File tree Expand file tree Collapse file tree 6 files changed +114
-0
lines changed
build/scripts/windows-exec-sign Expand file tree Collapse file tree 6 files changed +114
-0
lines changed Original file line number Diff line number Diff line change 8585 if : ${{ inputs.skip_sign }}
8686 run : |
8787 echo SKIP_SIGN="--skip=sign" >> $GITHUB_ENV
88+ echo SKIP_WINDOWS_SIGN="true" >> $GITHUB_ENV
8889
8990name : Release packages with GoReleaser
9091 uses : goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
@@ -93,10 +94,13 @@ jobs:
9394 env :
9495 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
9596 GPG_PASSPHRASE : ${{ secrets.OHAI_GPG_PASSPHRASE }}
97+ PFX_CERTIFICATE_BASE64 : ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded
98+ PFX_PASSPHRASE : ${{ secrets.OHAI_PFX_PASSPHRASE }}
9699 GPG_PRIVATE_KEY_BASE64 : ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
97100 GPG_MAIL : ' infrastructure-eng@newrelic.com'
98101 NR_RELEASE_TAG : ${{ inputs.tag_name }}
99102 GORELEASER_CURRENT_TAG : ${{ inputs.tag_name }}
103+ SKIP_WINDOWS_SIGN : ${{ env.SKIP_WINDOWS_SIGN }}
100104
101105 - name : Upload assets to pipeline
102106 uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
Original file line number Diff line number Diff line change @@ -48,6 +48,14 @@ builds:
4848 - AGENT_CONTROL_VERSION={{ .Version }}
4949 - NEWRELIC_INFRA_AGENT_VERSION={{ .Env.NEWRELIC_INFRA_AGENT_VERSION }}
5050 - NR_OTEL_COLLECTOR_VERSION={{ .Env.NR_OTEL_COLLECTOR_VERSION }}
51+ hooks :
52+ post :
53+ - cmd : ./build/scripts/windows-exec-sign/sign.sh
54+ env :
55+ - SKIP_WINDOWS_SIGN={{ if index .Env "SKIP_WINDOWS_SIGN"}}{{ .Env.SKIP_WINDOWS_SIGN }}{{ else }}{{ end }}
56+ - PFX_CERT_BASE64={{ if index .Env "PFX_CERT_BASE64"}}{{ .Env.PFX_CERT_BASE64 }}{{ else }}{{ end }}
57+ - PFX_PASSPHRASE={{ if index .Env "PFX_PASSPHRASE"}}{{ .Env.PFX_PASSPHRASE }}{{ else }}{{ end }}
58+ - EXECUTABLE={{ .Path }}
5159
5260 # Linux builds for CLI
5361 - id : newrelic-agent-control-cli-linux
@@ -83,6 +91,13 @@ builds:
8391 # Wait for newrelic-agent-control to be ready (parallel executions of cargo-xwin can be problematic)
8492 - cmd : sh -c 'while [ ! -f target/x86_64-pc-windows-msvc/release/newrelic-agent-control.exe ]; do echo "Waiting for newrelic-agent-control-windows build to complete..."; sleep 5; done'
8593 output : true
94+ post :
95+ - cmd : ./build/scripts/windows-exec-sign/sign.sh
96+ env :
97+ - SKIP_WINDOWS_SIGN={{ if index .Env "SKIP_WINDOWS_SIGN"}}{{ .Env.SKIP_WINDOWS_SIGN }}{{ else }}{{ end }}
98+ - PFX_CERT_BASE64={{ if index .Env "PFX_CERT_BASE64"}}{{ .Env.PFX_CERT_BASE64 }}{{ else }}{{ end }}
99+ - PFX_PASSPHRASE={{ if index .Env "PFX_PASSPHRASE"}}{{ .Env.PFX_PASSPHRASE }}{{ else }}{{ end }}
100+ - EXECUTABLE={{ .Path }}
86101
87102archives :
88103 - id : linux
Original file line number Diff line number Diff line change 1+ FROM debian:bullseye
2+
3+ RUN apt-get update \
4+ && apt-get -y install \
5+ openssl \
6+ libengine-pkcs11-openssl \
7+ gnutls-bin \
8+ xxd \
9+ osslsigncode
10+
11+ ADD cmd.sh /cmd.sh
12+
13+ CMD ["/cmd.sh" ]
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ # Obtain the certificate from base64
4+ echo " $PFX_CERT_BASE64 " | base64 -d > ./certificate.pfx
5+
6+ # Sing the binary with the osslsigncode tool
7+ osslsigncode sign \
8+ -pkcs12 ./certificate.pfx \
9+ -pass " $PFX_PASSPHRASE "
10+ -n " $PFX_CERTIFICATE_DESCRIPTION "
11+ -in " $EXECUTABLE "
12+ -out " $EXECUTABLE .signed"
13+
14+ # Replace the unsigned binary by the signed one
15+ mv " $EXECUTABLE .signed" " $EXECUTABLE "
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+
3+ CURRENT_DIR=" $( dirname $( readlink -f ${BASH_SOURCE[0]} ) ) "
4+ LOCAL_DIR=" $CURRENT_DIR /../../../local/testing-pfx-cert"
5+ IMAGE_NAME=" testing-credentials"
6+
7+ rm -rf $LOCAL_DIR && mkdir $LOCAL_DIR
8+
9+ docker build -t $IMAGE_NAME " $CURRENT_DIR /."
