feat: renew windows code signing certificate (#4872)

* chore: install keylocker tools * chore: adapt win signing script * fix: win acc tests
snyk · Sep 25, 2023 · c17867b · c17867b
1 parent 3f827ee
commit c17867b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -184,6 +184,21 @@ commands:
       - install-deps-python:
           os: win
 
+  install-deps-windows-signing:
+    steps:
+      - run:
+          name: Install DigiCert Keylocker Tools
+          command: |
+            cd C:\
+            curl.exe -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
+            msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
+            & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe'
+
+  install-deps-windows-full-signing:
+    steps:
+      - install-deps-windows-full
+      - install-deps-windows-signing
+
   install-deps-windows-make:
     steps:
       - restore_cache:
@@ -202,6 +217,7 @@ commands:
             - ~\AppData\Local\Temp\chocolatey
       - install-deps-python:
           os: win
+      - install-deps-windows-signing
 
   install-deps-windows-node:
     steps:
@@ -405,7 +421,7 @@ workflows:
           go_arch: amd64
           go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
           make_target: build clean-golang build-fips
-          install_deps_extension: windows-full
+          install_deps_extension: windows-full-signing
           install_path: 'C:\'
           executor: win-server2022-amd64
           context: snyk-windows-signing

diff --git a/cliv2/scripts/sign_windows.ps1 b/cliv2/scripts/sign_windows.ps1
@@ -4,20 +4,19 @@ param (
 )
 
 # expected environment variables
-# $env:SIGNING_SECRETS_BINARY="EEE...."      # Base64-encoded PKCS#12 certificate data
-# $env:SIGNING_SECRETS_PASSWORD="FFF"        # Passkey for the PKCS#12 certificate
+# $env:SM_CODE_SIGNING_CERT_SHA1_HASH="EEE...."      # thumbprint of certificate
+
 
 # Define file paths and names
 $APP_PATH = Join-Path $EXPORT_PATH $PRODUCT_NAME
 $APP_PATH_UNSIGNED = "$APP_PATH.unsigned"
-$SIGNING_SECRETS = "secrets.p12"
 $SIGNING_SECRETS_B64 = "secrets.b64"
 
 # Prefix for log messages
 $LOG_PREFIX = "--- $(Split-Path $MyInvocation.MyCommand.Path -Leaf):"
 
 # if the required secrets are not available we skip signing completely without an error to enable local builds on windows. A later issigned check will catch this error in the build pipeline
-if (-Not (Test-Path env:SIGNING_SECRETS_BINARY)) {
+if (-Not (Test-Path env:SM_CODE_SIGNING_CERT_SHA1_HASH)) {
     Write-Host "$LOG_PREFIX Skipping signing, since the required secrets are not available."
     exit
 }
@@ -27,17 +26,18 @@ Write-Host "$LOG_PREFIX Signing ""$APP_PATH"""
 # create files as needed
 Write-Host "$LOG_PREFIX Creating p12 file"
 # Save the Base64-encoded PKCS#12 certificate data to a file
-$env:SIGNING_SECRETS_BINARY | Set-Content -Path $SIGNING_SECRETS_B64
+$env:SM_CLIENT_CERT_FILE_B64 | Set-Content -Path $SIGNING_SECRETS_B64
 # Decode the Base64-encoded PKCS#12 certificate data to a binary file
-certutil -f -decode $SIGNING_SECRETS_B64 $SIGNING_SECRETS
+certutil -f -decode $SIGNING_SECRETS_B64 $env:SM_CLIENT_CERT_FILE
 
 Write-Host "$LOG_PREFIX Signing binary $APP_PATH_UNSIGNED"
+
 # Move the original executable to the .unsigned version (as expected by signtool)
 Move-Item -Path $APP_PATH -Destination $APP_PATH_UNSIGNED
 
 # Find the latest version of signtool.exe and use it to sign the executable
 $SIGNTOOL = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\" -Recurse -Include 'signtool.exe' | Where-Object { $_.FullName -like "*x64*" } | Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty FullName
-& $SIGNTOOL sign /fd SHA512 /f $SIGNING_SECRETS /p $env:SIGNING_SECRETS_PASSWORD /d "Snyk CLI" /du "https://snyk.io" /t "http://timestamp.sectigo.com" /v $APP_PATH_UNSIGNED
+& $SIGNTOOL sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 /d "Snyk CLI" /du "https://snyk.io" /v $APP_PATH_UNSIGNED
 if ($LASTEXITCODE) {
     exit $LASTEXITCODE
 }
@@ -46,8 +46,8 @@ if ($LASTEXITCODE) {
 Move-Item -Path $APP_PATH_UNSIGNED -Destination $APP_PATH
 
 # Remove temporary files (the .unsigned version and the p12 certificate)
-Write-Host "$LOG_PREFIX Cleaning up $SIGNING_SECRETS"
-Remove-Item -Path $SIGNING_SECRETS
+Write-Host "$LOG_PREFIX Cleaning up $env:SM_CLIENT_CERT_FILE"
+Remove-Item -Path $env:SM_CLIENT_CERT_FILE
 Write-Host "$LOG_PREFIX Cleaning up $SIGNING_SECRETS_B64"
 Remove-Item -Path $SIGNING_SECRETS_B64