From 5cb868bb418e2ae89fb39df6cfc8b13594ce5e97 Mon Sep 17 00:00:00 2001 From: "brian m. carlson" Date: Thu, 5 Sep 2019 21:50:36 +0000 Subject: [PATCH] Makefile: allow passing a Windows signing cert file Currently, we build Windows objects on a dedicated VM which already has the certificate imported. When we build on GitHub Actions, we'll need to build binaries using a certificate and password specified on the command line. To do so, add several environment variables that allow specifying these values, and if they're specified, pass appropriate arguments on the command line. Note that we hide the output from these commands so as not to leak secrets into the log. Additionally, add a target to the Makefile which can be used to write a Base64-encoded certificate to a file on the file system without echoing it so we don't leak even the encrypted certificate to the log. --- Makefile | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 1bf509f5..ca387266 100644 --- a/Makefile +++ b/Makefile @@ -76,6 +76,18 @@ TAR_XFORM_CMD ?= $(shell tar --version | grep -q 'GNU tar' && echo 's') # actual signature is made with SHA-256. CERT_SHA1 ?= 824455beeb23fe270e756ca04ec8e902d19c62aa +# CERT_FILE is the PKCS#12 file holding the certificate. +CERT_FILE ?= + +# CERT_PASS is the password for the certificate. It must not contain +# double-quotes. +CERT_PASS ?= + +# CERT_ARGS are additional arguments to pass when signing Windows binaries. +ifneq ("$(CERT_FILE)$(CERT_PASS)","") +CERT_ARGS ?= /f "$(CERT_FILE)" /p "$(CERT_PASS)" +endif + # SOURCES is a listing of all .go files in this and child directories, excluding # that in vendor. SOURCES = $(shell find . -type f -name '*.go' | grep -v vendor) @@ -317,13 +329,16 @@ bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz : @# work properly. $(MAKE) -B GOARCH=amd64 && cp ./bin/git-lfs.exe ./git-lfs-x64.exe $(MAKE) -B GOARCH=386 && cp ./bin/git-lfs.exe ./git-lfs-x86.exe - signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x64.exe - signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x86.exe + @echo Signing git-lfs-x64.exe + @signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x64.exe + @echo Signing git-lfs-x86.exe + @signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x86.exe iscc.exe script/windows-installer/inno-setup-git-lfs-installer.iss @# This file will be named according to the version number in the @# versioninfo.json, not according to $(VERSION). mv git-lfs-windows-*.exe git-lfs-windows.exe - signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-windows.exe + @echo Signing git-lfs-windows.exe + @signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-windows.exe mv git-lfs-x64.exe git-lfs-windows-amd64.exe mv git-lfs-x86.exe git-lfs-windows-386.exe @# We use tar because Git Bash doesn't include zip. @@ -347,6 +362,12 @@ release-windows-rebuild: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz ); \ status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; exit "$$status" +.PHONY : release-write-certificate +release-write-certificate: + @echo "Writing certificate to $(CERT_FILE)" + @echo "$$CERT_CONTENTS" | base64 --decode >"$$CERT_FILE" + @printf 'Wrote %d bytes (SHA256 %s) to certificate file\n' $$(wc -c <"$$CERT_FILE") $$(shasum -ba 256 "$$CERT_FILE" | cut -d' ' -f1) + # TEST_TARGETS is a list of all phony test targets. Each one of them corresponds # to a specific kind or subset of tests to run. TEST_TARGETS := test-bench test-verbose test-race