feat: sign binaries (#1875)

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
2025-04-18 19:24:05 +03:00 · 2025-02-08 20:04:37 +01:00 · 2025-02-08 20:04:37 +01:00 · fc5b3051fa
commit fc5b3051fa
parent 1b2958a7cc
3 changed files with 76 additions and 0 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -22,6 +22,7 @@ env:
 jobs:
  build:
    runs-on: windows-2022
+    environment: build
    steps:
      - uses: actions/checkout@v4
        with:
@ -68,6 +69,40 @@ jobs:

          Get-ChildItem -Path output

+      - name: Sign build artifacts
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          $Version = Get-Content VERSION
+
+          $b64      = $env:CODE_SIGN_KEY
+          $filename = 'windows_exporter_CodeSign.pfx'
+
+          $bytes = [Convert]::FromBase64String($b64)
+          [IO.File]::WriteAllBytes($filename, $bytes)
+
+          $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+          $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+          Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+          Sort-Object { [Version]$_.Name } -Descending |
+          Select-Object -First 1 |
+          ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+          if (Test-Path $latestSigntool) {
+            Write-Output $latestSigntool
+          } else {
+            Write-Output "signtool.exe not found"
+          }
+
+          foreach($Arch in "amd64", "arm64") {
+            & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe"
+          }
+
+          rm windows_exporter_CodeSign.pfx
+        env:
+          CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+          CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
      - name: Build Release Artifacts
        run: |
          $ErrorActionPreference = "Stop"
@ -83,6 +118,40 @@ jobs:

          promu checksum output\

+      - name: Sign installer artifacts
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          $Version = Get-Content VERSION
+
+          $b64      = $env:CODE_SIGN_KEY
+          $filename = 'windows_exporter_CodeSign.pfx'
+
+          $bytes = [Convert]::FromBase64String($b64)
+          [IO.File]::WriteAllBytes($filename, $bytes)
+
+          $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+          $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+          Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+          Sort-Object { [Version]$_.Name } -Descending |
+          Select-Object -First 1 |
+          ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+          if (Test-Path $latestSigntool) {
+            Write-Output $latestSigntool
+          } else {
+            Write-Output "signtool.exe not found"
+          }
+
+          foreach($Arch in "amd64", "arm64") {
+            & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.msi"
+          }
+
+          rm windows_exporter_CodeSign.pfx
+        env:
+          CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+          CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
      - name: Upload Artifacts
        uses: actions/upload-artifact@v4
        with:
@ -103,6 +172,9 @@ jobs:
    runs-on: ubuntu-latest
    needs:
      - build
+    env:
+      DOCKER_BUILD_SUMMARY: false
+      DOCKER_BUILD_RECORD_UPLOAD: false
    steps:
      - uses: actions/checkout@v4
        with:
@ -165,3 +237,4 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: windows/amd64
+          annotations: ${{ steps.meta.outputs.labels }}
--- a/README.md
+++ b/README.md
@ -100,6 +100,9 @@ windows_exporter accepts flags to configure certain behaviours. The ones configu

 The latest release can be downloaded from the [releases page](https://github.com/prometheus-community/windows_exporter/releases).

+All binaries and installation packages are signed with an self-signed certificate. The public key can be found [here](https://github.com/prometheus-community/windows_exporter/blob/master/installer/codesign.cer).
+Once import into the trusted root certificate store, the binaries and installation packages will be trusted.
+
 Each release provides a .msi installer. The installer will setup the windows_exporter as a Windows service, as well as create an exception in the Windows Firewall.

 If the installer is run without any parameters, the exporter will run with default settings for enabled collectors, ports, etc.
--- a/installer/codesign.cer
+++ b/installer/codesign.cer