Migrate Code Signing from DigiCert to Azure Trusted Signer (#5809)

Refactor Windows signing workflow; improve OIDC auth, input handling, and artifact validation

- Switched Azure authentication to OIDC 
- Refactored workflows to sign Windows binaries using Azure Trusted Signing
- Added snapshot and artifact upload options to support validation without publishing

Signed-off-by: Gary Bright <gary@mondoo.com>

Author: username-is-already-taken2

.github/.goreleaser-unstable.yml

@@ -64,7 +64,7 @@ builds:
       - -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
     hooks:
       post:
-        - cmd: jsign --storetype DIGICERTONE --alias "{{ .Env.SM_CERT_ALIAS }}" --storepass "{{ .Env.SM_API_KEY }}|{{ .Env.SM_CLIENT_CERT_FILE}}|{{ .Env.SM_CLIENT_CERT_PASSWORD }}" --tsaurl "http://timestamp.digicert.com" '{{ .Path }}'
+        - cmd: jsign --storetype TRUSTEDSIGNING --keystore {{ .Env.TSIGN_AZURE_ENDPOINT }} --storepass {{ .Env.TSIGN_ACCESS_TOKEN }} --alias {{ .Env.TSIGN_ACCOUNT_NAME }}/{{ .Env.TSIGN_CERT_PROFILE_NAME }} '{{ .Path }}'
 nfpms:
   -
     maintainer: Mondoo <hello@mondoo.com>
@@ -89,7 +89,7 @@ checksum:
   name_template: '{{ .ProjectName }}_v{{ .Version }}_SHA256SUMS'
   algorithm: sha256
 snapshot:
-  name_template: "{{ .Tag }}-snapshot"
+  version_template: "{{ .Tag }}-snapshot"
 changelog:
   use: github-native
 dockers: # https://goreleaser.com/customization/docker/

.github/workflows/goreleaser.yml

@@ -11,7 +11,21 @@ on:
         type: boolean
         required: false
         default: false
-
+      use-test-cert:
+        description: "Use test certificate profile (not publicly trusted)"
+        required: false
+        default: false
+        type: boolean
+      goreleaser-snapshot:
+        description: 'Run goreleaser in snapshot mode, which will not publish and bypass tag checks.'
+        required: false
+        default: false
+        type: boolean
+      upload-artifacts:
+        description: "Uploading artifacts to workflow"
+        required: false
+        default: false
+        type: boolean
 
 env:
   REGISTRY: docker.io
@@ -25,16 +39,20 @@ jobs:
       id-token: 'write'
 
     runs-on: self-hosted
+    environment: prod
     timeout-minutes: 120
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Dump all inputs
+        run: echo "${{ toJSON(inputs) }}"
+
       - name: Skip Publish for Alpha and Beta Tags
         id: skip-publish
-        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == 'true'
+        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
         run: |
           echo "Skipping publish for alpha and beta tags"
           echo "skip-publish=true" >> $GITHUB_OUTPUT
@@ -61,13 +79,6 @@ jobs:
           workload_identity_provider: ${{ secrets.GCP_WIP }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
-      - id: 'gcp_secrets'
-        uses: 'google-github-actions/get-secretmanager-secrets@v2'
-        with:
-          secrets: |-
-            code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
-            code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
-
       - name: "Write RPM Signing Cert"
         run: |
           gpgkey="$(mktemp -t gpgkey.XXX)"
@@ -76,33 +87,30 @@ jobs:
         env:
           GPG_KEY: '${{ secrets.GPG_KEY}}'
 
-      - name: "Write Windows Signing Cert"
-        run: |
-          cert="$(mktemp -t cert.XXX)"
-          base64 -d <<<"$CERT_CONTENTS" > "$cert"
-          echo "CERT_FILE=$cert" >> $GITHUB_ENV
-        env:
-          CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
+# jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
+# These packages have been installed on the self-hosted runner using ansible from the private repo
+
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}}
+          subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}
 
