shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: sign windows binaries (#13086)

Browse Source
This commit is contained in:
Jon Ayers
2024-04-29 10:43:27 -05:00
committed by GitHub
parent 15157c1c40
commit 8269124ab7
3 changed files with 84 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/release.yaml
+39
View File
@@ -128,6 +128,13 @@ jobs:
- name: Setup Node - name: Setup Node
uses: ./.github/actions/setup-node uses: ./.github/actions/setup-node
# Necessary for signing Windows binaries.
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: "zulu"
java-version: "11.0"
- name: Install nsis and zstd - name: Install nsis and zstd
run: sudo apt-get install -y nsis zstd run: sudo apt-get install -y nsis zstd
@@ -161,10 +168,32 @@ jobs:
AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }} AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }} AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
- name: Setup Windows EV Signing Certificate
run: |
set -euo pipefail
touch /tmp/ev_cert.pem
chmod 600 /tmp/ev_cert.pem
echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
env:
EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
- name: Test migrations from current ref to main - name: Test migrations from current ref to main
run: | run: |
make test-migrations make test-migrations
# Setup GCloud for signing Windows binaries.
- name: Authenticate to Google Cloud
id: gcloud_auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
service_account: ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
token_format: "access_token"
- name: Setup GCloud SDK
uses: "google-github-actions/setup-gcloud@v2"
- name: Build binaries - name: Build binaries
run: | run: |
set -euo pipefail set -euo pipefail
@@ -179,16 +208,26 @@ jobs:
build/coder_helm_"$version".tgz \ build/coder_helm_"$version".tgz \
build/provisioner_helm_"$version".tgz build/provisioner_helm_"$version".tgz
env: env:
CODER_SIGN_WINDOWS: "1"
CODER_SIGN_DARWIN: "1" CODER_SIGN_DARWIN: "1"
AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }} AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }} AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
AC_APIKEY_FILE: /tmp/apple_apikey.p8 AC_APIKEY_FILE: /tmp/apple_apikey.p8
EV_KEY: ${{ secrets.EV_KEY }}
EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
EV_CERTIFICATE_PATH: /tmp/ev_cert.pem
GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
JSIGN_PATH: /tmp/jsign-6.0.jar
- name: Delete Apple Developer certificate and API key - name: Delete Apple Developer certificate and API key
run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
- name: Delete Windows EV Signing Cert
run: rm /tmp/ev_cert.pem
- name: Determine base image tag - name: Determine base image tag
id: image-base-tag id: image-base-tag
run: | run: |
scripts/build_go.sh
+10
View File
@@ -35,6 +35,7 @@ os="${GOOS:-linux}"
arch="${GOARCH:-amd64}" arch="${GOARCH:-amd64}"
slim="${CODER_SLIM_BUILD:-0}" slim="${CODER_SLIM_BUILD:-0}"
sign_darwin="${CODER_SIGN_DARWIN:-0}" sign_darwin="${CODER_SIGN_DARWIN:-0}"
sign_windows="${CODER_SIGN_WINDOWS:-0}"
output_path="" output_path=""
agpl="${CODER_BUILD_AGPL:-0}" agpl="${CODER_BUILD_AGPL:-0}"
boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0} boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
@@ -106,6 +107,11 @@ if [[ "$sign_darwin" == 1 ]]; then
requiredenvs AC_CERTIFICATE_FILE AC_CERTIFICATE_PASSWORD_FILE requiredenvs AC_CERTIFICATE_FILE AC_CERTIFICATE_PASSWORD_FILE
fi fi
if [[ "$sign_windows" == 1 ]]; then
dependencies java
requiredenvs JSIGN_PATH EV_KEYSTORE EV_KEY EV_CERTIFICATE_PATH EV_TSA_URL GCLOUD_ACCESS_TOKEN
fi
ldflags=( ldflags=(
-X "'github.com/coder/coder/v2/buildinfo.tag=$version'" -X "'github.com/coder/coder/v2/buildinfo.tag=$version'"
) )
@@ -176,4 +182,8 @@ if [[ "$sign_darwin" == 1 ]] && [[ "$os" == "darwin" ]]; then
execrelative ./sign_darwin.sh "$output_path" 1>&2 execrelative ./sign_darwin.sh "$output_path" 1>&2
fi fi
if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then
execrelative ./sign_windows.sh "$output_path" 1>&2
fi
echo "$output_path" echo "$output_path"
scripts/sign_windows.sh
Executable
+35
View File
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# This script signs the provided windows binary with an Extended Validation
# code signing certificate.
#
# Usage: ./sign_windows.sh path/to/binary
#
# On success, the input file will be signed using the EV cert.
#
# Depends on the jsign utility (and thus Java). Requires the following environment variables
# to be set:
# - $JSIGN_PATH: The path to the jsign jar.
# - $EV_KEYSTORE: The name of the keyring containing the private key
# - $EV_KEY: The name of the key.
# - $EV_CERTIFICATE_PATH: The path to the certificate.
# - $EV_TSA_URL: The url of the timestamp server to use.
set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
# Check dependencies
dependencies java
requiredenvs JSIGN_PATH EV_KEYSTORE EV_KEY EV_CERTIFICATE_PATH EV_TSA_URL GCLOUD_ACCESS_TOKEN
java -jar "$JSIGN_PATH" \
--storetype GOOGLECLOUD \
--storepass "$GCLOUD_ACCESS_TOKEN" \
--keystore "$EV_KEYSTORE" \
--alias "$EV_KEY" \
--certfile "$EV_CERTIFICATE_PATH" \
--tsmode RFC3161 \
--tsaurl "$EV_TSA_URL" \
"$@" \
1>&2