ci: Signtool path & MSBuild path for windows-2025 runner (#2084)

* ci: signtool path & MSBuild path

Author: muruganishekar

.github/workflows/component_windows_packaging.yml

@@ -61,19 +61,20 @@ jobs:
 
       - name: Import PFX certificate
         shell: pwsh
-        run: build\windows\scripts\import_certificates.ps1 -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION"
+        run: |
+          build\windows\scripts\set_cert_thumbprint_env.ps1 -PfxPassphrase "$env:PFX_PASSPHRASE" -PfxCertificateDescription "$env:PFX_CERTIFICATE_DESCRIPTION"
 
       - name: Set date environment variable for buildDate metadata
         run: echo buildDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ") >> $GITHUB_ENV
         shell: bash
 
       - name: Build executables ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}}
+        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}} -certThumbprint "$env:certThumbprint"
 
       - name: Create MSI package ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}}
+        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -certThumbprint "$env:certThumbprint"
 
       - name: Create zip package ${{ matrix.goarch }}
         shell: pwsh

.github/workflows/prerelease_windows.yml

@@ -58,19 +58,20 @@ jobs:
 
       - name: Import PFX certificate
         shell: pwsh
-        run: build\windows\scripts\import_certificates.ps1 -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION"
+        run: |
+          build\windows\scripts\set_cert_thumbprint_env.ps1 -PfxPassphrase "$env:PFX_PASSPHRASE" -PfxCertificateDescription "$env:PFX_CERTIFICATE_DESCRIPTION"
 
       - name: Set date environment variable for buildDate metadata
         run: echo buildDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ") >> $GITHUB_ENV
         shell: bash
 
       - name: Build executables ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}}
+        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}} -certThumbprint "$env:certThumbprint"
 
       - name: Create MSI package ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}}
+        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.TAG}} -certThumbprint "$env:certThumbprint"
 
       - name: Create zip package ${{ matrix.goarch }}
         shell: pwsh

.github/workflows/prerelease_windows_on_demand.yml

@@ -59,19 +59,20 @@ jobs:
 
       - name: Import PFX certificate
         shell: pwsh
-        run: build\windows\scripts\import_certificates.ps1 -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION"
+        run: |
+          build\windows\scripts\set_cert_thumbprint_env.ps1 -PfxPassphrase "$env:PFX_PASSPHRASE" -PfxCertificateDescription "$env:PFX_CERTIFICATE_DESCRIPTION"
 
       - name: Set date environment variable for buildDate metadata
         run: echo buildDate=$(date -u +"%Y-%m-%dT%H:%M:%SZ") >> $GITHUB_ENV
         shell: bash
 
       - name: Build executables ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.FAKE_TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}}
+        run: build\windows\build.ps1 -arch ${{ matrix.goarch }} -version ${{env.FAKE_TAG}} -commit "$env:GITHUB_SHA" -date ${{env.buildDate}} -certThumbprint "$env:certThumbprint"
 
       - name: Create MSI package ${{ matrix.goarch }}
         shell: pwsh
-        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.FAKE_TAG}}
+        run: build\windows\package_msi.ps1 -arch ${{ matrix.goarch }} -version ${{env.FAKE_TAG}} -certThumbprint "$env:certThumbprint"
 
       - name: Create zip package ${{ matrix.goarch }}
         shell: pwsh
@@ -84,7 +85,7 @@ jobs:
           files_path: './${{ env.REPO_WORKDIR }}/dist'
 
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v2 #v3 just got released and was not working in windows
+        uses: actions/upload-artifact@v4
         with:
           name: windows-assets
           path: dist
@@ -101,7 +102,7 @@ jobs:
 
     steps:
       - name: Download a single artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: windows-assets
 

build/package/windows/newrelic-infra-386-installer/newrelic-infra/newrelic-infra-installer.wixproj

