Add code signing of release binaries via cargo-code-sign

zanieb · zanieb · commit e91fbc771acc · 2026-03-04T11:33:05.000-06:00
diff --git a/.github/workflows/build-release-binaries.yml b/.github/workflows/build-release-binaries.yml
@@ -100,6 +100,45 @@ jobs:
       - name: "Install cargo extensions"
         shell: bash
         run: scripts/install-cargo-extensions.sh
+      - name: "Prepare macOS signing certificate"
+        run: |
+          set -euo pipefail
+
+          CERT_NAME="uv-codesign-ci"
+          CERT_DIR="$RUNNER_TEMP/codesign-cert"
+          mkdir -p "$CERT_DIR"
+
+          openssl req -x509 -newkey rsa:2048 -sha256 -days 7 -nodes \
+            -keyout "$CERT_DIR/key.pem" \
+            -out "$CERT_DIR/cert.pem" \
+            -subj "/CN=$CERT_NAME" \
+            -addext "extendedKeyUsage=codeSigning" \
+            -addext "keyUsage=digitalSignature"
+
+          P12_PASSWORD="$(uuidgen | tr -d '-')"
+
+          # LibreSSL (shipped with macOS) doesn't support -legacy; OpenSSL 3.x
+          # requires it for macOS keychain compatibility.
+          LEGACY_FLAG=""
+          if openssl version 2>&1 | grep -q "^OpenSSL 3"; then
+            LEGACY_FLAG="-legacy"
+          fi
+
+          openssl pkcs12 -export $LEGACY_FLAG \
+            -inkey "$CERT_DIR/key.pem" \
+            -in "$CERT_DIR/cert.pem" \
+            -name "$CERT_NAME" \
+            -out "$CERT_DIR/cert.p12" \
+            -passout pass:"$P12_PASSWORD"
+
+          CERT_B64="$(base64 < "$CERT_DIR/cert.p12" | tr -d '\n')"
+          CERT_SHA1="$(openssl x509 -in "$CERT_DIR/cert.pem" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':')"
+
+          {
+            echo "CODESIGN_IDENTITY=$CERT_SHA1"
+            echo "CODESIGN_CERTIFICATE=$CERT_B64"
+            echo "CODESIGN_CERTIFICATE_PASSWORD=$P12_PASSWORD"
+          } >> "$GITHUB_ENV"
 
       # uv
       - name: "Build wheels - x86_64"
@@ -166,6 +205,45 @@ jobs:
       - name: "Install cargo extensions"
         shell: bash
         run: scripts/install-cargo-extensions.sh
+      - name: "Prepare macOS signing certificate"
+        run: |
+          set -euo pipefail
+
+          CERT_NAME="uv-codesign-ci"
+          CERT_DIR="$RUNNER_TEMP/codesign-cert"
+          mkdir -p "$CERT_DIR"
+
+          openssl req -x509 -newkey rsa:2048 -sha256 -days 7 -nodes \
+            -keyout "$CERT_DIR/key.pem" \
+            -out "$CERT_DIR/cert.pem" \
+            -subj "/CN=$CERT_NAME" \
+            -addext "extendedKeyUsage=codeSigning" \
+            -addext "keyUsage=digitalSignature"
+
+          P12_PASSWORD="$(uuidgen | tr -d '-')"
+
+          # LibreSSL (shipped with macOS) doesn't support -legacy; OpenSSL 3.x
+          # requires it for macOS keychain compatibility.
+          LEGACY_FLAG=""
+          if openssl version 2>&1 | grep -q "^OpenSSL 3"; then
+            LEGACY_FLAG="-legacy"
+          fi
+
+          openssl pkcs12 -export $LEGACY_FLAG \
+            -inkey "$CERT_DIR/key.pem" \
+            -in "$CERT_DIR/cert.pem" \
+            -name "$CERT_NAME" \
+            -out "$CERT_DIR/cert.p12" \
+            -passout pass:"$P12_PASSWORD"
+
+          CERT_B64="$(base64 < "$CERT_DIR/cert.p12" | tr -d '\n')"
+          CERT_SHA1="$(openssl x509 -in "$CERT_DIR/cert.pem" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':')"
+
+          {
+            echo "CODESIGN_IDENTITY=$CERT_SHA1"
+            echo "CODESIGN_CERTIFICATE=$CERT_B64"
+            echo "CODESIGN_CERTIFICATE_PASSWORD=$P12_PASSWORD"
+          } >> "$GITHUB_ENV"
 
