Merge pull request #87 from StanzaOrg/jw/signexe

Sign windows executable
StanzaOrg · Oct 22, 2024 · c3089ee · c3089ee
2 parents 634999a + f867d39
commit c3089ee
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/ci/build-stanza.sh b/ci/build-stanza.sh
@@ -16,6 +16,7 @@ echo "      CONAN_USER_HOME:" "${CONAN_USER_HOME:=${REPODIR}}"
 echo "       CREATE_ARCHIVE:" "${CREATE_ARCHIVE:=false}"
 echo "       CREATE_PACKAGE:" "${CREATE_PACKAGE:=false}"
 echo "         CREATE_CONAN:" "${CREATE_CONAN:=false}"
+echo "      SIGN_EXECUTABLE:" "${SIGN_EXECUTABLE:=false}"
 echo "         UPLOAD_CONAN:" "${UPLOAD_CONAN:=false}"
 echo "STANZA_BUILD_PLATFORM:" "${STANZA_BUILD_PLATFORM:=$(uname -s)}"  # linux|macos|windows
 echo "                  VER:" "${VER:=$(git -C ${REPODIR} describe --tags --abbrev=0)}"
@@ -149,6 +150,10 @@ if [ "$CREATE_PACKAGE" == "true" ] ; then
       && mv ${STANZA_PLATFORMCHAR}stanza${STANZA_EXT} stanza${STANZA_EXT} \
       && mv ${STANZA_PLATFORMCHAR}pkgs pkgs
 
+  if [ "$SIGN_EXECUTABLE" == "true" ] ; then
+      ../ci/sign-windows-release.bash
+  fi
+
   #zip -r ../${STANZA_PLATFORMCHAR}stanza_${VERU}.zip *
   zip -r ../stanza-${PLATFORM_DESC}_${VER}.zip *
   cd ..

diff --git a/ci/sign-windows-release.bash b/ci/sign-windows-release.bash
@@ -0,0 +1,48 @@
+#!/bin/bash -eu
+set -Eeuo pipefail
+
+# sign windows executables with DigiCert smctl with private key in DigiCert KeyLocker
+
+### required environment variables for authentication with DigiCert
+# example: SM_API_KEY="00000000000000000000000000_0000000000000000000000000000000000000000000000000000000000000000"
+# example: SM_HOST="https://clientauth.one.digicert.com"
+# example: SM_CLIENT_CERT_FILE="C:\Users\Administrator\.signingmanager\jwatson-digicert-clientcert-20231212-Certificate_pkcs12.p12"
+# example: SM_CLIENT_CERT_PASSWORD="xxxxxxxxxxxx"
+# example: SM_KEY_ALIAS="key_000000000"
+# example: SMCTL="C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe"
+
+# Defaulted env var inputs - can override if necessary
+echo "              SMCTL:" "${SMCTL:=C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe}"
+echo "            SM_HOST:" "${SM_HOST:=https://clientauth.one.digicert.com}"
+export SMCTL SM_HOST
+
+# check for smctl credential env vars
+VARERR=0
+for V in  SM_API_KEY  SM_HOST  SM_CLIENT_CERT_FILE  SM_CLIENT_CERT_PASSWORD  SM_KEY_ALIAS  SMCTL ; do
+  if [ ! -v ${V} ] ; then
+    echo "Error: Environment variable ${V} not found"
+    VARERR=1
+  fi
+done
+[ ${VARERR} -gt 0 ] && exit -1
+for V in  SM_CLIENT_CERT_FILE  SMCTL ; do
+  if [ ! -e "${!V}" ] ; then
+    echo "Error: ${V} file \"${!V}\" does not exist"
+    VARERR=1
+  fi
+done
+[ ${VARERR} -gt 0 ] && exit -1
+echo "SM_CLIENT_CERT_FILE:" "${SM_CLIENT_CERT_FILE}"
+echo "       SM_KEY_ALIAS:" "${SM_KEY_ALIAS}"
+
+"${SMCTL}" windows certsync --keypair-alias ${SM_KEY_ALIAS}
+"${SMCTL}" keypair ls --filter alias=${SM_KEY_ALIAS}
+
+echo "   Signing files in:" "${PWD}"
+ls -l
+for file in "stanza.exe"
+do
+  echo "Signing ${file}..."
+  "${SMCTL}" sign -i "${PWD}/${file}" --keypair-alias ${SM_KEY_ALIAS} --verbose
+  "${SMCTL}" sign verify -i "${PWD}/${file}"
+done