feat: add signing for windows binaries (#304)

overcookedpanda · web-flow · commit d70e07d2001c · 2025-01-17T15:34:50.000-05:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -61,8 +61,48 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: 1.22.x
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
       - name: Build binary
         run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build
+      - id: 'auth'
+        name: Authenticate with Google Cloud
+        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ secrets.CERTIFICATE_SA_CREDENTIALS }}'
+      - name: Set up Cloud SDK
+        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
+        uses: 'google-github-actions/setup-gcloud@v2'
+      - name: Sign windows binary
+        if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
+        run: |
+          echo "Downloading jsign.jar"
+          curl -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar
+          echo "Verifying jsign.jar checksum"
+          echo '05ca18d4ab7b8c2183289b5378d32860f0ea0f3bdab1f1b8cae5894fb225fa8a  jsign.jar' | sha256sum -c
+          echo "${{ secrets.CERTIFICATE_CHAIN }}" | base64 --decode > codesign-chain.pem
+          set +x
+          _filename=adder
+          ACCESS_TOKEN=$(gcloud auth print-access-token)
+          echo "::add-mask::$ACCESS_TOKEN"
+          java -jar jsign.jar \
+            --storetype ${{ secrets.CERTIFICATE_STORE_TYPE }} \
+            --storepass "$ACCESS_TOKEN" \
+            --keystore ${{ secrets.CERTIFICATE_KEYSTORE }} \
+            --alias ${{ secrets.CERTIFICATE_KEY_NAME }} \
+            --certfile codesign-chain.pem \
+            --tsmode RFC3161 \
+            --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
+            ${_filename}
+          unset ACCESS_TOKEN
+          set -x
+          echo "Signed Windows binary: ${_filename}"
+          echo "Cleaning up certificate chain"
+          rm -f codesign-chain.pem
       - name: Upload release asset
         if: startsWith(github.ref, 'refs/tags/')
         run: |