@@ -8,11 +8,19 @@
     <SchemaVersion>2.0</SchemaVersion>
     <OutputName>newrelic-infra-386</OutputName>
     <OutputType>Package</OutputType>
-    <SignToolPath>C:\Program Files (x86)\Windows Kits\10\bin\x64\</SignToolPath>
+    <SignToolPath>C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\</SignToolPath>
     <WixTargetsPath Condition=" '$(WixTargetsPath)' == '' AND '$(MSBuildExtensionsPath32)' != '' ">$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets</WixTargetsPath>
     <WixTargetsPath Condition=" '$(WixTargetsPath)' == '' ">$(MSBuildExtensionsPath)\Microsoft\WiX\v3.x\Wix.targets</WixTargetsPath>
     <Name>newrelic-infra-installer</Name>
     <DefineSolutionProperties>false</DefineSolutionProperties>
+  </PropertyGroup>
+    <!-- NEW: Define default values for SignToolArgs and SkipSigning -->
+  <PropertyGroup>
+    <!-- Define a default for SignToolArgs if it's not passed from MSBuild -->
+    <!-- Using SHA256 as a recommended default -->
+    <SignToolArgs Condition="'$(SignToolArgs)' == ''">/fd SHA256 /tr http://timestamp.digicert.com /td SHA256</SignToolArgs>
+    <!-- Define a default for SkipSigning if it's not passed -->
+    <SkipSigning Condition="'$(SkipSigning)' == ''">false</SkipSigning>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|x86' ">
     <OutputPath>bin\$(Configuration)\</OutputPath>
@@ -46,8 +54,8 @@
       <Output TaskParameter="Value" PropertyName="DefineConstants" />
     </CreateProperty>
   </Target>
-  <Target Name="SignInstaller">
-    <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign /d &quot;New Relic Infrastructure Agent&quot; /n &quot;New Relic, Inc.&quot; &quot;$(OutputPath)$(OutputName).msi&quot;" />
+  <Target Name="SignInstaller" Condition="'$(SkipSigning)' != 'true'">
+    <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign $(SignToolArgs) /d &quot;New Relic Infrastructure Agent&quot; /n &quot;New Relic, Inc.&quot; &quot;$(OutputPath)$(OutputName).msi&quot;" />
     <Copy SourceFiles="$(OutputPath)$(OutputName).msi" DestinationFiles="$(OutputPath)$(OutputName).1.0.NNN.msi" />
     <!-- <Delete Files="$(OutputPath)$(OutputName).msi" /> -->
   </Target>

build/package/windows/newrelic-infra-amd64-installer/newrelic-infra/newrelic-infra-installer.wixproj

@@ -8,11 +8,19 @@
     <SchemaVersion>2.0</SchemaVersion>
     <OutputName>newrelic-infra-amd64</OutputName>
     <OutputType>Package</OutputType>
-    <SignToolPath>C:\Program Files (x86)\Windows Kits\10\bin\x64\</SignToolPath>
+    <SignToolPath>C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\</SignToolPath>
     <WixTargetsPath Condition=" '$(WixTargetsPath)' == '' AND '$(MSBuildExtensionsPath32)' != '' ">$(MSBuildExtensionsPath32)\Microsoft\WiX\v3.x\Wix.targets</WixTargetsPath>
     <WixTargetsPath Condition=" '$(WixTargetsPath)' == '' ">$(MSBuildExtensionsPath)\Microsoft\WiX\v3.x\Wix.targets</WixTargetsPath>
     <Name>newrelic-infra-installer</Name>
     <DefineSolutionProperties>false</DefineSolutionProperties>
+  </PropertyGroup>
+      <!-- NEW: Define default values for SignToolArgs and SkipSigning -->
+  <PropertyGroup>
+    <!-- Define a default for SignToolArgs if it's not passed from MSBuild -->
+    <!-- Using SHA256 as a recommended default -->
+    <SignToolArgs Condition="'$(SignToolArgs)' == ''">/fd SHA256 /tr http://timestamp.digicert.com /td SHA256</SignToolArgs>
+    <!-- Define a default for SkipSigning if it's not passed -->
+    <SkipSigning Condition="'$(SkipSigning)' == ''">false</SkipSigning>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|x86' ">
     <OutputPath>bin\$(Configuration)\</OutputPath>
@@ -46,8 +54,8 @@
       <Output TaskParameter="Value" PropertyName="DefineConstants" />
     </CreateProperty>
   </Target>
-  <Target Name="SignInstaller">
-    <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign /d &quot;New Relic Infrastructure Agent&quot; /n &quot;New Relic, Inc.&quot; &quot;$(OutputPath)$(OutputName).msi&quot;" />
+  <Target Name="SignInstaller" Condition="'$(SkipSigning)' != 'true'">
+    <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign $(SignToolArgs) /d &quot;New Relic Infrastructure Agent&quot; /n &quot;New Relic, Inc.&quot; &quot;$(OutputPath)$(OutputName).msi&quot;" />
     <Copy SourceFiles="$(OutputPath)$(OutputName).msi" DestinationFiles="$(OutputPath)$(OutputName).1.0.NNN.msi" />
     <!-- <Delete Files="$(OutputPath)$(OutputName).msi" /> -->
   </Target>

