🧹 Sign windows binaries (#97)

.github/workflows/goreleaser.yml

@@ -8,6 +8,12 @@ on:
 
 jobs:
   goreleaser:
+    permissions:
+      # Add "contents" to write release
+      contents: 'write'
+      # Add "id-token" for google-github-actions/auth
+      id-token: 'write'
+
     runs-on: self-hosted
     timeout-minutes: 120
     steps:
@@ -19,13 +25,31 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.19
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v0'
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WIP }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+      - id: 'gcp_secrets'
+        uses: 'google-github-actions/get-secretmanager-secrets@v0'
+        with:
+          secrets: |-
+            code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
+            code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
       - name: "Write RPM Signing Cert"
         run: |
           gpgkey="$(mktemp -t gpgkey.XXX)"
           base64 -d <<<"$GPG_KEY" > "$gpgkey"
           echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
         env:
           GPG_KEY: '${{ secrets.GPG_KEY}}'
+      - name: "Write Windows Signing Cert"
+        run: |
+          cert="$(mktemp -t cert.XXX)"
+          base64 -d <<<"$CERT_CONTENTS" > "$cert"
+          echo "CERT_FILE=$cert" >> $GITHUB_ENV
+        env:
+          CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
@@ -35,6 +59,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
       - name: Check RPMs 
         run: |
           rpm -qpi dist/*.rpm

.gitignore

@@ -1 +1,2 @@
-cnquery
+cnquery
+gha-creds-*.json

.goreleaser.yml

@@ -48,6 +48,9 @@ builds:
     ldflags:
       - "-extldflags -static"
       - -s -w -X go.mondoo.com/cnspec.Version={{.Version}} -X go.mondoo.com/cnspec.Build={{.ShortCommit}} -X go.mondoo.com/cnspec.Date={{.Date}}
+    hooks:
+      post:
+        - ./scripts/pkg/windows/sign-windows-executable.sh '{{ .Path }}'
 nfpms:
   -
     maintainer: Mondoo <[email protected]>

scripts/pkg/windows/sign-windows-executable.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# MIT License
+
+# Copyright (c) 2019 GitHub Inc.
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+set -e
+
+EXE="$1"
+
+if [ -z "$CERT_FILE" ]; then
+  echo "skipping Windows code-signing; CERT_FILE not set" >&2
+  exit 0
+fi
+
+if [ ! -f "$CERT_FILE" ]; then
+  echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
+  exit 1
+fi
+
+if [ -z "$CERT_PASSWORD" ]; then
+  echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+  exit 1
+fi
+
+osslsigncode sign -n "Mondoo cnspec" -t http://timestamp.digicert.com \
+  -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+  -in "$EXE" -out "$EXE"~
+
+mv "$EXE"~ "$EXE"