Merge pull request #10170 from vegaprotocol/fix-signing

feat: add windows sign action
vegaprotocol · Nov 24, 2023 · 45eee49 · 45eee49
2 parents cc3982d + 8bf00c5
commit 45eee49
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 7 deletions.
diff --git a/.github/actions/sign-windows-binary/action.yml b/.github/actions/sign-windows-binary/action.yml
@@ -0,0 +1,97 @@
+---
+name: 'Sign windows binary'
+description: 'Sign binary using EV certificate'
+
+inputs:
+  current-working-directory:
+    description: 'The working directory, where the binary is located in'
+    required: true
+    default: './'
+  binary-file:
+    description: 'Binary file to sign'
+    required: true
+    default: ''
+  gcp-credentials:
+    description: 'GCP credentials'
+    required: true
+    default: ''
+  ev-cert-pem:
+    description: 'EV certificate PEM'
+    required: true
+    default: ''
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Import signing certificate"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        echo "${{ inputs.ev-cert-pem }}" > certificate_chain.pem
+
+    - name: "Download Java v17"
+      uses: oracle-actions/setup-java@v1
+      with:
+        website: oracle.com
+        release: 17
+
+    - name: "Setup python"
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.9"
+
+    - name: "Authenticate to the Google Cloud"
+      uses: "google-github-actions/auth@v1"
+      with:
+        credentials_json: "${{ inputs.gcp-credentials }}"
+
+    - name: "Set up Cloud SDK"
+      uses: "google-github-actions/setup-gcloud@v1"
+      env:
+        CLOUDSDK_PYTHON: "python3"
+
+    - name: "Check the Google Cloud CLI"
+      shell: bash
+      run: "gcloud info"
+
+    - name: "Download signing tool and verify sha265 checksum"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        curl -L -o jsign.jar "https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar" && \
+        echo '290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar' | sha256sum -c
+
+    # We sign binaries with the EV Certificate. You MUST NOT have a key in a file to sign binary.
+    # The only options to store keys are:
+    #   - HSM architecture(e.g., AWS or Google)
+    #   - Physical USB stick with hardware stored key
+    # We are using the first option to be able to sign the binaries within the CI servers without
+    # physical access to them. However, this signing method requires the signing tool supporting the HSM key.
+    #
+    # The high-level signing procedure looks like below:
+    #   1. Calculate the SHA256 Hash for the app
+    #   2. Send a request to sign the hash to the Google Cloud
+    #   3. Google signs our signature with a physically stored key on Google's HSM server and returns the signature over the network
+    #   4. Add our certificate and the signature received from the Google HSM to the EXE file
+    #   5. Our signature hash is again signed with the timestamp authority's private key, and the final hash is added to our binary.
+    #   6. Final executable with all necessary signing information included is produced
+    - name: "Sign binary"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        java -jar jsign.jar \
+          --storetype GOOGLECLOUD \
+          --storepass "$(gcloud auth print-access-token)" \
+          --keystore "projects/vegaprotocol/locations/europe-west2/keyRings/windows-sign-apps" \
+          --alias "digicert-ev-signing-key-ecc-256" \
+          --certfile "./certificate_chain.pem" \
+          --tsmode RFC3161 \
+          --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
+          "${{ inputs.binary-file }}"
+
+    - name: "Clean up"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        rm -f certificate_chain.pem && \
+        rm -f jsign.jar
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
@@ -288,15 +288,14 @@ jobs:
         run: go build -o build/${{ matrix.app }}.exe ./cmd/${{ matrix.app }}
 
       - name: "Sign binary"
-        # we do notarization to vegawallet only
         if: ${{ matrix.app == 'vegawallet' }}
-        uses: Dana-Prajea/code-sign-action@98c79121b376beab8d6a9484f445089db4461bca
+        uses: ./.github/actions/sign-windows-binary
         with:
-          certificate: ${{ secrets.WINDOWS_CERTIFICATE }}
-          password: ${{ secrets.WINDOWS_CERTIFICATE_PASS }}
-          certificatesha1: ${{ secrets.WINDOWS_CERTIFICATE_HASH }}
-          folder: "build"
-          timestampUrl: "http://timestamp.sectigo.com"
+          current-working-directory: build
+          binary-file: ${{ matrix.app }}.exe
+          gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
+          ev-cert-pem: ${{ secrets.EV_SIGN_CERT_FULL_CHAIN_PEM }}
+
 
       - name: Check version
         if: ${{ env.GOARCH == 'amd64' }}