10+
11+ docker run --rm -v $LOCAL_DIR :/workdir -w /workdir $IMAGE_NAME bash -c '
12+ # Generate a private key
13+ openssl genrsa -out private.key 2048
14+
15+ # Generate a self-signed certificate (valid for 365 days)
16+ openssl req -new -x509 -key private.key -out certificate.crt -days 365 \
17+ -subj "/C=US/ST=TestST/L=TestL/O=TestO Org/OU=TestOrg Unit/CN=test.org.site
18+
19+ PFX_PASSPHRASE="TestPassword123"
20+ PFX_FILE="certificate.pfx"
21+
22+ # Convert to PFX format
23+ openssl pkcs12 -export -out $PFX_FILE \
24+ -inkey private.key \
25+ -in certificate.crt \
26+ -passout pass:$PFX_PASSPHRASE
27+
28+ # Encode as base64
29+ base64 $PFX_FILE > certificate_pfx_base64
30+ '
31+
32+ echo " Testing pfx certificate generated:"
33+ echo " PFX_CERT_BASE64: $LOCAL_DIR /certificate_pfx_base64"
34+ echo " PFX_PASSPHRASE: TestPassword123"
Original file line number Diff line number Diff line change 1+ #! /bin/bash
2+ set -e
3+
4+ # Exit with no error if signing should be skipped
5+ if [ -n " $SKIP_WINDOWS_SIGN " ; then
6+ echo " Skipping Windows executable signing (SKIP_WINDOWS_SIGN is set)"
7+ exit 0
8+ fi
9+
10+ # Check that required env variables are set
11+ if [ -z " $EXECUTABLE " || [ -z " $PFX_CERT_BASE64 " || [ -z " $PFX_PASSPHRASE " ; then
12+ echo " EXECUTABLE, PFX_CERT_BASE64 and PFX_PASSPHRASE env variables are required"
13+ exit 1
14+ fi
15+
16+ PFX_CERTIFICATE_DESCRIPTION=" New Relic"
17+
18+ # Build the docker image for windows signing
19+ CURRENT_DIR=" $( dirname $( readlink -f ${BASH_SOURCE[0]} ) ) "
20+ IMAGE_NAME=" exec-windows-signer"
21+ docker build -t $IMAGE_NAME " $CURRENT_DIR /."
22+
23+ # Sing the binary
24+ EXEC_PARENT_DIR=" $( dirname " $EXECUTABLE " ) "
25+ EXEC_FILE_NAME=" $( basename " $EXECUTABLE " ) "
26+ docker run --rm \
27+ -v $EXEC_PARENT_DIR :/workdir \
28+ -w /workdir \
29+ -e PFX_CERT_BASE64=" $PFX_CERT_BASE64 "
30+ -e PFX_PASSPHRASE=" $PFX_PASSPHRASE "
31+ -e PFX_CERTIFICATE_DESCRIPTION=" $PFX_CERTIFICATE_DESCRIPTION "
32+ -e EXECUTABLE=" $EXEC_FILE_NAME "
33+ $IMAGE_NAME
You can’t perform that action at this time.
0 commit comments