Makefile: allow passing a Windows signing cert file

Currently, we build Windows objects on a dedicated VM which already has the certificate imported. When we build on GitHub Actions, we'll need to build binaries using a certificate and password specified on the command line. To do so, add several environment variables that allow specifying these values, and if they're specified, pass appropriate arguments on the command line. Note that we hide the output from these commands so as not to leak secrets into the log. Additionally, add a target to the Makefile which can be used to write a Base64-encoded certificate to a file on the file system without echoing it so we don't leak even the encrypted certificate to the log.
2019-09-05 21:50:36 +00:00 · 2019-09-05 21:50:36 +00:00 · 5cb868bb41
commit 5cb868bb41
parent 50d13e0ca2
1 changed files with 24 additions and 3 deletions
--- a/27
+++ b/27
@ -76,6 +76,18 @@ TAR_XFORM_CMD ?= $(shell tar --version | grep -q 'GNU tar' && echo 's')
 # actual signature is made with SHA-256.
 CERT_SHA1 ?= 824455beeb23fe270e756ca04ec8e902d19c62aa

+# CERT_FILE is the PKCS#12 file holding the certificate.
+CERT_FILE ?=
+
+# CERT_PASS is the password for the certificate.  It must not contain
+# double-quotes.
+CERT_PASS ?=
+
+# CERT_ARGS are additional arguments to pass when signing Windows binaries.
+ifneq ("$(CERT_FILE)$(CERT_PASS)","")
+CERT_ARGS ?= /f "$(CERT_FILE)" /p "$(CERT_PASS)"
+endif
+
 # SOURCES is a listing of all .go files in this and child directories, excluding
 # that in vendor.
 SOURCES = $(shell find . -type f -name '*.go' | grep -v vendor)
@ -317,13 +329,16 @@ bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz :
 	@# work properly.
 	$(MAKE) -B GOARCH=amd64 && cp ./bin/git-lfs.exe ./git-lfs-x64.exe
 	$(MAKE) -B GOARCH=386 && cp ./bin/git-lfs.exe ./git-lfs-x86.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x64.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x86.exe
+	@echo Signing git-lfs-x64.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x64.exe
+	@echo Signing git-lfs-x86.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x86.exe
 	iscc.exe script/windows-installer/inno-setup-git-lfs-installer.iss
 	@# This file will be named according to the version number in the
 	@# versioninfo.json, not according to $(VERSION).
 	mv git-lfs-windows-*.exe git-lfs-windows.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-windows.exe
+	@echo Signing git-lfs-windows.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-windows.exe
 	mv git-lfs-x64.exe git-lfs-windows-amd64.exe
 	mv git-lfs-x86.exe git-lfs-windows-386.exe
 	@# We use tar because Git Bash doesn't include zip.
@ -347,6 +362,12 @@ release-windows-rebuild: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
 		); \
 		status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; exit "$$status"

+.PHONY : release-write-certificate
+release-write-certificate:
+	@echo "Writing certificate to $(CERT_FILE)"
+	@echo "$$CERT_CONTENTS" | base64 --decode >"$$CERT_FILE"
+	@printf 'Wrote %d bytes (SHA256 %s) to certificate file\n' $$(wc -c <"$$CERT_FILE") $$(shasum -ba 256 "$$CERT_FILE" | cut -d' ' -f1)
+
 # TEST_TARGETS is a list of all phony test targets. Each one of them corresponds
 # to a specific kind or subset of tests to run.
 TEST_TARGETS := test-bench test-verbose test-race