feat(build): code-sign Windows binaries #884

Integralist · 2023-03-24T14:19:55Z

We're using osslsigncode to code-sign Windows binaries; to do that, we're told...

Before you can sign a file you need a Software Publishing Certificate (SPC) and a corresponding private key.

There wasn't much (any) information on how to generate an SPC so I've used the following command:

openssl req -x509 -newkey rsa:2048 -keyout private_key.pem -out spc.pem -days 365 -nodes

This code generates a self-signed X.509 certificate using the RSA private key generated by the openssl req command. The private key is saved in a file named private_key.pem, and the certificate is saved in a file named spc.pem. The -x509 option specifies that a self-signed certificate should be generated, while the -newkey option specifies that a new private key should be generated. The -nodes option specifies that the private key should not be encrypted. The -days option specifies the certificate's validity period, which is set to 365 days. This command is commonly used to generate a self-signed certificate for testing or development purposes.

I then tested the changes in this PR by running goreleaser locally...

make fastly GORELEASER_ARGS="--clean --skip-validate --id windows"

  • starting build...
  • loading config file                              file=.goreleaser.yml
  • loading environment variables
  • getting and validating git state
    • building...                                    commit=c7e5240957d8a8aa5fad748d96395ab55eec7a58 latest tag=v8.1.2
    • pipe skipped                                   reason=validation is disabled
  • parsing tag
  • setting defaults
  • running before hooks
    • running                                        hook=go mod tidy
    • running                                        hook=go mod download
  • checking distribution directory
    • cleaning dist
  • loading go mod information
  • build prerequisites
  • writing effective config file
    • writing                                        config=dist/config.yaml
  • building binaries
    • building                                       binary=dist/windows_windows_arm64/fastly.exe
    • building                                       binary=dist/windows_windows_amd64_v1/fastly.exe
    • building                                       binary=dist/windows_windows_386/fastly.exe
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe-signed"
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe-signed"
    • running hook                                   hook=osslsigncode sign -certs ./certkey/spc.pem -key ./certkey/private_key.pem -n "fastly-cli" -i "https://github.com/fastly/cli" -verbose -in "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe" -out "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe-signed"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_arm64/fastly.exe"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_386/fastly.exe"
    • running hook                                   hook=mv "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe-signed" "/Users/integralist/Code/fastly/cli/dist/windows_windows_amd64_v1/fastly.exe"
    • took: 2s
  • storing release metadata
    • writing                                        file=dist/artifacts.json
    • writing                                        file=dist/metadata.json
  • build succeeded after 2s

Integralist added the enhancement New feature or request label Mar 24, 2023

Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 60eeb05 to ea5e19c Compare October 6, 2023 16:37

Integralist force-pushed the integralist/windows-code-sign branch 4 times, most recently from 963eff6 to 57ed339 Compare October 16, 2023 09:02

Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 827fd54 to 2dd3e40 Compare October 18, 2023 11:56

Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 9d577b7 to f57340e Compare October 25, 2023 13:20

Integralist force-pushed the integralist/windows-code-sign branch 5 times, most recently from ada8f9b to 7d18278 Compare November 9, 2023 14:57

Integralist force-pushed the integralist/windows-code-sign branch 2 times, most recently from 87a4fcb to 9b39823 Compare November 16, 2023 11:34

feat(build): code-sign Windows binaries

ce0229d

Integralist force-pushed the integralist/windows-code-sign branch from 9b39823 to ce0229d Compare November 28, 2023 11:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(build): code-sign Windows binaries #884

feat(build): code-sign Windows binaries #884

Integralist commented Mar 24, 2023 •

edited

feat(build): code-sign Windows binaries #884

Are you sure you want to change the base?

feat(build): code-sign Windows binaries #884

Conversation

Integralist commented Mar 24, 2023 • edited

Integralist commented Mar 24, 2023 •

edited