       # uv
       - name: "Build wheels - aarch64"
@@ -256,6 +334,25 @@ jobs:
       - name: "Install cargo extensions"
         shell: bash
         run: scripts/install-cargo-extensions.sh
+      - name: "Prepare Windows signing certificate"
+        shell: pwsh
+        run: |
+          $cert = New-SelfSignedCertificate `
+            -Type CodeSigningCert `
+            -Subject "CN=uv-codesign-ci" `
+            -CertStoreLocation "Cert:\CurrentUser\My" `
+            -NotAfter (Get-Date).AddDays(7)
+          $passwordPlain = [Guid]::NewGuid().ToString("N")
+          $password = ConvertTo-SecureString -String $passwordPlain -Force -AsPlainText
+          $pfxPath = Join-Path $env:RUNNER_TEMP "uv-codesign-ci.pfx"
+
+          Export-PfxCertificate `
+            -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
+            -FilePath $pfxPath `
+            -Password $password | Out-Null
+
+          "SIGNTOOL_CERTIFICATE_PATH=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
+          "SIGNTOOL_CERTIFICATE_PASSWORD=$passwordPlain" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
 
       # uv
       - name: "Build wheels"
diff --git a/scripts/cargo-auditable.cmd b/scripts/cargo-auditable.cmd
@@ -0,0 +1,5 @@
+@echo off
+REM Cargo wrapper that runs `cargo auditable` to embed SBOM metadata.
+REM See cargo-auditable.sh for the full explanation.
+
+cargo.exe auditable %*
diff --git a/scripts/cargo-auditable.sh b/scripts/cargo-auditable.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+## Cargo wrapper that runs `cargo auditable` to embed SBOM metadata.
+##
+## Used as the inner build command for `cargo-code-sign`.
+##
+## Usage:
+##
+##   CARGO_CODE_SIGN_CARGO="$PWD/scripts/cargo-auditable.sh" cargo-code-sign code-sign ...
+
+set -eu
+
+exec cargo auditable "$@"
diff --git a/scripts/cargo-code-sign.cmd b/scripts/cargo-code-sign.cmd
@@ -0,0 +1,5 @@
+@echo off
+REM Cargo wrapper that signs binaries after building via `cargo-code-sign`.
+REM See cargo-code-sign.sh for the full explanation.
+
+cargo-code-sign.exe code-sign %*
diff --git a/scripts/cargo-code-sign.sh b/scripts/cargo-code-sign.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+## Cargo wrapper that signs binaries after building via `cargo-code-sign`.
+##
+## Uses `CARGO_CODE_SIGN_CARGO` to determine the inner cargo command.
+## If unset, falls back to plain `cargo`.
+##
+## Usage:
+##
+##   CARGO_CODE_SIGN_CARGO="$PWD/scripts/cargo-auditable.sh" \
+##     scripts/cargo-code-sign.sh build --release
+
+set -eu
+
+exec cargo-code-sign code-sign "$@"
diff --git a/scripts/cargo.cmd b/scripts/cargo.cmd
@@ -1,15 +1,8 @@
 @echo off
-REM Wrapper script that invokes `cargo auditable` instead of plain `cargo`.
+REM Top-level cargo wrapper for release builds.
 REM
-REM Use `scripts/install-cargo-extensions.sh` to install the dependencies.
-REM
-REM Usage:
-REM
-REM   set CARGO=%CD%\scripts\cargo.cmd
-REM   cargo build --release
+REM Chains `cargo-code-sign` (post-build binary signing) with `cargo-auditable`
+REM (SBOM embedding). See cargo.sh for the full explanation.
 