-      - name: Configure DigiCert Signing Variables
-        shell: bash
+      - name: Get Azure AD Access Token to trusted signing
+        id: get_token
         run: |
-          # CertLocker Authentication Certifiate
-          CERT_PATH="$(mktemp -t cert.XXX)"
-          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
-          echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
-          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
-          # CertLocker API Key & Host
-          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
-          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
-          # DigiCert CertLocker Code Signing Certificate
-          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
-          echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
-
-      # - name: Install jSign (Windows Signing Tool) -- Required for public runners
-      #   run: |
-      #     curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
-      #     sudo dpkg -i ./jsign_5.0_all.deb
+          set -e  # Stop on first error
+          TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
+
+          if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
+            echo "Error: Access token is empty"
+            exit 1
+          fi
+          PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
+          echo "Access token prefix: ${PREFIX}..."
+          echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT
+
 
       - name: Install Quill for Mac Signing and Notarization
         run: |
@@ -116,13 +124,26 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
+      # Run GoReleaser
+      # This will build the binaries, create the docker images, and publish the release to Git
+      # we are currently pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
+      # specifically with the signing of the RPM packages
+      # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
+      # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
+      # This is because a goreleaser dep was changed to https://github.com/goreleaser/nfpm/releases/tag/v2.41.2
+      # created a discussion on the issue here https://github.com/orgs/goreleaser/discussions/5943
+
       - name: Run GoReleaser (w/ Docker Release)
-        if: ${{ ! steps.skip-publish.outputs.skip-publish }}
+        if: ${{ inputs.skip-publish != true }}
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: v2.5.1
-          args: release --clean --timeout 120m
+          args: >
+            release
+            --config .goreleaser.yml
+            --clean
+            --timeout 120m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
@@ -132,14 +153,23 @@ jobs:
           QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
           QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
           QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
+          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
+          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
+          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
+          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
 
       - name: Run GoReleaser (w/o Docker Release)
-        if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
+        if: ${{ inputs.skip-publish == true }}
         uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
-          version: latest
-          args: release -f .github/.goreleaser-unstable.yml --clean --timeout 120m
+          version: v2.5.1
+          args: >
+            release
+            ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }}
+            --config .github/.goreleaser-unstable.yml
+            --clean
+            --timeout 120m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
@@ -149,10 +179,15 @@ jobs:
           QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
           QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
           QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
+          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
+          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
+          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
+          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
 
       - name: Check RPMs
         run: |
           rpm -qpi dist/*.rpm
+
       - name: Output Quill Logs
         if: ${{ failure() }}
         run: |
@@ -162,11 +197,19 @@ jobs:
             cat $f
           done
 
+      - name: Upload artifacts
+        if: ${{ inputs.upload-artifacts == true }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-artifacts
+          path: dist/*.zip
+          retention-days: 7
+
       # At this point we know the docker container is published.
       # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
       # The docker container is a pre-requisite for cnspec release.
       - name: Trigger cnquery bump in cnspec
-        if: ${{ ! steps.skip-publish.outputs.skip-publish }}
+        if: ${{ inputs.skip-publish != true }}
         uses: peter-evans/repository-dispatch@v3
         with:
           token: ${{ secrets.RELEASR_ACTION_TOKEN }}
@@ -175,8 +218,3 @@ jobs:
           client-payload: '{
               "version": "${{  github.ref_name }}"
             }'
-
-      - name: Cleanup
-        if: always()
-        run:
-          rm -f ${CERT_PATH}

.goreleaser.yml

@@ -64,7 +64,7 @@ builds:
       - -s -w -X go.mondoo.com/cnquery/v11.Version={{.Version}} -X go.mondoo.com/cnquery/v11.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v11.Date={{.Date}}
     hooks:
       post:
-        - cmd: jsign --storetype DIGICERTONE --alias "{{ .Env.SM_CERT_ALIAS }}" --storepass "{{ .Env.SM_API_KEY }}|{{ .Env.SM_CLIENT_CERT_FILE}}|{{ .Env.SM_CLIENT_CERT_PASSWORD }}" --tsaurl "http://timestamp.digicert.com" '{{ .Path }}'
+        - cmd: jsign --storetype TRUSTEDSIGNING --keystore {{ .Env.TSIGN_AZURE_ENDPOINT }} --storepass {{ .Env.TSIGN_ACCESS_TOKEN }} --alias {{ .Env.TSIGN_ACCOUNT_NAME }}/{{ .Env.TSIGN_CERT_PROFILE_NAME }} '{{ .Path }}'
 nfpms:
   -
     maintainer: Mondoo <hello@mondoo.com>