build/windows/README.md

@@ -1,7 +1,7 @@
 # Building New Relic Infrastructure agent on windows.
 ## Requirements
 1. [Go](https://golang.org/dl/)
-2. [MSBuild](https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2019)
+2. [MSBuild](https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2022)
 3. [Wix Toolset](https://wixtoolset.org/)
 
 ## Compile and build the agent msi package

build/windows/build.ps1

@@ -14,7 +14,9 @@ param (
     # Skip signing
     [switch]$skipSigning=$false,
     # Signing tool
-    [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"'
+    [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"',
+    # Certificate thumbprint
+    [string]$certThumbprint=""
 )
 $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
 $workspace = "$scriptPath\..\.."
@@ -92,7 +94,7 @@ Foreach ($pkg in $goMains)
     $exe = "$workspace\target\bin\windows_$arch\$fileName.exe"
     go build -ldflags "-X 'main.buildVersion=$version' -X 'main.gitCommit=$commit' -X 'main.buildDate=$date'" -o $exe $pkg
     if (-Not $skipSigning) {
-        SignExecutable -executable "$exe"
+        SignExecutable -executable "$exe" -certThumbprint "$certThumbprint"
     }
 }
 
@@ -107,7 +109,7 @@ Foreach ($pkg in $goMainsBuildInFolder)
     go mod download
     go build -ldflags "-X 'main.buildVersion=$version' -X 'main.gitCommit=$commit' -X 'main.buildDate=$date'" -o $exe
     if (-Not $skipSigning) {
-        SignExecutable -executable "$exe"
+        SignExecutable -executable "$exe" -certThumbprint "$certThumbprint"
     }
     cd "$workspace"
 }

build/windows/package_msi.ps1

@@ -10,7 +10,10 @@ param (
     [string]$version="0.0.0",
 
     # Skip signing
-    [switch]$skipSigning=$false
+    [switch]$skipSigning=$false,
+    # Certificate thumbprint
+    [string]$certThumbprint=""
+
 )
 
 $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
@@ -19,7 +22,7 @@ $workspace = "$scriptPath\..\.."
 $buildYear = (Get-Date).Year
 
 Write-Output "===> Embeding integrations"
-Invoke-expression -Command "$scriptPath\scripts\embed_ohis.ps1 -arch $arch $(If ($skipSigning) {"-skipSigning"})"
+Invoke-expression -Command "$scriptPath\scripts\embed_ohis.ps1 -arch $arch -certThumbprint $certThumbprint $(If ($skipSigning) {"-skipSigning"})"
 if ($lastExitCode -ne 0) {
     Write-Output "Failed to embed integration"
     exit -1
@@ -35,9 +38,9 @@ Write-Output $msBuild
 
 Write-Output "===> Building msi Installer"
 
-$env:path = "$env:path;C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin"
+$env:path = "$env:path;C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Current\Bin"
 $WixPrjPath = "$scriptPath\..\package\windows\newrelic-infra-$arch-installer\newrelic-infra"
-. $msBuild/MSBuild.exe "$WixPrjPath\newrelic-infra-installer.wixproj" /p:AgentVersion=${version} /p:Year=$buildYear /p:SkipSigning=${skipSigning}
+. $msBuild/MSBuild.exe "$WixPrjPath\newrelic-infra-installer.wixproj" /p:AgentVersion=${version} /p:Year=$buildYear /p:SkipSigning=${skipSigning} /p:SignToolArgs="/fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /sha1 $certThumbprint"
 
 if (-not $?)
 {

build/windows/scripts/embed_ohis.ps1

@@ -11,7 +11,9 @@ param (
     # Skip signing
     [switch]$skipSigning=$false,
     # Signing tool
-    [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"'
+    [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"',
+    # Certificate thumbprint
+    [string]$certThumbprint=""
 )
 
