feat(package): sing windows binaries [NR-489681] (#1938)

sigilioso · web-flow · commit 54920bdce43a · 2025-12-17T10:14:18.000+01:00
diff --git a/.github/workflows/component_packages.yml b/.github/workflows/component_packages.yml
@@ -2,6 +2,22 @@ name: 📞 Build binaries and create packages
 
 on:
   workflow_call:
+    secrets:
+      gh_token:
+        description: 'Github token for uploading packages to release'
+        required: false
+      gpg_private_key_base64:
+        description: 'Private key for signing packages'
+        required: false
+      gpg_passphrase:
+        description: 'Passphrase the GPG private key'
+        required: false
+      pfx_certificate_base64:
+        description: 'Pfx for signing windows executables'
+        required: false
+      pfx_passphrase:
+        description: 'Passphrase of the PFX certificate'
+        required: false
     inputs:
       pre-release:
         description: 'set to true if running a real pre-release'
@@ -82,18 +98,22 @@ jobs:
         if: ${{ inputs.skip_sign }}
         run: |
           echo SKIP_SIGN="--skip=sign" >> $GITHUB_ENV
+          echo SKIP_WINDOWS_SIGN="true" >> $GITHUB_ENV
 
       - name: Release packages with GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
         with:
           args: release ${{ env.SKIP_UPLOAD_RELEASE }} ${{ env.SKIP_SIGN }} --clean --verbose --timeout 2h
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
-          GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+          GITHUB_TOKEN: ${{ secrets.gh_token }}
+          GPG_PRIVATE_KEY_BASE64: ${{ secrets.gpg_private_key_base64 }} # base64 encoded
+          GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
+          PFX_CERTIFICATE_BASE64: ${{ secrets.pfx_certificate_base64 }} # base64 encoded
+          PFX_PASSPHRASE: ${{ secrets.pfx_passphrase }}
           GPG_MAIL: 'infrastructure-eng@newrelic.com'
           NR_RELEASE_TAG: ${{ inputs.tag_name }}
           GORELEASER_CURRENT_TAG: ${{ inputs.tag_name }}
+          SKIP_WINDOWS_SIGN: ${{ env.SKIP_WINDOWS_SIGN }}
 
       - name: Upload assets to pipeline
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
@@ -103,3 +123,25 @@ jobs:
           path: |
             ./bin/*
             ./dist/*
+
+  verify-windows-signatures:
+    runs-on: windows-latest
+    name: Verify Windows signatures
+    needs: build
+    if: ${{ ! inputs.skip_sign }}
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Download built binaries
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        with:
+          name: built-binaries-${{ inputs.tag_name }}
+          path: ./artifacts
+
+      - name: Verify Windows executable signatures
+        shell: powershell
+        run: |
+          ./build/scripts/windows-exec-sign/verify-signature.ps1 -Executables @(
+            "./artifacts/dist/newrelic-agent-control-windows_x86_64-pc-windows-msvc/newrelic-agent-control.exe",
+            "./artifacts/dist/newrelic-agent-control-cli-windows_x86_64-pc-windows-msvc/newrelic-agent-control-cli.exe"
+          )
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -18,7 +18,12 @@ jobs:
     with:
       pre-release: false
       tag_name: 0.100.${{ github.run_id }}
-    secrets: inherit
+    secrets:
+      gh_token: ${{ secrets.GITHUB_TOKEN }}
+      gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}
+      gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      pfx_certificate_base64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }}
+      pfx_passphrase: ${{ secrets.OHAI_PFX_PASSPHRASE }}
 
   build-image:
     name: Build and Push nightly image
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -17,7 +17,12 @@ jobs:
     with:
       pre-release: true
       tag_name: ${{ github.event.release.tag_name }}
-    secrets: inherit
+    secrets:
+      gh_token: ${{ secrets.GITHUB_TOKEN }}
+      gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }}
+      gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      pfx_certificate_base64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }}
+      pfx_passphrase: ${{ secrets.OHAI_PFX_PASSPHRASE }}
 
   build-image:
     name: Build and Push container image
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -48,6 +48,14 @@ builds:
       - AGENT_CONTROL_VERSION={{ .Version }}
       - NEWRELIC_INFRA_AGENT_VERSION={{ .Env.NEWRELIC_INFRA_AGENT_VERSION }}
       - NR_OTEL_COLLECTOR_VERSION={{ .Env.NR_OTEL_COLLECTOR_VERSION }}
+    hooks:
+      post:
+        - cmd: ./build/scripts/windows-exec-sign/sign.sh
+          env:
+            - SKIP_WINDOWS_SIGN={{ if index .Env "SKIP_WINDOWS_SIGN"}}{{ .Env.SKIP_WINDOWS_SIGN }}{{ else }}{{ end }}
+            - PFX_CERTIFICATE_BASE64={{ if index .Env "PFX_CERTIFICATE_BASE64"}}{{ .Env.PFX_CERTIFICATE_BASE64 }}{{ else }}{{ end }}
+            - PFX_PASSPHRASE={{ if index .Env "PFX_PASSPHRASE"}}{{ .Env.PFX_PASSPHRASE }}{{ else }}{{ end }}
+            - EXECUTABLE={{ .Path }}
 