-if defined REAL_CARGO (
-    "%REAL_CARGO%" auditable %*
-) else (
-    cargo.exe auditable %*
-)
+set CARGO_CODE_SIGN_CARGO=%~dp0cargo-auditable.cmd
+%~dp0cargo-code-sign.cmd %*
diff --git a/scripts/cargo.sh b/scripts/cargo.sh
@@ -1,16 +1,22 @@
 #!/usr/bin/env sh
-## Wrapper script that invokes `cargo auditable` instead of plain `cargo`.
+## Top-level cargo wrapper for release builds.
+##
+## Chains `cargo-code-sign` (post-build binary signing) with `cargo-auditable`
+## (SBOM embedding):
+##
+##   maturin -> cargo.sh -> cargo-code-sign -> cargo-auditable -> cargo
 ##
 ## Use `scripts/install-cargo-extensions.sh` to install the dependencies.
 ##
 ## Usage:
 ##
-##   CARGO="$PWD/scripts/cargo.sh" cargo build --release
+##   CARGO="$PWD/scripts/cargo.sh" maturin build --release
 
 set -eu
 
-if [ -n "${REAL_CARGO:-}" ]; then
-    exec "$REAL_CARGO" auditable "$@"
-else
-    exec cargo auditable "$@"
-fi
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Tell cargo-code-sign to use cargo-auditable as the inner build command.
+export CARGO_CODE_SIGN_CARGO="${SCRIPT_DIR}/cargo-auditable.sh"
+
+exec "${SCRIPT_DIR}/cargo-code-sign.sh" "$@"
diff --git a/scripts/check-release-artifacts-signed.sh b/scripts/check-release-artifacts-signed.sh
@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+## Check that release artifacts from a CI run are code-signed.
+##
+## Downloads macOS and Windows artifacts and wheels from the given GitHub
+## Actions run, extracts binaries, and verifies:
+##   - macOS:   codesign identity signature (not ad-hoc)
+##   - Windows: Authenticode signature present
+##
+## Usage:
+##   scripts/check-release-artifacts-signed.sh <run-id>
+
+set -euo pipefail
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <run-id>" >&2
+    exit 1
+fi
+
+missing=()
+command -v gh >/dev/null 2>&1 || missing+=(gh)
+command -v codesign >/dev/null 2>&1 || missing+=(codesign)
+command -v osslsigncode >/dev/null 2>&1 || missing+=(osslsigncode)
+
+if [ ${#missing[@]} -gt 0 ]; then
+    echo "error: missing required tools: ${missing[*]}" >&2
+    echo "" >&2
+    echo "Install with:" >&2
+    for tool in "${missing[@]}"; do
+        case "$tool" in
+            gh)            echo "  brew install gh" >&2 ;;
+            codesign)      echo "  (requires macOS)" >&2 ;;
+            osslsigncode)  echo "  brew install osslsigncode" >&2 ;;
+        esac
+    done
+    exit 1
+fi
+
+RUN_ID="$1"
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+PASS=0
+FAIL=0
+
+pass() { echo "PASS $1"; PASS=$((PASS + 1)); }
+fail() { echo "FAIL $1"; FAIL=$((FAIL + 1)); }
+
+check_macos() {
+    local binary="$1"
+    local label="$2"
+    local info
+    info=$(codesign -dv "$binary" 2>&1) || true
+    if echo "$info" | grep -q "Signature=adhoc"; then
+        fail "$label (ad-hoc, not identity-signed)"
+    elif sig_size=$(echo "$info" | grep "Signature size=" | sed 's/.*Signature size=//'); then
+        pass "$label (identity-signed, size=$sig_size)"
+    else
+        fail "$label (not signed)"
+    fi
+}
+
+check_windows() {
+    local binary="$1"
+    local label="$2"
+    local output
+    output=$(osslsigncode verify -in "$binary" 2>&1) || true
+    if echo "$output" | grep -q "Signer's certificate:"; then
+        local subject
+        subject=$(echo "$output" | grep "Subject:" | head -1 | sed 's/.*Subject: //')
