b2356abe69
* feat(ci): first draft of signtool script * feat(ci): add test signing step * feat: another test commit that should fail * feat: this one should succeed * fix: create installer from resources executable * fix: prevent reset of resources * fix: remove test branch
139 lines
4.3 KiB
Rust
139 lines
4.3 KiB
Rust
//! ```cargo
|
|
//! [dependencies]
|
|
//! glob = "0.3.0"
|
|
//! fs_extra = "1.2.0"
|
|
//! base64 = "0.13.0"
|
|
//! anyhow = "1.0.38"
|
|
//! ```
|
|
|
|
use anyhow::Result;
|
|
use std::path::PathBuf;
|
|
use std::process::Command;
|
|
|
|
const WINDOWS_KITS_LOCATION: &str = "C:/Program Files (x86)/Windows Kits/10/bin";
|
|
const CERTIFICATE_TARGET_DIR: &str = "target/codesign";
|
|
|
|
fn main() {
|
|
let _ = std::fs::remove_dir_all(CERTIFICATE_TARGET_DIR);
|
|
std::fs::create_dir_all(CERTIFICATE_TARGET_DIR).expect("unable to create target directory");
|
|
let certificate_target_dir = PathBuf::from(CERTIFICATE_TARGET_DIR);
|
|
if !certificate_target_dir.is_dir() {
|
|
panic!("expected target directory, found none");
|
|
}
|
|
|
|
let signtool_path = get_signtool_location().expect("unable to locate signtool exe");
|
|
println!("using signtool location: {:?}", signtool_path);
|
|
|
|
let target_exe_file =
|
|
std::env::var("TARGET_SIGNTOOL_FILE").expect("TARGET_SIGNTOOL_FILE env variable not found");
|
|
let target_exe_path = PathBuf::from(target_exe_file);
|
|
if !target_exe_path.is_file() {
|
|
panic!(
|
|
"target file '{}' cannot be found",
|
|
target_exe_path.display()
|
|
);
|
|
}
|
|
|
|
println!("signing file: {:?}", target_exe_path);
|
|
|
|
let certificate_pwd = std::env::var("CODESIGN_PWD").expect("CODESIGN_PWD env variable not found");
|
|
let cross_signed_certificate_b64 = std::env::var("CODESIGN_CROSS_SIGNED_B64")
|
|
.expect("CODESIGN_CROSS_SIGNED_B64 env variable not found");
|
|
let codesign_certificate_b64 = std::env::var("CODESIGN_CERTIFICATE_B64")
|
|
.expect("CODESIGN_CERTIFICATE_B64 env variable not found");
|
|
|
|
let cross_signed_certificate = DecodedCertificate::new(
|
|
&cross_signed_certificate_b64,
|
|
certificate_target_dir.join("SectigoPublicCodeSigningRootR46_AAA.crt"),
|
|
)
|
|
.expect("unable to decode intermediate cross-signed certificate");
|
|
let codesign_certificate = DecodedCertificate::new(
|
|
&codesign_certificate_b64,
|
|
certificate_target_dir.join("codesign.pfx"),
|
|
)
|
|
.expect("unable to decode codesign certificate");
|
|
|
|
let mut cmd = Command::new(signtool_path);
|
|
cmd.args(&[
|
|
"sign",
|
|
"/fd",
|
|
"SHA256",
|
|
"/p",
|
|
&certificate_pwd,
|
|
"/ac",
|
|
&cross_signed_certificate.path(),
|
|
"/f",
|
|
&codesign_certificate.path(),
|
|
"/tr",
|
|
"http://timestamp.sectigo.com/rfc3161",
|
|
"/td",
|
|
"sha256",
|
|
&target_exe_path.to_string_lossy(),
|
|
]);
|
|
|
|
let mut handle = cmd.spawn().expect("signtool spawn failed");
|
|
let result = handle.wait().expect("unable to read signtool exit status");
|
|
if !result.success() {
|
|
panic!("signtool failed");
|
|
}
|
|
}
|
|
|
|
// Inspired by: https://github.com/dlemstra/code-sign-action/blob/main/index.ts#L143
|
|
fn get_signtool_location() -> Option<PathBuf> {
|
|
let mut path: Option<PathBuf> = None;
|
|
let mut max_version = 0;
|
|
for entry in glob::glob(&format!("{}/*", WINDOWS_KITS_LOCATION))
|
|
.expect("unable to glob windows kits location")
|
|
{
|
|
let entry = entry.expect("unable to unwrap glob entry");
|
|
if !entry.is_dir() {
|
|
continue;
|
|
}
|
|
if !entry.to_string_lossy().ends_with(".0") {
|
|
continue;
|
|
}
|
|
let folder_name = entry.file_name().expect("unable to extract folder_name");
|
|
let folder_version_str = folder_name.to_string_lossy().replace(".", "");
|
|
let folder_version = folder_version_str
|
|
.parse::<i32>()
|
|
.expect("invalid folder version string");
|
|
if folder_version > max_version {
|
|
let signtool_path_candidate = entry.join("x86").join("signtool.exe");
|
|
if signtool_path_candidate.is_file() {
|
|
path = Some(signtool_path_candidate);
|
|
max_version = folder_version;
|
|
}
|
|
}
|
|
}
|
|
|
|
return path;
|
|
}
|
|
|
|
struct DecodedCertificate {
|
|
decoded_file: PathBuf,
|
|
}
|
|
|
|
impl DecodedCertificate {
|
|
pub fn new(b64: &str, target_file: PathBuf) -> Result<Self> {
|
|
// Keys and certificates are encoded with whitespaces/newlines in them, but we need to remove them
|
|
let filtered_b64: String = b64.chars().filter(|c| !c.is_whitespace()).collect();
|
|
let decoded = base64::decode(filtered_b64)?;
|
|
std::fs::write(&target_file, &decoded)?;
|
|
Ok(Self {
|
|
decoded_file: target_file,
|
|
})
|
|
}
|
|
|
|
pub fn path(&self) -> String {
|
|
self.decoded_file.to_string_lossy().to_string()
|
|
}
|
|
}
|
|
|
|
// Delete the certificate files when they are not needed anymore
|
|
// to minimize the attack surface
|
|
impl Drop for DecodedCertificate {
|
|
fn drop(&mut self) {
|
|
std::fs::remove_file(&self.decoded_file).expect("unable to remove certificate file")
|
|
}
|
|
}
|