build fips release msi for windows/amd64

Signed-off-by: Justin Kolberg <amd.prophet@gmail.com>
sensu · Nov 6, 2023 · ba968c3 · ba968c3
1 parent da04b70
commit ba968c3
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 12 deletions.
diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml
@@ -36,18 +36,33 @@ jobs:
             runs_on: windows-2022
             builder_bin_path: '${RUNNER_TEMP}\bin'
             builder_bin_ext: .exe
+          - arch_os: windows_amd64
+            runs_on: windows-2022
+            builder_bin_path: '${RUNNER_TEMP}\bin'
+            builder_bin_ext: .exe
+            fips: true
+    env:
+      OTELCOL_FIPS_SUFFIX: ${{ matrix.fips && '-fips' || '' }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Fetch current branch
         run: ./ci/fetch_current_branch.sh
 
       - name: Setup go
+        if: ! (contains(matrix.arch_os, 'windows') && matrix.fips)
         uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: '**/go.sum'
 
+      - name: Setup go (Microsoft fork)
+        if: contains(inputs.arch_os, 'windows') && inputs.fips
+        run: |
+          curl -Lo go.zip https://aka.ms/golang/release/latest/go${{ env.GO_VERSION }}.windows-amd64.zip &&
+          powershell -command "Expand-Archive go.zip D:\\a\\_work\\1\\s" &&
+          echo "/d/a/_work/1/s/go/bin" >> $GITHUB_PATH
+
       - name: Set default BUILDER_BIN_PATH
         run: echo "BUILDER_BIN_PATH=${HOME}/bin" >> $GITHUB_ENV
 
@@ -73,17 +88,30 @@ jobs:
         run: make prepare-tag TAG=${{ steps.extract_tag.outputs.tag }}
 
       - name: Build
+        if: ! (inputs.fips && contains(inputs.arch_os, 'windows'))
         run: make otelcol-sumo-${{matrix.arch_os}}
         working-directory: ./otelcolbuilder
 
+      - name: Build (FIPS) for Windows
+        if: inputs.fips && contains(inputs.arch_os, 'windows')
+        run: make otelcol-sumo-${{matrix.arch_os}} FIPS_SUFFIX="-fips" CGO_ENABLED=1
+        working-directory: ./otelcolbuilder
+
       - name: Set filename
         id: set_filename
-        run: echo "filename=$(echo otelcol-sumo-${{ steps.extract_tag.outputs.tag }}-${{matrix.arch_os}})${{matrix.builder_bin_ext}}" > $GITHUB_OUTPUT
+        run: echo "filename=$(echo otelcol-sumo-${{ steps.extract_tag.outputs.tag }}-${OTELCOL_FIPS_SUFFIX}-${{matrix.arch_os}})${{matrix.builder_bin_ext}}" > $GITHUB_OUTPUT
 
       - name: Rename to include tag in filename
         run: cp otelcol-sumo-${{matrix.arch_os}}${{matrix.builder_bin_ext}} ${{ steps.set_filename.outputs.filename }}
         working-directory: ./otelcolbuilder/cmd
 
+      - name: Show Microsoft Cryptography Next-Generation symbols
+        if: inputs.fips && contains(inputs.arch_os, 'windows')
+        working-directory: ./otelcolbuilder/cmd
+        run: |
+          go tool nm ${{ steps.set_filename.outputs.filename }} | \
+          grep "vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt.GetFipsAlgorithmMode"
+
       - name: Sign Windows binary
         if: runner.os == 'Windows'
         uses: skymatic/code-sign-action@v2
@@ -371,6 +399,15 @@ jobs:
     runs-on: windows-2019
     needs:
       - build
+    strategy:
+      matrix:
+        include:
+          - arch_os: windows_amd64
+            platform: x64
+            fips: false
+          - arch_os: windows_amd64
+            platform: x64
+            fips: true
     steps:
       - uses: actions/checkout@v4
 
@@ -380,25 +417,25 @@ jobs:
       - name: Add msbuild to PATH
         uses: microsoft/setup-msbuild@v1.3
 
-      - name: Fetch binary artifact for windows/amd64
+      - name: Fetch binary artifact for ${{ matrix.arch_os }}
         uses: actions/download-artifact@v3
         with:
-          name: windows_amd64
+          name: otelcol-sumo${{ matrix.fips && '-fips' || '' }}-${{ matrix.arch_os }}.exe
           path: ./otelcolbuilder/cmd
 
