feat(build): code-sign Windows binaries #884

Closed

@Integralist Integralist commented Mar 24, 2023

We're using osslsigncode to code-sign Windows binaries; to do that, we're told...

Before you can sign a file you need a Software Publishing Certificate (SPC) and a corresponding private key.

There wasn't much (any) information on how to generate an SPC so I've used the following command:

openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out spc.pem -days 365 -nodes

This code generates a self-signed X.509 certificate using the RSA private key generated by the openssl req command. The private key is saved in a file named private_key.pem, and the certificate is saved in a file named spc.pem. The -x509 option specifies that a self-signed certificate should be generated, while the -newkey option specifies that a new private key should be generated. The -nodes option specifies that the private key should not be encrypted. The -days option specifies the certificate's validity period, which is set to 365 days. This command is commonly used to generate a self-signed certificate for testing or development purposes.

I then tested the changes in this PR by running goreleaser locally...

make fastly GORELEASER_ARGS="--clean --skip-validate --id windows"

  • starting build...
  • loading config file                              file=.goreleaser.yml
  • loading environment variables
  • getting and validating git state
    • building...                                    commit=c7e5240957d8a8aa5fad748d96395ab55eec7a58 latest tag=v8.1.2
    • pipe skipped                                   reason=validation is disabled
  • parsing tag
  • setting defaults
  • running before hooks
    • running                                        hook=go mod tidy
    • running                                        hook=go mod download
  • checking distribution directory
    • cleaning dist
  • loading go mod information
  • build prerequisites
  • writing effective config file
    • writing                                        config=dist/config.yaml
  • building binaries
    • building                                       binary=dist/windows_windows_arm64/fastly.exe
    • building                                       binary=dist/windows_windows_amd64_v1/fastly.exe
    • building                                       binary=dist/windows_windows_386/fastly.exe
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe-signed"
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe-signed"
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe-signed"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe"
    • took: 2s
  • storing release metadata
    • writing                                        file=dist/artifacts.json
    • writing                                        file=dist/metadata.json
  • build succeeded after 2s
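A post-build check for the sign-then-`mv` flow in the log above, as an added example (not code from this PR or from the Fastly CLI): it reads the PE header of a built `fastly.exe` and returns the Authenticode certificate table entry, handling both the PE32 (386) and PE32+ (amd64, arm64) layouts. `certTable` and `samplePE` are hypothetical names, the sample image is constructed header bytes rather than a real binary, and a non-empty table only shows that a signature blob is present, not that it verifies.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var le = binary.LittleEndian

// certTable returns offset and size of the PE certificate table (data directory 4); size 0 = unsigned.
func certTable(b []byte) (off, size uint32, err error) {
	if len(b) < 0x40 || string(b[:2]) != "MZ" {
		return 0, 0, fmt.Errorf("missing MZ header")
	}
	pe := int(le.Uint32(b[0x3c:])) // e_lfanew: offset of "PE\0\0"
	opt := pe + 24                 // signature (4) + COFF header (20)
	if pe < 0 || opt+2 > len(b) || string(b[pe:pe+4]) != "PE\x00\x00" {
		return 0, 0, fmt.Errorf("bad PE signature")
	}
	dirs := opt + 96 // PE32 (386): start of the data directories
	if m := le.Uint16(b[opt:]); m == 0x20b {
		dirs = opt + 112 // PE32+ (amd64, arm64)
	} else if m != 0x10b {
		return 0, 0, fmt.Errorf("unknown optional header magic %#x", m)
	}
	e := dirs + 4*8 // entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
	if e+8 > len(b) || le.Uint32(b[dirs-4:]) < 5 {
		return 0, 0, fmt.Errorf("no certificate table entry")
	}
	return le.Uint32(b[e:]), le.Uint32(b[e+4:]), nil
}

// samplePE builds a constructed, header-only PE image (not a real binary).
func samplePE(magic uint16, certOff, certSize uint32) []byte {
	b := make([]byte, 0x200)
	copy(b, "MZ")
	le.PutUint32(b[0x3c:], 0x80)
	copy(b[0x80:], "PE\x00\x00")
	le.PutUint16(b[0x98:], magic)
	dirs := map[uint16]int{0x10b: 0x98 + 96, 0x20b: 0x98 + 112}[magic]
	le.PutUint32(b[dirs-4:], 16) // NumberOfRvaAndSizes
	le.PutUint32(b[dirs+32:], certOff)
	le.PutUint32(b[dirs+36:], certSize)
	return b
}

func main() {
	fmt.Println(certTable(samplePE(0x20b, 0x200, 0x1a8)))
}
```

Run against each `dist/windows_*/fastly.exe` after the hooks finish, a returned size of 0 means the `mv` step left an unsigned binary in place.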

@Integralist Integralist added the enhancement New feature or request label Mar 24, 2023
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 60eeb05 to ea5e19c Compare October 6, 2023 16:37
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 4 times, most recently from 963eff6 to 57ed339 Compare October 16, 2023 09:02
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 827fd54 to 2dd3e40 Compare October 18, 2023 11:56
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 9d577b7 to f57340e Compare October 25, 2023 13:20
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 5 times, most recently from ada8f9b to 7d18278 Compare November 9, 2023 14:57
@Integralist Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 87a4fcb to 9b39823 Compare November 16, 2023 11:34
@Integralist Integralist force-pushed the integralist/windows-code-sign branch from 9b39823 to ce0229d Compare November 28, 2023 11:47
@@ -41,6 +41,10 @@ builds:
id: windows
goos: [windows]
goarch: ["386", amd64, arm64]
hooks: # https://goreleaser.com/customization/builds/#build-hooks
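Review bot: the hooks introduced under `hooks:` (only that line of the four added lines is visible here) sign with `./certkey/private_key.pem`, per the hook commands in the build log, and the description generates that key with `-nodes`, so the release job depends on an unencrypted private key sitting in the working tree. Load the key from the CI secret store at build time and keep `certkey/` out of version control. The logged `osslsigncode sign` command also carries no timestamp option (`-t` or `-ts`), so the signature stops validating once the 365-day certificate expires, and nothing runs `osslsigncode verify` on `fastly.exe-signed` before `mv` overwrites the unsigned binary; adding both would make a failed or stale signature break the build instead of shipping.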
Collaborator Author

We should probably just close off this PR for now until we have a plan to move forward.

@Integralist Integralist deleted the integralist/windows-code-sign branch June 26, 2024 06:35