feat(package): sing windows binaries [NR-489681] by sigilioso · Pull Request #1938 · newrelic/newrelic-agent-control

sigilioso · 2025-12-11T09:33:48Z

Implementation details

Implements Windows binary signing for newrelic-agent-control and newrelic-agent-control-cli executables using PFX code signing certificates during the GoReleaser build process.

The implementation uses a containerized Docker-based signing workflow that integrates with GoReleaser's post-build hooks. When Windows binaries are compiled, a signing script is executed. It uses osslsigncode for signing.

Pipelines

The GitHub Actions workflow exposes signing credentials as environment variables to GoReleaser. When the skip_sign input parameter is set to true, both packages signing and Windows executable signing are disabled (SKIP_WINDOWS_SIGN environment variable disables Windows executable signing).

Manual testing

To test the signing implementation locally with self-signed certificates:

Generate Test Credentials:

./build/scripts/windows-exec-sign/generate-testing-credentials.s

Sent environment variables:

export PFX_CERT_BASE64=$(cat local/testing-pfx-cert/certificate_pfx_base64)
export PFX_PASSPHRASE="TestPassword123"

Run goreleaser or sing directly

# Test signing a single executable
export EXECUTABLE=/path/to/your/binary.exe
./build/scripts/windows-exec-sign/sign.s
 # goreleaser (--skip=sing) skips package signature only, windows binaries are signed
 goreleaser release --skip=publish --skip=sign --clean --verbose --snapshot --verbose

Check signature (on Windows):
The self-signed certificate will not be trusted by Windows but we still can check that the binary contains the signature.

File properties example

Checklist

Provided a meaningful title following conventional commit style.
Included a detailed description for the Pull Request.
Documentation under docs is aligned with the change.
Follows guidelines for Pull Requests in CONTRIBUTING.md.
Follows log level guidelines.

DavSanchez

Looking good! A few doubts

.goreleaser.yml

build/scripts/windows-exec-sign/sign.sh

build/scripts/windows-exec-sign/generate-testing-credentials.sh

gsanchezgavier

LGTM, wonder if makes sense to have some sort of test (outside this task) that validates that we are releasing signed binaries , i think we are covering with linux due to the gpg check when installing from package managers

gsanchezgavier · 2025-12-12T10:09:58Z

.github/workflows/component_packages.yml

+          PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded
+          PFX_PASSPHRASE: ${{ secrets.OHAI_PFX_PASSPHRASE }}


would make sense to pass this as secrets , using them only in the pre-release wf to make more difficult to sign testing assets? i think same for the GPG

It makes total sense!

i pasted somehting complealty unrelated in the link 😆 , just updated it

I got the point anyway, thanks!

I've changed it here: 475b1e1 LMKWYT

sigilioso · 2025-12-12T10:36:49Z

wonder if makes sense to have some sort of test (outside this task) that validates that we are releasing signed binaries , i think we are covering with linux due to the gpg check when installing from package managers

🤔 I also think we should check it. I can trigger a nightly before merging and, at very least, check manually that the binaries are signed as expected. Once that is verified, we can figure out a way check the signature on Windows machines (when packages are signed and uploaded)

sigilioso · 2025-12-12T12:28:52Z

I've just triggered a nightly and checked the signature of the corresponding binaries. It works as expected 🎉

Signature check

> Get-AuthenticodeSignature .\newrelic-agent-control.exe


    Directory: C:\Users\calvarez\Downloads\newrelic-agent-control-windows_x86_64-pc-windows-msvc


SignerCertificate                         Status                                                       Path
-----------------                         ------                                                       ----
99C80227B0FD6238225C5E27227115F511EC0C1A  Valid                                                        newrelic-agent-control.exe


> Get-AuthenticodeSignature .\newrelic-agent-control.exe | Format-List *


SignerCertificate      : [Subject]
                           CN="New Relic, Inc.", O="New Relic, Inc.", L=San Francisco, S=California, C=US

                         [Issuer]
                           CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US

                         [Serial Number]
                           01C331132C221038E2DEBD4E825F51CD

                         [Not Before]
                           7/11/2024 2:00:00 AM

                         [Not After]
                           9/10/2027 1:59:59 AM

                         [Thumbprint]
                           99C80227B0FD6238225C5E27227115F511EC0C1A

TimeStamperCertificate : [Subject]
                           CN=DigiCert SHA256 RSA4096 Timestamp Responder 2025 1, O="DigiCert, Inc.", C=US

                         [Issuer]
                           CN=DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1, O="DigiCert, Inc.", C=US

