Sign Windows release binaries (#429)
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: https://github.com/pulumi/ci-mgmt/pull/1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
This commit is contained in:
Ramon Quitales
45
Makefile
45
Makefile
@@ -259,3 +259,48 @@ sdk/java: $(PULUMI) bin/${PROVIDER}
|
||||
docs: $(shell find docs/yaml -type f) $(shell find ./provider/internal/embed -name '*.md') ${SCHEMA_PATH}
|
||||
go generate docs/generate.go
|
||||
@touch docs
|
||||
|
||||
# Set these variables to enable signing of the windows binary
|
||||
AZURE_SIGNING_CLIENT_ID ?=
|
||||
AZURE_SIGNING_CLIENT_SECRET ?=
|
||||
AZURE_SIGNING_TENANT_ID ?=
|
||||
AZURE_SIGNING_KEY_VAULT_URI ?=
|
||||
SKIP_SIGNING ?=
|
||||
|
||||
bin/jsign-6.0.jar:
|
||||
wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
|
||||
|
||||
sign-goreleaser-exe-amd64: GORELEASER_ARCH := amd64_v1
|
||||
sign-goreleaser-exe-arm64: GORELEASER_ARCH := arm64
|
||||
|
||||
# Set the shell to bash to allow for the use of bash syntax.
|
||||
sign-goreleaser-exe-%: SHELL:=/bin/bash
|
||||
sign-goreleaser-exe-%: bin/jsign-6.0.jar
|
||||
@# Only sign windows binary if fully configured.
|
||||
@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
|
||||
@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
|
||||
@set -e; \
|
||||
if [[ "${SKIP_SIGNING}" != "true" ]]; then \
|
||||
if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
|
||||
echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
|
||||
echo "To rebuild with signing delete the unsigned windows exe file and rebuild with the fixed configuration"; \
|
||||
if [[ "${CI}" == "true" ]]; then exit 1; fi; \
|
||||
else \
|
||||
file=dist/build-provider-sign-windows_windows_${GORELEASER_ARCH}/pulumi-resource-docker-build.exe; \
|
||||
mv $${file} $${file}.unsigned; \
|
||||
az login --service-principal \
|
||||
--username "${AZURE_SIGNING_CLIENT_ID}" \
|
||||
--password "${AZURE_SIGNING_CLIENT_SECRET}" \
|
||||
--tenant "${AZURE_SIGNING_TENANT_ID}" \
|
||||
--output none; \
|
||||
ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
|
||||
java -jar bin/jsign-6.0.jar \
|
||||
--storetype AZUREKEYVAULT \
|
||||
--keystore "PulumiCodeSigning" \
|
||||
--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
|
||||
--storepass "$${ACCESS_TOKEN}" \
|
||||
$${file}.unsigned; \
|
||||
mv $${file}.unsigned $${file}; \
|
||||
az logout; \
|
||||
fi; \
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user