-none -out private-key.pvk 2>/dev/null # Always writes to STDERR
+
+# Convert certificate chain into the expected format
+openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}
+openssl crl2pkcs7 -nocrl -certfile certificate.pem -outform DER -out certificate.spc
+
+signcode \
+  -spc certificate.spc \
+  -v private-key.pvk \
+  -n $PROGRAM_NAME \
+  -t http://timestamp.digicert.com \
+  -a sha256 \
+$EXECUTABLE_PATH \
+1> /dev/null # STDOUT a little bit chatty here, with multiple lines
