From 0b73ab4150e4d3e50784e1ba2a58bd1f4fa6c6ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Miri=C4=87?=
Date: Thu, 26 Nov 2020 12:09:30 +0100
Subject: [PATCH 1/4] Sign Windows release binary and installer

Closes #1034
---
 .github/workflows/all.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 3080ece9a69..62352482060 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -307,6 +307,14 @@ jobs:
 Expand-Archive -Path ".\dist\k6-$env:VERSION-win64.zip" -DestinationPath .\packaging\
 move .\packaging\k6-$env:VERSION-win64\k6.exe .\packaging\
 rmdir .\packaging\k6-$env:VERSION-win64\
+ - name: Add signtool to PATH
+ run: echo "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+ - name: Convert base64 certificate to PFX
+ run: |
+ $bytes = [Convert]::FromBase64String("${{ secrets.CERTIFICATE }}")
+ [IO.File]::WriteAllBytes("k6.pfx", $bytes)
+ - name: Sign Windows binary
+ run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.exe"
 - name: Create MSI package
 run: |
 $env:VERSION = $env:VERSION -replace 'v(\d+\.\d+\.\d+).*','$1'
@@ -314,6 +322,8 @@ jobs:
 cd .\packaging
 candle.exe -arch x64 "-dVERSION=$env:VERSION" k6.wxs
 light.exe -ext WixUIExtension k6.wixobj
+ - name: Sign MSI package
+ run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.msi"
 - name: Prepare Chocolatey package
 run: |
 $env:VERSION = $env:VERSION.TrimStart("v", " ")

From 4353e64b43291e8b16e72a89a3ce81e26524f35e Mon Sep 17 00:00:00 2001
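Review bot: The `Convert base64 certificate to PFX` and `Sign Windows binary` steps in the first hunk of PATCH 1/4, and `Sign MSI package` in its second hunk, paste `${{ secrets.* }}` directly into the PowerShell script text, so Actions expands the value before PowerShell parses the line. A password containing `"`, `$` or a backtick would then be re-interpreted by the shell or break the command, and the expanded secret becomes part of the script body rather than data. Passing the values through the step's `env:` block (`WIN_SIGN_PASS: ${{ secrets.WIN_SIGN_PASS }}`) and reading them as `/p "$env:WIN_SIGN_PASS"` and `[Convert]::FromBase64String($env:CERTIFICATE)` avoids both problems. The job these steps belong to starts outside the hunk, so whether it can be triggered from untrusted pull requests is not visible here and is worth confirming before signing secrets are wired in.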
From: =?UTF-8?q?Ivan=20Miri=C4=87?=
Date: Mon, 30 Nov 2020 18:30:11 +0100
Subject: [PATCH 2/4] Use more generic signtool path

Resolves https://github.com/loadimpact/k6/pull/1746#discussion_r532530959
---
 .github/workflows/all.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 62352482060..0d7268d0596 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -308,7 +308,7 @@ jobs:
 move .\packaging\k6-$env:VERSION-win64\k6.exe .\packaging\
 rmdir .\packaging\k6-$env:VERSION-win64\
 - name: Add signtool to PATH
- run: echo "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+ run: echo "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 - name: Convert base64 certificate to PFX
 run: |
 $bytes = [Convert]::FromBase64String("${{ secrets.CERTIFICATE }}")

From be0de5c65dce7d33dc7006e9a4ecfbf99222afb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Miri=C4=87?=
Date: Mon, 30 Nov 2020 18:32:17 +0100
Subject: [PATCH 3/4] Update change in secret name

Resolves https://github.com/loadimpact/k6/pull/1746#pullrequestreview-540894781
---
 .github/workflows/all.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 0d7268d0596..ace7a6a3315 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -311,7 +311,7 @@ jobs:
 run: echo "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 - name: Convert base64 certificate to PFX
 run: |
- $bytes = [Convert]::FromBase64String("${{ secrets.CERTIFICATE }}")
+ $bytes = [Convert]::FromBase64String("${{ secrets.WIN_SIGN_CERT }}")
 [IO.File]::WriteAllBytes("k6.pfx", $bytes)
 - name: Sign Windows binary
 run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.exe"

From 0ed867c072a4a55b97d5ae6807f9fc8ffc2b415f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Miri=C4=87?=
Date: Mon, 30 Nov 2020 18:36:32 +0100
Subject: [PATCH 4/4] Remove PFX file after signing

Resolves https://github.com/loadimpact/k6/pull/1746#pullrequestreview-540894781
---
 .github/workflows/all.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index ace7a6a3315..ce6c69efa9a 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -324,6 +324,8 @@ jobs:
 light.exe -ext WixUIExtension k6.wixobj
 - name: Sign MSI package
 run: signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.msi"
+ - name: Cleanup signing artifacts
+ run: del k6.pfx
 - name: Prepare Chocolatey package
 run: |
 $env:VERSION = $env:VERSION.TrimStart("v", " ")
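Review bot: The `Cleanup signing artifacts` step added in PATCH 4/4 runs only when every earlier step succeeded, so a failure in either signtool call or in the MSI build leaves `k6.pfx` on disk. Adding `if: always()` to the step, with `run: Remove-Item k6.pfx -Force -ErrorAction SilentlyContinue` so a missing file does not fail the job, closes that gap. The key is also written to a relative path in the working directory and stays there during the MSI build, so placing it under `$env:RUNNER_TEMP` would keep it out of reach of packaging or artifact-upload globs. How much the leftover matters depends on whether the runner is ephemeral, which this hunk does not show. The job's remaining steps continue outside the hunk.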