workflows/release: use Azure Code Signing

All new keys for Windows code signing have to be hardware backed as of sometime in 2024. To make this possible for us, let's set up Azure Code Signing. We call each of the separate stages, signing the intermediate objects in between each stage. The Action requires that we specify all of the objects in a single folder with a single extension, so we separate the binaries of Git LFS itself from the installer binary so we can include signed binaries in the installer without re-signing the original binaries.
2024-01-19 17:01:17 +00:00 · 2024-01-19 17:01:17 +00:00 · d4f2c3d4bd
commit d4f2c3d4bd
parent f17318a6a4
1 changed files with 31 additions and 6 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -40,10 +40,6 @@ jobs:
      shell: bash
    - run: mkdir -p bin/releases
      shell: bash
-    - run: CERT_FILE="$HOME/cert.pfx" env -u TMPDIR make release-write-certificate
-      shell: bash
-      env:
-        CERT_CONTENTS: ${{secrets.WINDOWS_CERT_BASE64}}
      # We clear the TMPDIR set for Ruby so mktemp and Go use the same
      # volume for temporary files.
    - run: PATH="$HOME/go/bin:$PATH" GOARCH=amd64 go generate && env -u TMPDIR make bin/releases/git-lfs-windows-amd64-$(git describe).zip
@ -58,11 +54,40 @@ jobs:
      shell: bash
      env:
        FORCE_LOCALIZE: true
-    - run: PATH="$HOME/go/bin:/c/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86:$PATH" CERT_FILE="$HOME/cert.pfx" env -u TMPDIR make release-windows
+    - run: env -u TMPDIR make release-windows-stage-1
      shell: bash
      env:
-        CERT_PASS: ${{secrets.WINDOWS_CERT_PASS}}
        FORCE_LOCALIZE: true
+    - uses: azure/azure-code-signing-action@v0.2.22
+      with:
+        azure-tenant-id: ${{ secrets.SPN_GIT_LFS_SIGNING_TENANT_ID }}
+        azure-client-id: ${{ secrets.SPN_GIT_LFS_SIGNING_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.SPN_GIT_LFS_SIGNING }}
+        endpoint: https://wus.codesigning.azure.net/
+        code-signing-account-name: GitHubInc
+        certificate-profile-name: GitHubInc
+        files-folder: ${{ github.workspace }}/tmp/stage1
+        files-folder-filter: exe
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+    - run: env -u TMPDIR make release-windows-stage-2
+      shell: bash
+    - uses: azure/azure-code-signing-action@v0.2.22
+      with:
+        azure-tenant-id: ${{ secrets.SPN_GIT_LFS_SIGNING_TENANT_ID }}
+        azure-client-id: ${{ secrets.SPN_GIT_LFS_SIGNING_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.SPN_GIT_LFS_SIGNING }}
+        endpoint: https://wus.codesigning.azure.net/
+        code-signing-account-name: GitHubInc
+        certificate-profile-name: GitHubInc
+        files-folder: ${{ github.workspace }}/tmp/stage2
+        files-folder-filter: exe
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+    - run: env -u TMPDIR make release-windows-stage-3
+      shell: bash
    - run: env -u TMPDIR make release-windows-rebuild
      shell: bash
    - uses: actions/upload-artifact@v4