From 0b3cb6d57c38309926a3a389cae3c656b431b6e9 Mon Sep 17 00:00:00 2001 From: Jay Mundrawala Date: Tue, 18 Oct 2022 14:14:31 -0500 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20Sign=20windows=20binaries=20(#97?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/goreleaser.yml | 25 ++++++++++ .gitignore | 3 +- .goreleaser.yml | 3 ++ .../pkg/windows/sign-windows-executable.sh | 48 +++++++++++++++++++ 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100755 scripts/pkg/windows/sign-windows-executable.sh
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index c41d344b..55beab41 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -8,6 +8,12 @@ on: jobs: goreleaser: + permissions: + # Add "contents" to write release + contents: 'write' + # Add "id-token" for google-github-actions/auth + id-token: 'write' + runs-on: self-hosted timeout-minutes: 120 steps:
@@ -19,6 +25,17 @@ jobs: uses: actions/setup-go@v3 with: go-version: 1.19 + - name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@v0' + with: + workload_identity_provider: ${{ secrets.GCP_WIP }} + service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} + - id: 'gcp_secrets' + uses: 'google-github-actions/get-secretmanager-secrets@v0' + with: + secrets: |- + code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64 + code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge - name: "Write RPM Signing Cert" run: | gpgkey="$(mktemp -t gpgkey.XXX)"
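Review bot: The two Google actions that obtain the OIDC token and pull the code-signing certificate are pinned only to the floating `@v0` tag (`uses: 'google-github-actions/auth@v0'` and `uses: 'google-github-actions/get-secretmanager-secrets@v0'`), so whoever can move that tag controls a step that runs with `id-token: write` and receives the PFX. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: 'google-github-actions/auth@<commit-sha>  # v0.x'` (placeholder), and let a dependency bot advance the pin. The `gcp_secrets` step could also carry a `name:` like the surrounding steps so it is identifiable in the run log.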
@@ -26,6 +43,13 @@ jobs: echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV env: GPG_KEY: '${{ secrets.GPG_KEY}}' + - name: "Write Windows Signing Cert" + run: | + cert="$(mktemp -t cert.XXX)" + base64 -d <<<"$CERT_CONTENTS" > "$cert" + echo "CERT_FILE=$cert" >> $GITHUB_ENV + env: + CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}' - name: Run GoReleaser uses: goreleaser/goreleaser-action@v3 with:
@@ -35,6 +59,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }} - name: Check RPMs run: | rpm -qpi dist/*.rpm
diff --git a/.gitignore b/.gitignore
index a5e248e4..6dc848de 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-cnquery
\ No newline at end of file
+cnquery
+gha-creds-*.json
diff --git a/.goreleaser.yml b/.goreleaser.yml
index c5784dd0..6d76d14c 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -48,6 +48,9 @@ builds: ldflags: - "-extldflags -static" - -s -w -X go.mondoo.com/cnspec.Version={{.Version}} -X go.mondoo.com/cnspec.Build={{.ShortCommit}} -X go.mondoo.com/cnspec.Date={{.Date}} + hooks: + post: + - ./scripts/pkg/windows/sign-windows-executable.sh '{{ .Path }}' nfpms: - maintainer: Mondoo
diff --git a/scripts/pkg/windows/sign-windows-executable.sh b/scripts/pkg/windows/sign-windows-executable.sh
new file mode 100755
index 00000000..beb9e333
--- /dev/null
+++ b/scripts/pkg/windows/sign-windows-executable.sh
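Review bot: The decoded PFX that the `Write Windows Signing Cert` step writes to the `mktemp` path recorded in `CERT_FILE` is never removed, and the job runs on a self-hosted runner (`runs-on: self-hosted`, outside this hunk), so the signing private key stays on that machine's disk after the job; the pre-existing `GPG_KEY_PATH` file has the same problem. Add a last step to the job, after `Check RPMs`, that runs regardless of outcome: `- name: "Remove signing material"` / `if: always()` / `run: rm -f "$CERT_FILE" "$GPG_KEY_PATH"`. A short comment above the step noting that the file must outlive only the GoReleaser step would make the cleanup requirement visible to the next editor.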
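Review bot: The `post` hook added under this build entry runs `sign-windows-executable.sh` for every artifact the entry produces; if the entry's `goos` list (outside the hunk) includes anything besides `windows`, `osslsigncode` will be invoked on ELF or Mach-O binaries once `CERT_FILE` is set in CI and the build will fail. Either keep the hook on a windows-only build entry or have the script return early for non-PE inputs, e.g. `case "$EXE" in *.exe) ;; *) exit 0 ;; esac` ahead of the certificate checks. A one-line comment above `hooks:` stating which targets the hook is expected to see would make that assumption reviewable.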
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# MIT License
+
+# Copyright (c) 2019 GitHub Inc.
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+set -e
+
+EXE="$1"
+
+if [ -z "$CERT_FILE" ]; then
+ echo "skipping Windows code-signing; CERT_FILE not set" >&2
+ exit 0
+fi
+
+if [ ! -f "$CERT_FILE" ]; then
+ echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
+ exit 1
+fi
+
+if [ -z "$CERT_PASSWORD" ]; then
+ echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+ exit 1
+fi
+
+osslsigncode sign -n "Mondoo cnspec" -t http://timestamp.digicert.com \
+ -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+ -in "$EXE" -out "$EXE"~
+
+mv "$EXE"~ "$EXE"
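Review bot: `EXE="$1"` is used unchecked, so a missing or empty argument only surfaces as an `osslsigncode` error about `-in ""`, and the signed output is moved into place without ever being verified. Add `if [ -z "$EXE" ] || [ ! -f "$EXE" ]; then echo "error Windows code-signing; executable '$EXE' not found" >&2; exit 1; fi` beside the existing `CERT_FILE` check, and run `osslsigncode verify -in "$EXE"~` before the final `mv` so a signature that does not validate fails the build instead of shipping. Because the script exits 0 when `CERT_FILE` is unset, a release run in which the secret-fetch step was skipped or misconfigured silently publishes unsigned Windows binaries; if that is not intended for tagged releases, fail instead when `GITHUB_REF` points at a tag. Using `set -euo pipefail` rather than `set -e` would also make an unset `$1` an immediate error.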