CLI | Signing for the win binary was added to the CI (AST-42438) (#736)

* Signing for the win binary was added to the CI * Update .goreleaser-dev.yml continue with dev release process if signing fails --------- Co-authored-by: AlvoBen <[email protected]>
Checkmarx · May 19, 2024 · e639d4a · e639d4a
1 parent 8e31c41
commit e639d4a
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 0 deletions.
diff --git a/.github/scripts/signing_win.sh b/.github/scripts/signing_win.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# The purpose of this script is to sign Windows binaries on the remote Checkmarx signing server as part of the CI process
+
+# Check if FILEPATH parameter is provided
+if [ -z "$1" ]; then
+  echo "Usage: $0 <filename>"
+  exit 1
+fi
+
+FILEPATH=$1
+OS_TYPE=$2
+FILENAME=$(basename "$FILEPATH")
+FILENAME_SIGNED="$FILENAME"_signed
+
+# Define remote server details
+REMOTE_USER=$SIGNING_REMOTE_SSH_USER
+REMOTE_HOST=$SIGNING_REMOTE_SSH_HOST
+REMOTE_PATH="/tmp"
+
+# HSM credentials
+HSM_CREDS=$SIGNING_HSM_CREDS
+
+# Check if OS is windows
+if [ "$OS_TYPE" != "windows" ]; then
+  echo "The artifact is not a windows binary file, exiting."
+  exit 0
+fi
+
+# Check if required variables are set
+if [ -z "$REMOTE_USER" ] || [ -z "$REMOTE_HOST" ] || [ -z "$HSM_CREDS" ] || [ -z "$SIGNING_REMOTE_SSH_PRIVATE_KEY" ]; then
+  echo "Required environment variables are not set"
+  exit 1
+fi
+
+# Create an SSH key file from the secret
+SSH_KEY_PATH=$(mktemp)
+echo "$SIGNING_REMOTE_SSH_PRIVATE_KEY" > "$SSH_KEY_PATH"
+chmod 600 "$SSH_KEY_PATH"
+
+# Ensure cleanup of temporary files on exit
+trap 'rm -f "$SSH_KEY_PATH"' EXIT
+
+# Be sure we don't have already uploaded filess on the remote server
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+
+# Upload file via scp
+scp -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$FILEPATH" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
+# Check if file was uploaded
+if [ $? -ne 0 ]; then
+    echo "Failed to copy $FILEPATH"
+    exit 1
+fi
+
+# Sign
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "osslsigncode sign -certs /home/ubuntu/checkmarx.crt  -key 'pkcs11:object=CNGRSAPriv-cx-signing' -pass $HSM_CREDS -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -t http://timestamp.digicert.com -in '$REMOTE_PATH/$FILENAME' -out '$REMOTE_PATH/$FILENAME_SIGNED'"
+# Check remote command status
+if [ $? -ne 0 ]; then
+    echo "Failed to sign file $FILENAME"
+    ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME'"
+    exit 1
+fi
+
+# Download signed file via scp
+scp -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH/$FILENAME_SIGNED" "/tmp/$FILENAME_SIGNED"
+# Check the status
+if [ $? -ne 0 ]; then
+    echo "Failed to download signed file $FILENAME_SIGNED"
+    ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+    exit 1
+fi
+
+# Replace original file with the signed
+rm -f "$FILEPATH" && mv "/tmp/$FILENAME_SIGNED" "$FILEPATH"
+
+# Cleanup remote server
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+# Cleanup
+rm -f "$SSH_KEY_PATH"
+echo "Signing process completed successfully."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -110,6 +110,10 @@ jobs:
           GO_BOT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
           S3_BUCKET_REGION: ${{ secrets.S3_BUCKET_REGION }}
+          SIGNING_REMOTE_SSH_USER: ${{ secrets.SIGNING_REMOTE_SSH_USER }}
+          SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
+          SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+          SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
 
   notify:
     runs-on: ubuntu-latest

diff --git a/.goreleaser-dev.yml b/.goreleaser-dev.yml
@@ -32,6 +32,16 @@ builds:
       - -s
       - -w
       - -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
+    hooks:
+      post:
+        - cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}} || true
+          output: true
+          env:
+            - SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
+            - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
+            - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
+            - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+
   - main: ./cmd/main.go
     env:
       - CGO_ENABLED=0

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -31,6 +31,16 @@ builds:
       - -s
       - -w
       - -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
+    hooks:
+      post:
+        - cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}}
+          output: true
+          env:
+            - SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
+            - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
+            - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
+            - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+
   - main: ./cmd/main.go
     env:
       - CGO_ENABLED=0