From ee70191d0c0bc13dd70c9da5a3dd7ce208beb003 Mon Sep 17 00:00:00 2001
From: Jason Watson
Date: Mon, 21 Oct 2024 11:18:58 -0400
Subject: [PATCH 1/3] ci: sign windows release exe

---
 ci/build-stanza.sh | 5 ++++
 ci/sign-windows-release.bash | 49 ++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100755 ci/sign-windows-release.bash

diff --git a/ci/build-stanza.sh b/ci/build-stanza.sh
index 382c49ad..8b849394 100755
--- a/ci/build-stanza.sh
+++ b/ci/build-stanza.sh
@@ -16,6 +16,7 @@ echo " CONAN_USER_HOME:" "${CONAN_USER_HOME:=${REPODIR}}"
 echo " CREATE_ARCHIVE:" "${CREATE_ARCHIVE:=false}"
 echo " CREATE_PACKAGE:" "${CREATE_PACKAGE:=false}"
 echo " CREATE_CONAN:" "${CREATE_CONAN:=false}"
+echo " SIGN_EXECUTABLE:" "${SIGN_EXECUTABLE:=false}"
 echo " UPLOAD_CONAN:" "${UPLOAD_CONAN:=false}"
 echo "STANZA_BUILD_PLATFORM:" "${STANZA_BUILD_PLATFORM:=$(uname -s)}" # linux|macos|windows
 echo " VER:" "${VER:=$(git -C ${REPODIR} describe --tags --abbrev=0)}"
@@ -149,6 +150,10 @@ if [ "$CREATE_PACKAGE" == "true" ] ; then
 && mv ${STANZA_PLATFORMCHAR}stanza${STANZA_EXT} stanza${STANZA_EXT} \
 && mv ${STANZA_PLATFORMCHAR}pkgs pkgs
 
+ if [ "$SIGN_EXECUTABLE" == "true" ] ; then
+ ../scripts/ci/sign-windows-release.bash
+ fi
+
 #zip -r ../${STANZA_PLATFORMCHAR}stanza_${VERU}.zip *
 zip -r ../stanza-${PLATFORM_DESC}_${VER}.zip *
 cd ..
diff --git a/ci/sign-windows-release.bash b/ci/sign-windows-release.bash
new file mode 100755
index 00000000..97c15a8b
--- /dev/null
+++ b/ci/sign-windows-release.bash
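Review bot: The new `if [ "$SIGN_EXECUTABLE" == "true" ] ; then` block in the second hunk runs the signing script on every platform, although that script is Windows-only (its SMCTL default is an smctl.exe path), so a linux or macos packaging job with SIGN_EXECUTABLE=true fails late inside the script instead of skipping the step. Gate it on the platform variable printed in the first hunk: `if [ "$SIGN_EXECUTABLE" == "true" ] && [ "$STANZA_BUILD_PLATFORM" == "windows" ] ; then`. Consider also failing loudly if the script cannot be executed (`|| exit 1`), since whether build-stanza.sh itself runs under `set -e` is not visible here. The enclosing `if [ "$CREATE_PACKAGE" == "true" ]` block starts before this hunk.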
@@ -0,0 +1,49 @@
+#!/bin/bash -eu
+set -Eeuo pipefail
+
+# sign windows executables with DigiCert smctl with private key in DigiCert KeyLocker
+
+### required environment variables for authentication with DigiCert
+# example: SM_API_KEY="00000000000000000000000000_0000000000000000000000000000000000000000000000000000000000000000"
+# example: SM_HOST="https://clientauth.one.digicert.com"
+# example: SM_CLIENT_CERT_FILE="C:\Users\Administrator\.signingmanager\jwatson-digicert-clientcert-20231212-Certificate_pkcs12.p12"
+# example: SM_CLIENT_CERT_PASSWORD="xxxxxxxxxxxx"
+# example: SM_KEY_ALIAS="key_000000000"
+# example: SMCTL="C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe"
+
+# Defaulted env var inputs - can override if necessary
+echo " SMCTL:" "${SMCTL:=C:\Program Files\DigiCert\DigiCert Keylocker Tools\smctl.exe}"
+echo " SM_HOST:" "${SM_HOST:=https://clientauth.one.digicert.com}"
+export SMCTL SM_HOST
+
+# check for smctl credential env vars
+VARERR=0
+for V in SM_API_KEY SM_HOST SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD SM_KEY_ALIAS SMCTL ; do
+ if [ ! -v ${V} ] ; then
+ echo "Error: Environment variable ${V} not found"
+ VARERR=1
+ fi
+done
+[ ${VARERR} -gt 0 ] && exit -1
+for V in SM_CLIENT_CERT_FILE SMCTL ; do
+ if [ ! -e "${!V}" ] ; then
+ echo "Error: ${V} file \"${!V}\" does not exist"
+ VARERR=1
+ fi
+done
+[ ${VARERR} -gt 0 ] && exit -1
+echo "SM_CLIENT_CERT_FILE:" "${SM_CLIENT_CERT_FILE}"
+echo " SM_KEY_ALIAS:" "${SM_KEY_ALIAS}"
+
+"${SMCTL}" windows certsync --keypair-alias ${SM_KEY_ALIAS}
+"${SMCTL}" keypair ls --filter alias=${SM_KEY_ALIAS}
+
+cd jitpcb.release
+echo " Signing files in:" "${PWD}"
+ls -l
+for file in "stanza.exe"
+do
+ echo "Signing ${file}..."
+ "${SMCTL}" sign -i "${PWD}/${file}" --keypair-alias ${SM_KEY_ALIAS} --verbose
+ "${SMCTL}" sign verify -i "${PWD}/${file}"
+done

From 6d46543b9249c6dd4d4ed69e29d7ad22f41ec943 Mon Sep 17 00:00:00 2001
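Review bot: The credential check `if [ ! -v ${V} ] ; then` only tests whether each variable is set, so a secret that is exported as an empty string (the usual shape when a CI secret is missing or withheld from a job) passes the check and the run fails later inside smctl with a less clear message; test for emptiness instead: `if [ -z "${!V:-}" ] ; then`. The two `[ ${VARERR} -gt 0 ] && exit -1` lines should use `exit 1`, since `-1` is not a valid exit status (bash reports it as 255 and other shells may reject it). The options in the shebang `#!/bin/bash -eu` are dropped when the script is run as `bash file`, and the following `set -Eeuo pipefail` already covers them, so a plain `#!/bin/bash` is enough. `${SM_KEY_ALIAS}` is unquoted in the four smctl invocations; quote it for consistency with the other expansions on those lines.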
From: Jason Watson
Date: Mon, 21 Oct 2024 11:26:40 -0400
Subject: [PATCH 2/3] ci: sign windows release exe (2)

---
 ci/build-stanza.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/build-stanza.sh b/ci/build-stanza.sh
index 8b849394..604f0d66 100755
--- a/ci/build-stanza.sh
+++ b/ci/build-stanza.sh
@@ -151,7 +151,7 @@ if [ "$CREATE_PACKAGE" == "true" ] ; then
 && mv ${STANZA_PLATFORMCHAR}pkgs pkgs
 
 if [ "$SIGN_EXECUTABLE" == "true" ] ; then
- ../scripts/ci/sign-windows-release.bash
+ ../ci/sign-windows-release.bash
 fi
 
 #zip -r ../${STANZA_PLATFORMCHAR}stanza_${VERU}.zip *

From f867d39b04b6892aea30271c5cc6408db8c5299f Mon Sep 17 00:00:00 2001
From: Jason Watson
Date: Mon, 21 Oct 2024 16:08:58 -0400
Subject: [PATCH 3/3] ci: sign windows release exe (3)

---
 ci/sign-windows-release.bash | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ci/sign-windows-release.bash b/ci/sign-windows-release.bash
index 97c15a8b..0118b8f0 100755
--- a/ci/sign-windows-release.bash
+++ b/ci/sign-windows-release.bash
@@ -38,7 +38,6 @@ echo " SM_KEY_ALIAS:" "${SM_KEY_ALIAS}"
 "${SMCTL}" windows certsync --keypair-alias ${SM_KEY_ALIAS}
 "${SMCTL}" keypair ls --filter alias=${SM_KEY_ALIAS}
 
-cd jitpcb.release
 echo " Signing files in:" "${PWD}"
 ls -l
 for file in "stanza.exe"