+        pass "$label (Authenticode, $subject)"
+    else
+        fail "$label (not Authenticode signed)"
+    fi
+}
+
+echo "Fetching artifacts for run $RUN_ID..."
+ALL_ARTIFACTS=$(gh api "repos/{owner}/{repo}/actions/runs/$RUN_ID/artifacts" \
+    --paginate --jq '.artifacts[].name')
+
+echo ""
+
+for artifact in $ALL_ARTIFACTS; do
+    # Only check macOS and Windows archives and wheels.
+    case "$artifact" in
+        artifacts-*apple-darwin*|artifacts-macos-*)  check=check_macos ;;
+        artifacts-*windows*|artifacts-*win*)         check=check_windows ;;
+        wheels_uv-*apple-darwin*|wheels_uv-macos-*)  check=check_macos ;;
+        wheels_uv-*windows*|wheels_uv-*win*)         check=check_windows ;;
+        *) continue ;;
+    esac
+
+    dest="$WORK_DIR/$artifact"
+    mkdir -p "$dest"
+    if ! gh run download "$RUN_ID" -n "$artifact" -D "$dest"; then
+        fail "$artifact (download failed)"
+        continue
+    fi
+
+    # Extract everything: tar.gz archives, zip archives, and wheels.
+    for tarball in "$dest"/*.tar.gz; do
+        [ -f "$tarball" ] || continue
+        tar xzf "$tarball" -C "$dest"
+    done
+    for zip in "$dest"/*.zip "$dest"/*.whl; do
+        [ -f "$zip" ] || continue
+        unzip -qo "$zip" -d "$dest"
+    done
+
+    # Check each binary. The label shows the archive/wheel filename and binary name,
+    # e.g. "uv-x86_64-apple-darwin.tar.gz uv" or "uv-0.10.8-py3-none-win_amd64.whl uv.exe".
+    while IFS= read -r binary; do
+        bin_name=$(basename "$binary")
+        # Walk up to find the archive or wheel this binary came from.
+        archive=""
+        for f in "$dest"/*.tar.gz "$dest"/*.zip "$dest"/*.whl; do
+            [ -f "$f" ] && archive=$(basename "$f") && break
+        done
+        $check "$binary" "${archive:-$artifact} / $bin_name"
+    done < <(find "$dest" \( -name "uv" -o -name "uvx" -o -name "uv.exe" -o -name "uvx.exe" -o -name "uvw.exe" \) -type f ! -name "*.sha256")
+done
+
+echo ""
+echo "PASS $PASS / FAIL $FAIL"
+
+if [ "$FAIL" -gt 0 ]; then
+    exit 1
+fi
diff --git a/scripts/install-cargo-extensions.sh b/scripts/install-cargo-extensions.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 ## Install cargo extensions for release builds.
 ##
-## Installs cargo-auditable for SBOM embedding.
+## Installs cargo-auditable for SBOM embedding and cargo-code-sign for binary signing.
 ##
 ## Includes handling for cross-build containers in our release workflow.
 ##
@@ -20,6 +20,11 @@ CARGO_AUDITABLE_INSTALL="cargo install cargo-auditable \
     --git https://github.com/rust-secure-code/cargo-auditable.git \
     --rev 7df767ff9e844d742d7223c62b80353da0f18433"
 
+CARGO_CODE_SIGN_INSTALL="cargo install cargo-code-sign \
+    --locked \
+    --git https://github.com/zanieb/cargo-code-sign \
+    --rev 1a305cd50144d46fa2dbc6614c8692ac36daacde"
+
 # In Linux containers running on x86_64, build a static musl binary so the installed tool works in
 # musl-based environments (Alpine, etc.).
 #
@@ -29,6 +34,8 @@ if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ "$(uname -s 2>/dev/null)" = "Li
     MUSL_TARGET="x86_64-unknown-linux-musl"
     rustup target add "$MUSL_TARGET"
     CC=gcc $CARGO_AUDITABLE_INSTALL --target "$MUSL_TARGET"
+    CC=gcc $CARGO_CODE_SIGN_INSTALL --target "$MUSL_TARGET"
 else
     $CARGO_AUDITABLE_INSTALL
+    $CARGO_CODE_SIGN_INSTALL
 fi
