CI: sign windows installer and executable

drakkan · Nov 19, 2021 · c41319b · c41319b
1 parent 46157eb
commit c41319b
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 22 deletions.
diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml
@@ -123,7 +123,7 @@ jobs:
           path: output
 
       - name: Prepare Windows installer
-        if: startsWith(matrix.os, 'windows-')
+        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
         run: |
           Remove-Item -LiteralPath "output" -Force -Recurse -ErrorAction Ignore
           mkdir output
@@ -139,10 +139,19 @@ jobs:
           $REV_LIST=$LATEST_TAG+"..HEAD"
           $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()
           $Env:SFTPGO_ISS_DEV_VERSION = $LATEST_TAG  + "." + $COMMITS_FROM_TAG
-          iscc windows-installer\sftpgo.iss
+          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
+          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
+          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
+          rm "$CERT_PATH"
+          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
+          iscc "$INNO_S" windows-installer\sftpgo.iss
+          certutil -delstore MY "Nicola Murino"
+        env:
+          CERT_DATA: ${{ secrets.CERT_DATA }}
+          CERT_PASS: ${{ secrets.CERT_PASS }}
 
       - name: Upload Windows installer artifact
-        if: startsWith(matrix.os, 'windows-')
+        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
         uses: actions/upload-artifact@v2
         with:
           name: sftpgo_windows_installer_x86_64

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
     tags: 'v*'
 
 env:
-  GO_VERSION: 1.17.1
+  GO_VERSION: 1.17.3
 
 jobs:
   prepare-sources-with-deps:
@@ -51,6 +51,11 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - name: Get SFTPGo version
+        id: get_version
+        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
+        shell: bash
+
       - name: Build for macOS x86_64
         if: startsWith(matrix.os, 'windows-') != true
         run: go build -trimpath -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/version.commit=`git describe --always --dirty` -X github.com/drakkan/sftpgo/v2/version.date=`date -u +%FT%TZ`" -o sftpgo
@@ -75,11 +80,6 @@ jobs:
         run: ./sftpgo initprovider
         shell: bash
 
-      - name: Get SFTPGo version
-        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
-        shell: bash
-
       - name: Get OS name
         id: get_os_name
         run: |
@@ -134,14 +134,13 @@ jobs:
           xcopy .\templates .\output\templates\ /E
           mkdir output\static
           xcopy .\static .\output\static\ /E
-          iscc windows-installer\sftpgo.iss
-        env:
-          SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          SFTPGO_ISS_DOC_URL: https://github.com/drakkan/sftpgo/blob/${{ steps.get_version.outputs.VERSION }}/README.md
+          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
+          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
+          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
+          rm "$CERT_PATH"
+          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
+          iscc "$INNO_S" windows-installer\sftpgo.iss
 
-      - name: Prepare Portable Release for Windows
-        if: startsWith(matrix.os, 'windows-')
-        run: |
           mkdir win-portable
           copy .\sftpgo.exe .\win-portable
           copy .\sftpgo.json .\win-portable
@@ -151,10 +150,16 @@ jobs:
           xcopy .\templates .\win-portable\templates\ /E
           mkdir win-portable\static
           xcopy .\static .\win-portable\static\ /E
+          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\win-portable\sftpgo.exe
           Compress-Archive .\win-portable\* sftpgo_portable_x86_64.zip
+          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo Portable" sftpgo_portable_x86_64.zip
+
+          certutil -delstore MY "Nicola Murino"
         env:
-          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          OS: ${{ steps.get_os_name.outputs.OS }}
+          SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}
+          SFTPGO_ISS_DOC_URL: https://github.com/drakkan/sftpgo/blob/${{ steps.get_version.outputs.VERSION }}/README.md
+          CERT_DATA: ${{ secrets.CERT_DATA }}
+          CERT_PASS: ${{ secrets.CERT_PASS }}
 
       - name: Upload macOS x86_64 artifact
         if: startsWith(matrix.os, 'macos-')

diff --git a/util/util.go b/util/util.go
@@ -554,10 +554,10 @@ func GetSSHPublicKeyAsString(pubKey []byte) (string, error) {
 func GetRealIP(r *http.Request) string {
 	var ip string
 
-	if xrip := r.Header.Get(xRealIP); xrip != "" {
-		ip = xrip
-	} else if clientIP := r.Header.Get(trueClientIP); clientIP != "" {
+	if clientIP := r.Header.Get(trueClientIP); clientIP != "" {
 		ip = clientIP
+	} else if xrip := r.Header.Get(xRealIP); xrip != "" {
+		ip = xrip
 	} else if clientIP := r.Header.Get(cfConnectingIP); clientIP != "" {
 		ip = clientIP
 	} else if xff := r.Header.Get(xForwardedFor); xff != "" {

diff --git a/windows-installer/sftpgo.iss b/windows-installer/sftpgo.iss
@@ -39,12 +39,14 @@ ArchitecturesAllowed=x64
 MinVersion=6.1sp1
 VersionInfoVersion={#MyVersionInfo}
 VersionInfoCopyright=AGPL-3.0
+SignTool=signtool
+SignedUninstaller=yes
 
 [Languages]
 Name: "english"; MessagesFile: "compiler:Default.isl"
 
 [Files]
-Source: "{#MyAppDir}\sftpgo.exe"; DestDir: "{app}"; Flags: ignoreversion
+Source: "{#MyAppDir}\sftpgo.exe"; DestDir: "{app}"; Flags: ignoreversion signonce
 Source: "{#MyAppDir}\sftpgo.db"; DestDir: "{commonappdata}\{#MyAppName}"; Flags: onlyifdoesntexist uninsneveruninstall
 Source: "{#MyAppDir}\LICENSE.txt"; DestDir: "{app}"; Flags: ignoreversion
 Source: "{#MyAppDir}\sftpgo.json"; DestDir: "{commonappdata}\{#MyAppName}"; Flags: onlyifdoesntexist uninsneveruninstall