From 3bd9ab8e9bc4d0925f9b0b4ff8b75f26d382b5a0 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Mon, 4 Oct 2021 03:00:01 +0200 Subject: [PATCH] .github/workflows: sign Windows binaries Fixes #326 Closes #328 Co-authored-by: Joshua Small --- .github/workflows/build.yml | 10 +++++++ .github/workflows/certs/README | 14 +++++++++ .github/workflows/certs/uitacllc.crt | Bin 0 -> 5605 bytes .github/workflows/certs/uitacllc.key | 42 +++++++++++++++++++++++++++ 4 files changed, 66 insertions(+) create mode 100644 .github/workflows/certs/README create mode 100644 .github/workflows/certs/uitacllc.crt create mode 100644 .github/workflows/certs/uitacllc.key
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8002d0e..9a83d14 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,7 @@ jobs:
 build:
 name: Build binaries
 runs-on: ubuntu-latest
+ environment: "Build, sign, release binaries"
 steps:
 - name: Install Go
 uses: actions/setup-go@v2
@@ -21,6 +22,7 @@ jobs:
 fetch-depth: 0
 - name: Build binaries
 run: |
+ sudo apt-get update && sudo apt-get install -y osslsigncode
 cp LICENSE "$RUNNER_TEMP/LICENSE"
 echo -e "\n---\n" >> "$RUNNER_TEMP/LICENSE"
 curl "https://golang.org/LICENSE?m=text" >> "$RUNNER_TEMP/LICENSE"
@@ -31,6 +33,14 @@ jobs:
 cp "$RUNNER_TEMP/LICENSE" "$DIR/age"
 go build -o "$DIR/age" -ldflags "-X main.Version=$VERSION" -trimpath ./cmd/...
 if [ "$GOOS" == "windows" ]; then
+ for exe in "$DIR"/age/*.exe; do
+ /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
+ -certs .github/workflows/certs/uitacllc.crt \
+ -key .github/workflows/certs/uitacllc.key \
+ -pass "${{ secrets.SIGN_PASS }}" \
+ -n age -in "$exe" -out "$exe.signed"
+ mv "$exe.signed" "$exe"
+ done
 ( cd "$DIR"; zip age.zip -r age )
 mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
 else
diff --git a/.github/workflows/certs/README b/.github/workflows/certs/README
new file mode 100644
index 0000000..71f3355
--- /dev/null
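Review bot: Nothing in the first hunk of build.yml records what the new `environment: "Build, sign, release binaries"` line is expected to enforce, and the environment's protection rules live in repository settings that this diff cannot show. If `SIGN_PASS` is stored as a secret of that environment (inferred from its use in the third hunk), the signing passphrase is only as restricted as those rules. I would add a comment above the line, for example `# Gates SIGN_PASS: keep this environment restricted to release tags / required reviewers`, so that a later change to the workflow trigger is reviewed with that dependency in mind.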
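Review bot: In the signing loop of the third build.yml hunk, `-pass "${{ secrets.SIGN_PASS }}"` has the workflow engine paste the passphrase into the script text before bash runs, so it ends up in the generated script file and in the osslsigncode argument list, and a quote, `$` or backtick inside it would be interpreted by the shell. Map it through the step's `env:` block (`SIGN_PASS: ${{ secrets.SIGN_PASS }}`) and pass `-pass "$SIGN_PASS"`, or write it to a file under `$RUNNER_TEMP` and use osslsigncode's `-readpass` so it also stays out of the process arguments. The same step also runs `apt-get`, `curl` and `go build`, so a separate signing step or job would narrow what executes alongside the passphrase. The `run:` script and its surrounding loop start and end outside the hunk, so how a failed `osslsigncode sign` is handled there is not visible here.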
+++ b/.github/workflows/certs/README
@@ -0,0 +1,14 @@
+In this folder there are
+
+ uitacllc.crt
+
+ PKCS#7 encoded certificate chain for a code signing certificate issued
+ to Up in the Air Consulting LLC valid until Sep 26 23:59:59 2024 GMT.
+
+ https://crt.sh/?id=5339775059
+
+ uitacllc.key
+
+ PEM encrypted private key for the leaf certificate above.
+ Its passphrase is long and randomly generated, so the awful legacy key
+ derivation doesn't really matter, and it makes osslsigncode happy.
diff --git a/.github/workflows/certs/uitacllc.crt b/.github/workflows/certs/uitacllc.crt new file mode 100644 index 0000000000000000000000000000000000000000..ddfc531d3cbf58b626c167dd260448b89d3df7a4 GIT binary patch literal 5605 zcmc(jc|4Ts-^b@3Gea7CWGTj4LhiAXHA^ZXLyMGU48}HMl*l&1L1c*|*_CxFazYD| zkg{Y+_Oe8lL-vy8xrdyi-|sxam17F3o|1UD{oD3pUj1sPd+ zWqDL532_|^jN{JQll{c0Ai>EcNwq1e z(#Jbfrhg&MY(&|3t=9GI-Dk}_H(OOnFVB)*#haE4SQN@2M87=#Eymld+|jS#((q}) z-`~u4P#o)n8jtP3sk->~^A9aum+WYKFE|M=Y;o{4s2i;Ul z2A^s*){B8Jdz4NPEt%Uo+Zw!2cG_9IVNBAvS(y}3Xl9Y!*xg*Q`h>)^s`gg>L;ELf zRxgd)=&mZ;)xDlB1LnV9*(lVR1ZrJ15ER@Bo=<%`5=0jzG}C=>tGCE#{!ba1aJ^&>~R; z8e~KWKgzVgWcn2M1{{ z=Z~>)fNQq{ne67FA}#H)DVc+Kl8dyqF%D!vq3i?E&^YiYEtde|FsKQtr>mx`gecL* zKtu5E&Ih*-`=PB(Y0;GRLs;5ckgN_uy}>J6GeZk?0i8gdtr&!F%S!&2vXcMY4+w;8 z><3yK3Gd;yJ$MKlq z$VuJNSnV@{BaEq%dzFq~!A-w>T`qZ{`N3BLB~0c}fT}D^R|4TLms6h^r^mo}sQaqF zC?n-yjuGBas3rn*OMv_%sETXsB0>D zyG|M&cZPRH*x5+DU^#{KtT2S-o{UVU3MYw$gx61TuW@B)h-P(L2`z@-`<55iR1~ww zmeTiOwxziHd2xuxnu8Rg3g;rSBfVAsTh;MT3yi>N=|LCchy0;lJ$w%N`7NJzPFf{- zPITZ(s^9Y411XlG#+lIzmrb>vrbtG#qu7Ee_YdG2il5F2rzl>(%JD{@-=Z0e%g(!M zCH3CTo8WhZddLp_`225=P4`Q@b~~nmARe$$m$>G6S7Ma|0b~93ik2%#LGePkhi~GZ z)n=~?+5|{F6n%vg1L>OaA08QaY8!X|miAJh1oX;6v={k1+MAF_WQ>X27Vl+cWd7hi zWCF4>*e%}wdtBy!qWW!#6x_1BMwAsw+wpnxg8$+x9FF@{Q=7Bj${G6j-B$>*JK6YQ zdV0>o#^d)?( zddlje!uw=d>OH}CqM=3{J?bMOx?L=732wJ|;*#keujY^98;87l2Q&<0gS%StI|!%K z{N^Oq_Wza6 zh@1&L>||pMPyT?)#Zvm|s2cvuk}K5SG|l8nhY4j;ggUY5mB2mVYr@kLICa*71@qzB zsuv>}Cu;5t7`WnxW|O~utnPZZ?q{XLaJaWpp5DJlF#X&_n%`-j)flxb+##n}`@Gf6 zp6}O>I%gkwy_f+rxMY#h?RO-+MCp27jljB<-jbi@XrJE0v!rudRJVnwZuJw@WhP>i z*5woQrT1$dcEc#dSnLiS*+%uhg#J%d2SPx08dEo@&H$nyxWj?}hV6WtAm0VDgD4aN zVmfRanU8OhSqFsJoDQ)$MCD&3Gfe}K1UA_0v&CYF%_PtT)Z2<7HvgITf5+ynyl#s4 z{~Mj5`+-`g3|z)5xcX#pVs3M+Bi0fS*V(wR*Vv(=!@%#*{ zMsG*4R!2-*d7T~8wFKktA#;a3nEk3}Q@Q3kuNL{ocZesQtSIlp=9{OqeXwEVnZ>;6 z9KKw1{r7;R9=^M0=T$f?&OQp#v0N(T_4XwUG#B=Q6+#Bc*snFGy;_GlOgzF&u4O(! 
z6}O2-D9O2K^C{;UUK@Q8erx87SOnpdolo+$gG_2-=BkLgXRWfOlMAZeio+TorquEd znLa~EQZ=zJoSO_%!*U7|65Z0No@HbYML`u3U#$3>d*QFM_g5Gijy=u|OVR1X*=3HD;`WZCV{cqRV`E$2u_~wWle@0M5qpgvNk8Cjw=Sx? z(XVqu;mHR@C$@%DlJd(nMCTQ&QPZB(1M)WoF1J;lQa#)0F!6yKCg)?&d)2aG5jnAZ zOri=g(78OG8D8QNWKe!=*M1FUio0Lwaj|=jJu~l9J0&^^Zr|cF?m3_h{iWaS?<#!k z6cF0A2Py_gkUO0I;STyMalcua-HcSosSgk9xXJa8?%?yYJMe)#G!I}vvmbFMSd$6v zm=o5ncn5+9^cBmx@h=NOkEX|2JKK@mZLz!{H?2D(noXPJLb4^%YJsidL2yI;2s$*k zmX;Pqo8V3++7aE|CA((okT{uQUz1MdTn|_i+y%sZM68>l~q5o|t zUL-7heVRS)knhuy@bYq`|GwK!gtohAV$rjs%1JXWuKC01LHoLsm?VtHj-M+ovsJj` zcT6qsVu5wBN3rTo^mLEx=}#4MibKEhonIATSEJBf8u_ka*Lo96Ty`mzqgHu)^~M^{ z+ScVuAquJ;$3IHv4-eXWu&YT{$QEZKqVmu;l$l}ak+tE)+Ou~Ytg+P zb;;p;?!sDnz|+3pWekt!SMVo>RpjfcyP8|x$T;^V1q=Z{(-mvhGO;K%+UMeaSuO(! z%cQ!|y+uJ}qB`}Z!=a)Pd)cHChK~VAea)#wimhJmf=3}Le%6_gR%v!_Px5KrIxoGe zZuvL)D7&elVfqOJNxOR)LSR`{xjO#8;m%p<&+J6B#6>Z=>T08%CWw}vZMvnud z5RMox&8OE(W{OkUVR!3{g?QFubT+7@`c_Xt{%Z1*sp@y%7%wgRA^9|4$I6er^KN6s#!VLZ7-~;h#%3c4r;GN&Lnb==?+&`Kat?u14F(gO_nb==f zCx7c;+M5oh3aWrg=?dv`Au`(>3@Sw+DdMd+Y7$6$+oZRpybb4)+j1(%x%Pu%pvYDX z)dSo=@@>=u+Y@fr&1OLWz}PD@rX$Eni8^IOy+;KijOaVz_GK!8mAc`+CiJgMgg!Kz);I*lw9g&f#nWHD_gy_MO4Xn2*7{4g)#*N_i~`qL-^8dAMqRF|hNM z#y2H?CVrr*=AKWf-*fJM=bSXTxy*0zeNYNpf=$wWU5;-5-Xq^XRGXxYpv=ZnuFtC2 zoP0JZ!Xn;&Cg9qzu8(;qgj*SqLdUy_Tmaa9kC4!L%YT}&pd5&WJ{uS9Smr0j{zn%_ z0sa}p01dAhZ^K1BQDU}5-8903v*+>S*KmX80W^+**%)@vY|WmC7hRI z9Gk_Terr`}adDr_84~@1Q`z@j5)VrA8#?fo9@o2(w{n$o-|Y5MI7uB#o%d3SY-Z^? zJeY_skWOO;`lr)w9i5T-Kqa5xOMG;s=975Kw`lG4z z8=d{F)z^}lE_{}*-vm+Mb1<-c8)g0yLO)XmwQ;)k6J>lhnL!5K{~yeNSd%Uj0{#0Zm3PYZhT=8nR2C?Kii^}#i}FHnA=Fq5EvRMygOC-jBKh^xw^t$R%c{BA7+L0w<<**n_HZDQTg&QIiy6& z*Qud(POne8_M>BUwH%$KZ$h8>3+5cgTUE%20<`p;g-WxtqS=nnew?QBndz010)i`I zk*`w3Q8_Q4NO*xWztQ?Zo|%LzpUrdlnCbfBy>n3(OKRnW!|18m`?Et5N-8@7A2|iTuaNp(gSYe{esIA? XlG5%7(=wh>4oZt3Q%Fd3#lrpz&`4&! literal 0 HcmV?d00001 diff --git a/.github/workflows/certs/uitacllc.key b/.github/workflows/certs/uitacllc.key new file mode 100644 index 0000000..9daf1d6 --- /dev/null 
+++ b/.github/workflows/certs/uitacllc.key 
@@ -0,0 +1,42 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,B93C1A166F3677D68FB9CB3E8A184729 + +UriYsaq3tLyvycDDB2YeQ+9L1P5VCPcfVkYR1ocleF8WxNDUPdz3RqbryAZZdXVO +0bcvAHTXkdI4Oiw5mN0S8fGsNq9zn+pyResx3lXtgN3oCDCe2SQn28uEEKxPzud5 +0NRXYoBP+pLDjiuQ/6Lp7DovnAO/uxaPFvYRMiknNVOhwyHGWZyuUe01S9J9im7y +vgc1wkyQzmABIhARynEXHp3KnM9aF8X1/ck839lQRBFrvRFNm5rqiON26spr1Hu5 +znrbVGROYk0XNdH5VHDk7V9k+v2WLL/b4nxlMymZpDzr9pXzX8olpLnQrarsMbHe +ysfXNTtQi5Dq6KXURW8VA4DmxAzTRNUxe2aA4JnAEyFU5LDLetTN9F9M7BUkHbXH +RpSbZqDjPwg7U98vuSwxjIkncHSiYYi3FmSoupLvV+eIP6qRSgONdzGlP5NTn4Lh +N1lYMPHPldH6UjLHrldkYN16TQlrqNHZExN91XvsZVjpyAgErY18xwi3CTEco45D +fRqsiWXtoas4LkafhSY0vfl5aFhY9YPUpS6uFdgWBvgcQeYb8meX5Nr4dNXVk5Wa +yRlYlW/X0TWC0T9qaBOPN/z7OWO5aL4jYRcKQQ+aR8gFcHGGCpRAKD369OneXfOQ +MD9UHoPG4WTBg/NU9OSskcywfuSOkwAGfBVNXrnEj6tYFjsjYK2nC2gm+opUCfm0 +a1FeDb5nQSOgOJKUCO6Aj+0NvDvVLUOsTk1lfzSugIkmUOdV+rXHnrZC+90q8KfN +S2JlzwSZNg0e+VxZpnD7k7axHkbHrbebtrLvzKVnrh3s0OFAXN0isMw7yhhWtzUe +mPoQTZusLDOAJe/QPuNlDUgr4uoVZtoXrPzoZZkw2VFLwYy2g/EYvlK9BdVVTnRm +9Hq9IBDrZw+SV/7roaeVOXbzrQoxEoXcL7eo6iWvV5Q7Ll5C4ovelHKy3IAzcpYP +6LKfxAO2sIKTALrHbtBNG+O4RTtxOva1hyg27V4v2k53CF/GhoBRPSpbbupwppXc +lJJ9RtMTRfhCv/ObhdsJED+YUqFifTJfcnQ1iGN8dnBuGrjXxVCN0wgmv46Pdhn0 +tUfGlkFquOOWamaVaIvp6JCVUDa1ezMzleILoYvrxvOuP+dGVrwTwVCXpx4JuUgp +d72/w+EnqlZnwsAzdrErJFXnHux981ZoojmG94km1B6gPPwMB8JRcD67lfhG/vne +IpTuuzGaSInf24cGNig01hbBuKSg79yNY0llkECPBXbEhfkemEMhg1WHoNP2eG8j +MHS5OCT5KiOfi77pSO3M2mGB1HWYE5R0lcMibukK9ZdyIYcTeMZ0RcGm6YSNv570 +ok/Ex4LUCW66AIWFefmbIOtJSIMHlNKWRPJwnJxVoE5qgH0f/2xL3k15vpI55lAS +sabzegnYlElPbUlZGhgwjKknxgqMhFIW/ZS0h2FukFLwipr4qI47nHWz5dguNkYn +48sSKg3YMhVx/sT+X2A/6zqsC+p4PT7Ti5ruWb7S9L9vRuBdIDNE9qAwuz0g8Bs3 +WhOx6OW2ZqDQEuRhN0lyGA0mwRC4HPFE9b8dnN8lNm+RsnMfNoFxzPnqtsxhEAwa +2a4ijT97ka94lDy7WQ2bwLRz7trKV/T6MeETKE4s7+z2dMTr1f8IwA2uCovFmO9T +aMQAePFEtDT3qwIPu0zH1ocSCkZ50f7RgVmp4FNn03uT/TnsASrr5CS9m8A9gjEn +QiztQyqt27fTT61YkNdA6lwbpFiByugVbS+mWsNa9kvBkgQkcMQwgrELmU9sYdBT 
+nRMa60i0nEINT/x3zFvT6R7Dl/O8/QhXLeYv20X2roghPw48IovLb8x7dT3YEQSn +ARIXXVPxwOVvS8xcCa69/+1HjC6vNG9dNNnAsVHxB8mDTBqmmLzAMOVzDoNWEgDd +zoRhQ3ORb1brPlKWg8um/svLiSV63ZYi2J8LPamoGmZ/7J8i5rjOpOeG493UICBR +JymmYGUo6/C1Ze8swdMHApVU/spo0s8BCGkMjYUAaxXD7RufN2DuY30Vny/DMn4y +XasuHS9RstD2Okv25PD06Y2H52HJ6MNdArmPZRe0k2ZbhATs5dXOfmaF5Z0f4IkE +G+hsxE1wlCo900ewntx16sBCbI0v9aE+Napf2+ueqPQ06CdfiTG5yOmeXzgR/8zS +KVmTHpmmFpYtj/N350BLAVb/Hwzmh+ieWnO7TUjvNAHUn2i5LZU65rN3GOlPyIlz +DzB2T6KjOUPFKqSRrIin14HLyf5w0vDuJhe5Zpe0hhYKvoKhwCEVefbmkasWeso3 +xsXxOOoL39GA0QpYjR6ztqR8fS9jTeu5IY+zY5LO8yS7+StP3H8CcqRMuxb3ntym +-----END RSA PRIVATE KEY-----
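Review bot: With `uitacllc.key` checked in, the passphrase held in `SIGN_PASS` is the only thing protecting the code-signing key, and the `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` header indicates the traditional OpenSSL PEM format, whose passphrase-to-key derivation has no work factor. Because this ciphertext stays in git history, changing the passphrase later does not protect the published copy; an exposed or weak passphrase can only be answered by revoking the certificate. Consider keeping the key out of the tree, for example as a secret of the signing environment that is written to `$RUNNER_TEMP` for the signing step and removed afterwards. Whichever way it is stored, the certs README should state the recovery step, for example `If SIGN_PASS is ever exposed, revoke the certificate; re-encrypting the key is not enough.`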