   # Linux builds for CLI
   - id: newrelic-agent-control-cli-linux
@@ -83,6 +91,13 @@ builds:
         # Wait for newrelic-agent-control to be ready (parallel executions of cargo-xwin can be problematic)
         - cmd: sh -c 'while [ ! -f target/x86_64-pc-windows-msvc/release/newrelic-agent-control.exe ]; do echo "Waiting for newrelic-agent-control-windows build to complete..."; sleep 5; done'
           output: true
+      post:
+        - cmd: ./build/scripts/windows-exec-sign/sign.sh
+          env:
+            - SKIP_WINDOWS_SIGN={{ if index .Env "SKIP_WINDOWS_SIGN"}}{{ .Env.SKIP_WINDOWS_SIGN }}{{ else }}{{ end }}
+            - PFX_CERTIFICATE_BASE64={{ if index .Env "PFX_CERTIFICATE_BASE64"}}{{ .Env.PFX_CERTIFICATE_BASE64 }}{{ else }}{{ end }}
+            - PFX_PASSPHRASE={{ if index .Env "PFX_PASSPHRASE"}}{{ .Env.PFX_PASSPHRASE }}{{ else }}{{ end }}
+            - EXECUTABLE={{ .Path }}
 
 archives:
   - id: linux
diff --git a/build/scripts/windows-exec-sign/Dockerfile b/build/scripts/windows-exec-sign/Dockerfile
@@ -0,0 +1,13 @@
+FROM debian:bullseye
+
+RUN apt-get update \
+    && apt-get -y install \
+        openssl \
+        libengine-pkcs11-openssl \
+        gnutls-bin \
+        xxd \
+        osslsigncode
+
+ADD cmd.sh /cmd.sh
+
+CMD ["/cmd.sh"]
diff --git a/build/scripts/windows-exec-sign/cmd.sh b/build/scripts/windows-exec-sign/cmd.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+# Obtain the certificate from base64
+echo "$PFX_CERTIFICATE_BASE64" | base64 -d > ./certificate.pfx
+
+# Sign the binary with the osslsigncode tool
+osslsigncode sign \
+    -pkcs12 ./certificate.pfx \
+    -pass "$PFX_PASSPHRASE" \
+    -n "$PFX_CERTIFICATE_DESCRIPTION" \
+    -t http://timestamp.digicert.com \
+    -in "$EXECUTABLE" \
+    -out "$EXECUTABLE.signed"
+
+# Clean up the certificate file
+rm -f ./certificate.pfx
+
+# Replace the unsigned binary by the signed one
+mv "$EXECUTABLE.signed" "$EXECUTABLE"
diff --git a/build/scripts/windows-exec-sign/generate-testing-credentials.sh b/build/scripts/windows-exec-sign/generate-testing-credentials.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+CURRENT_DIR="$( dirname $( readlink -f ${BASH_SOURCE[0]} ) )"
+LOCAL_DIR="$CURRENT_DIR/../../../local/testing-pfx-cert"
+IMAGE_NAME="testing-credentials"
+
+rm -rf $LOCAL_DIR && mkdir $LOCAL_DIR
+
+docker build -t $IMAGE_NAME "$CURRENT_DIR/."
+
+docker run --rm -v $LOCAL_DIR:/workdir -w /workdir $IMAGE_NAME bash -c '
+# Generate a private key
+openssl genrsa -out private.key 2048
+
+# Generate a self-signed certificate (valid for 365 days)
+openssl req -new -x509 -key private.key -out certificate.crt -days 365 \
+  -subj "/C=US/ST=TestST/L=TestL/O=TestO Org/OU=TestOrg Unit/CN=test.org.site"
+
+PFX_PASSPHRASE="TestPassword123"
+PFX_FILE="certificate.pfx"
+
+# Convert to PFX format
+openssl pkcs12 -export -out $PFX_FILE \
+  -inkey private.key \
+  -in certificate.crt \
+  -passout pass:$PFX_PASSPHRASE
+
+# Encode as base64
+base64 $PFX_FILE > certificate_pfx_base64
+'
+
+echo "Testing pfx certificate generated:"
+echo "PFX_CERTIFICATE_BASE64: $LOCAL_DIR/certificate_pfx_base64"
+echo "PFX_PASSPHRASE: TestPassword123"