 # Source build Functions.
@@ -27,7 +29,7 @@ Function EmbedFlex {
     DownloadAndExtractZip -dest:"$downloadPath\nri-flex" -url:"$url"
 
     if (-Not $skipSigning) {
-        SignExecutable -executable "$downloadPath\nri-flex\nri-flex.exe"
+        SignExecutable -executable "$downloadPath\nri-flex\nri-flex.exe" -certThumbprint "$certThumbprint"
     }
 }
 
@@ -44,8 +46,8 @@ Function EmbedWindowsServices {
     DownloadAndExtractZip -dest:"$downloadPath\nri-winservices" -url:"$url"
 
     if (-Not $skipSigning) {
-        SignExecutable -executable "$downloadPath\nri-winservices\nri-winservices.exe"
-        SignExecutable -executable "$downloadPath\nri-winservices\windows_exporter.exe"
+        SignExecutable -executable "$downloadPath\nri-winservices\nri-winservices.exe" -certThumbprint "$certThumbprint"
+        SignExecutable -executable "$downloadPath\nri-winservices\windows_exporter.exe" -certThumbprint "$certThumbprint"
     }
 }
 
@@ -65,7 +67,7 @@ Function EmbedPrometheus {
     Remove-Item -Path "$downloadPath\nri-prometheus\New Relic" -Force -Recurse
 
     if (-Not $skipSigning) {
-        SignExecutable -executable "$downloadPath\nri-prometheus\nri-prometheus.exe"
+        SignExecutable -executable "$downloadPath\nri-prometheus\nri-prometheus.exe" -certThumbprint "$certThumbprint"
     }
 }
 
@@ -97,9 +99,9 @@ Function EmbedFluentBit {
 
     if (-Not $skipSigning) {
         # <To be removed on removal of the ff fluent_bit_19>
-        SignExecutable -executable "$downloadPath\logging\nrfb\fluent-bit.exe"
+        SignExecutable -executable "$downloadPath\logging\nrfb\fluent-bit.exe" -certThumbprint "$certThumbprint"
         # </To be removed on removal of the ff fluent_bit_19>
-        SignExecutable -executable "$downloadPath\logging\nrfb2\fluent-bit.exe"
+        SignExecutable -executable "$downloadPath\logging\nrfb2\fluent-bit.exe" -certThumbprint "$certThumbprint"
     }
 }
 
@@ -115,7 +117,7 @@ Function EmbedWinpkg {
     DownloadAndExtractZip -dest:"$downloadPath" -url:"$url"
 
     if (-Not $skipSigning) {
-        SignExecutable -executable "$downloadPath\winpkg\nr-winpkg.exe"
+        SignExecutable -executable "$downloadPath\winpkg\nr-winpkg.exe" -certThumbprint "$certThumbprint"
     }
 }
 

build/windows/scripts/functions.ps1

@@ -5,13 +5,17 @@
 Function SignExecutable {
     param (
         # Signing tool
-        [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"',
-        [string]$executable=$(throw "-executable path is required")
+        [string]$signtool='"C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"',
+        [string]$executable=$(throw "-executable path is required"),
+        [string]$certThumbprint=$(throw "-certThumbprint is required")
     )
 
-    Invoke-Expression "& $signtool sign /d 'New Relic Infrastructure Agent' /n 'New Relic, Inc.' $executable"
-    if ($lastExitCode -ne 0) {
-       throw "Failed to sign $executable"
+
+    # Use the certificate thumbprint directly from the imported certificate
+    $certThumbprint = $certThumbprint.Trim()
+    Invoke-Expression "& $signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /d 'New Relic Infrastructure Agent' /sha1 $certThumbprint $executable"
+    if ($LASTEXITCODE -ne 0) {
+        throw "Failed to sign $executable"
     }
 }