-      - name: Rename binary for windows/amd64
+      - name: Rename binary artifact for ${{ matrix.arch_os }}
         working-directory: ./otelcolbuilder/cmd
-        run: mv otelcol-sumo-*-sumo-*-windows_amd64.exe otelcol-sumo-windows_amd64.exe
+        run: mv otelcol-sumo-*-sumo-*${{ matrix.arch_os }}.exe otelcol-sumo-${{ matrix.arch_os }}.exe
 
       - name: Set VERSION_TAG
         run: echo "VERSION_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
 
       - name: Set PRODUCT_VERSION
         run: echo "PRODUCT_VERSION=$(./ci/get_version.sh productversion)" >> $GITHUB_ENV
 
-      - name: Build MSI for windows/amd64
+      - name: Build MSI for ${{ matrix.arch_os }}
         working-directory: ./packaging/msi/wix
-        run: msbuild.exe -p:Configuration=Release -p:Platform=x64 -p:ProductVersion=$PRODUCT_VERSION -Restore
+        run: msbuild.exe -p:Configuration=Release -p:Platform=${{ matrix.platform }} -p:ProductVersion=$PRODUCT_VERSION -p:FIPSEnabled=${{ matrix.fips }} -Restore
 
       - name: Sign MSI
         uses: skymatic/code-sign-action@v2
@@ -408,13 +445,13 @@ jobs:
           certificatesha1: '${{ secrets.MICROSOFT_CERTHASH }}'
           certificatename: '${{ secrets.MICROSOFT_CERTNAME }}'
           description: '${{ secrets.MICROSOFT_DESCRIPTION }}'
-          folder: ./packaging/msi/wix/bin/x64/en-US
+          folder: ./packaging/msi/wix/bin/${{ matrix.platform }}/en-US
 
-      - name: Store MSI as action artifact for windows/amd64
+      - name: Store MSI as action artifact for ${{ matrix.arch_os }}
         uses: actions/upload-artifact@v3
         with:
-          name: windows_amd64_msi
-          path: ./packaging/msi/wix/bin/x64/en-US/*.msi
+          name: ${{ matrix.arch_os }}${{ matrix.fips && '_fips' || '' }}_msi
+          path: ./packaging/msi/wix/bin/${{ matrix.platform }}/en-US/*.msi
           if-no-files-found: error
 
   install-script:

diff --git a/scripts/install.ps1 b/scripts/install.ps1
@@ -17,6 +17,9 @@ param (
 
     # InstallHostMetrics is used to install host metric collection.
     [bool] $InstallHostMetrics
+
+    # Fips is used to download a fips binary installer.
+    [bool] $Fips
 )
 
 ##
@@ -395,6 +398,12 @@ try {
     # set http client timeout to 30 seconds
     $httpClient.Timeout = New-Object System.TimeSpan(0, 0, 30)
 
+    if ($Fips -eq $true) {
+        if ($osName -ne "Win32NT" || $archName -ne "x64") {
+            Write-Error "Error: The FIPS-approved binary is only available for windows/amd64"
+        }
+    }
+
     Write-Host "Getting installed version..."
     $installedVersion = Get-InstalledVersion
     $installedVersionStr = "none"
@@ -447,9 +456,16 @@ try {
     # add newline after breaking changes and changelog
     Write-Host ""
 
+    # Add -fips to the msi filename if necessary
+    $fipsSuffix = ""
+    if ($Fips -eq $true) {
+        Write-Host "Getting FIPS-compliant binary"
+        $fipsSuffix = "-fips"
+    }
+
     # Download MSI
     $msiLanguage = "en-US"
-    $msiFileName = "otelcol-sumo_${productVersion}_${msiLanguage}.${archName}.msi"
+    $msiFileName = "otelcol-sumo_${productVersion}_${msiLanguage}.${archName}${fipsSuffix}.msi"
     $msiUri = "https://github.com/SumoLogic/sumologic-otel-collector/releases/download/"
     $msiUri += "v${Version}/${msiFileName}"
     $msiPath = "${env:TEMP}\${msiFileName}"