diff --git a/build/scripts/windows-exec-sign/sign.sh b/build/scripts/windows-exec-sign/sign.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+# Exit with no error if signing should be skipped
+if [ -n "$SKIP_WINDOWS_SIGN" ]; then
+    echo "Skipping Windows executable signing (SKIP_WINDOWS_SIGN is set)"
+    exit 0
+fi
+
+# Check that required env variables are set
+if [ -z "$EXECUTABLE" ] || [ -z "$PFX_CERTIFICATE_BASE64" ] || [ -z "$PFX_PASSPHRASE" ]; then
+    echo "EXECUTABLE, PFX_CERTIFICATE_BASE64 and PFX_PASSPHRASE env variables are required"
+    exit 1
+fi
+
+PFX_CERTIFICATE_DESCRIPTION="New Relic"
+
+# Build the docker image for windows signing
+CURRENT_DIR="$( dirname $( readlink -f ${BASH_SOURCE[0]} ) )"
+IMAGE_NAME="exec-windows-signer"
+docker build -t "$IMAGE_NAME" "$CURRENT_DIR/."
+
+# Sign the binary
+EXEC_PARENT_DIR="$(dirname "$EXECUTABLE")"
+EXEC_FILE_NAME="$(basename "$EXECUTABLE")"
+docker run --rm \
+    -v "$EXEC_PARENT_DIR:/workdir" \
+    -w /workdir \
+    -e PFX_CERTIFICATE_BASE64="$PFX_CERTIFICATE_BASE64" \
+    -e PFX_PASSPHRASE="$PFX_PASSPHRASE" \
+    -e PFX_CERTIFICATE_DESCRIPTION="$PFX_CERTIFICATE_DESCRIPTION" \
+    -e EXECUTABLE="$EXEC_FILE_NAME" \
+    "$IMAGE_NAME"
diff --git a/build/scripts/windows-exec-sign/verify-signature.ps1 b/build/scripts/windows-exec-sign/verify-signature.ps1
@@ -0,0 +1,68 @@
+#!/usr/bin/env pwsh
+#
+# Verify Windows executable signatures
+#
+# This script verifies that Windows executables are properly signed
+# with valid Authenticode signatures.
+#
+# Usage:
+#   verify-signature.ps1 -Executables <exe1>,<exe2>,...
+#
+# Example:
+#   verify-signature.ps1 -Executables "./artifacts/dist/foo.exe","./artifacts/dist/bar.exe"
+#
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string[]]$Executables
+)
+
+Write-Host "Verifying signatures for Windows executables"
+Write-Host "=============================================="
+Write-Host ""
+
+$allValid = $true
+
+foreach ($exePath in $Executables) {
+    $exeName = Split-Path -Leaf $exePath
+
+    Write-Host "Checking: $exeName"
+    Write-Host "  Path: $exePath"
+
+    if (-not (Test-Path $exePath)) {
+        Write-Host "  ERROR: File not found!" -ForegroundColor Red
+        $allValid = $false
+        Write-Host ""
+        continue
+    }
+
+    $signature = Get-AuthenticodeSignature -FilePath $exePath
+
+    Write-Host "  Status: $($signature.Status)"
+
+    if ($signature.SignerCertificate) {
+        Write-Host "  Signer: $($signature.SignerCertificate.Subject)"
+        Write-Host "  Thumbprint: $($signature.SignerCertificate.Thumbprint)"
+    }
+
+    if ($signature.Status -ne 'Valid') {
+        Write-Host "  ERROR: Signature is not valid!" -ForegroundColor Red
+        if ($signature.StatusMessage) {
+            Write-Host "  Reason: $($signature.StatusMessage)" -ForegroundColor Red
+        }
+        $allValid = $false
+    } else {
+        Write-Host "  SUCCESS: Signature is valid" -ForegroundColor Green
+    }
+
+    Write-Host ""
+}
+
+Write-Host "=============================================="
+if (-not $allValid) {
+    Write-Host "FAILED: One or more executables are missing or have invalid signatures" -ForegroundColor Red
+    exit 1
+}
+
+Write-Host "SUCCESS: All Windows executables are properly signed" -ForegroundColor Green
+exit 0