                         [Serial Number]
                           0A80EF184B8DF10582D1C476A7957468

                         [Not Before]
                           6/4/2025 2:00:00 AM

                         [Not After]
                           9/4/2036 1:59:59 AM

                         [Thumbprint]
                           DD6230AC860A2D306BDA38B16879523007FB417E

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Users\calvarez\Downloads\newrelic-agent-control-windows_x86_64-pc-windows-msvc\newrelic-agent-control.exe
SignatureType          : Authenticode
IsOSBinary             : False

I'm trying to add a validation step to check the binaries are signed right after packaging

sigilioso · 2025-12-15T09:16:49Z

The validation for Windows binaries signatures was added in the latest commit. After triggering a nightly, the check is working as expected: workflow execution

danielorihuela · 2025-12-16T08:22:07Z

.github/workflows/component_packages.yml

-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
-          GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+          GITHUB_TOKEN: ${{ secrets.gh_token }}


Why are we using that instead of ${{ secrets.GITHUB_TOKEN }}?

We are using it to accomplish this. I decided to name them differently (using the lowercase and gh_token instead of github_token to avoid colliding with a Github reserved word) to be very explicit when using the workflow (and prevent us from using secrets: inherit again).

build/scripts/windows-exec-sign/verify-signature.ps1

danielorihuela · 2025-12-16T09:46:15Z

build/scripts/windows-exec-sign/generate-testing-credentials.sh

Question: This is not used anywhere right? What's the purpose of adding it? Future tests or manual tests?

Its purpose is having a quick way of testing the signature part locally, in case we are changing the goreleaser script or anything that could affect the windows binaries. Is it clear enough or does it needs more docs/comments?

gsanchezgavier

Thanks!

sigilioso requested a review from a team as a code owner December 11, 2025 09:33

sigilioso force-pushed the feat/sing-windows-exec branch from 048c73f to e84c8fb Compare December 11, 2025 11:23

DavSanchez reviewed Dec 11, 2025

View reviewed changes

.goreleaser.yml Show resolved Hide resolved

build/scripts/windows-exec-sign/sign.sh Outdated Show resolved Hide resolved

build/scripts/windows-exec-sign/generate-testing-credentials.sh Show resolved Hide resolved

sigilioso requested review from a team and DavSanchez December 11, 2025 13:49

sigilioso force-pushed the feat/sing-windows-exec branch from e84c8fb to 4b3d13a Compare December 12, 2025 08:30

gsanchezgavier previously approved these changes Dec 12, 2025

View reviewed changes

sigilioso dismissed gsanchezgavier’s stale review via 389e376 December 15, 2025 08:13

sigilioso force-pushed the feat/sing-windows-exec branch from 389e376 to 3c62815 Compare December 15, 2025 08:27

sigilioso added 2 commits December 15, 2025 09:27

feat(package): sing windows binaries

6d2e085

feat(windows): check windows binaries signatures

d147e26

sigilioso force-pushed the feat/sing-windows-exec branch from 3c62815 to d147e26 Compare December 15, 2025 08:27

refactor: component_packages explicit secrets

475b1e1

sigilioso force-pushed the feat/sing-windows-exec branch from f339411 to 475b1e1 Compare December 15, 2025 11:02

sigilioso requested review from a team and gsanchezgavier December 15, 2025 11:14

danielorihuela reviewed Dec 16, 2025

View reviewed changes

build/scripts/windows-exec-sign/verify-signature.ps1 Show resolved Hide resolved

danielorihuela reviewed Dec 16, 2025

View reviewed changes

sigilioso requested review from a team and danielorihuela December 16, 2025 13:09

gsanchezgavier approved these changes Dec 17, 2025

View reviewed changes

sigilioso merged commit 54920bd into main Dec 17, 2025
56 checks passed

sigilioso deleted the feat/sing-windows-exec branch December 17, 2025 09:14

		PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded
		PFX_PASSPHRASE: ${{ secrets.OHAI_PFX_PASSPHRASE }}

Conversation

sigilioso commented Dec 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Implementation details

Pipelines

Manual testing

Checklist

Uh oh!

DavSanchez left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gsanchezgavier left a comment

Choose a reason for hiding this comment

Uh oh!

gsanchezgavier Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sigilioso Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

gsanchezgavier Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

sigilioso Dec 15, 2025

Choose a reason for hiding this comment

Uh oh!

sigilioso Dec 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

sigilioso commented Dec 12, 2025

Uh oh!

sigilioso commented Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sigilioso commented Dec 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

danielorihuela Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

sigilioso Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

danielorihuela Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

sigilioso Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

gsanchezgavier left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Comments

sigilioso commented Dec 11, 2025 •

edited

Loading

gsanchezgavier Dec 12, 2025 •

edited

Loading

sigilioso Dec 15, 2025 •

edited

Loading

sigilioso commented Dec 12, 2025 •

edited

Loading

sigilioso commented Dec 15, 2025 •

edited

Loading