Skip to content

Commit

Permalink
ci(build): Introduce code signing
Browse files Browse the repository at this point in the history
The code signing is performed by the SignPath
Github Action. All releases are automatically
signed - both the MSI and all the binaries/DLLs.
  • Loading branch information
rabbitstack committed Dec 9, 2024
1 parent 20f4386 commit 9d1aa6a
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 4 deletions.
43 changes: 39 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,12 +88,29 @@ jobs:
- name: Package
shell: bash
run: |
export VERSION=${{ steps.get_version.outputs.VERSION }}
./make.bat pkg
export VERSION=${{ steps.get_version.outputs.VERSION }}
./make.bat pkg
mkdir ./build/msi/signed
- uses: actions/upload-artifact@v4
id: upload-msi
with:
name: fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi
path: "./build/msi/fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi"
- name: Sign MSI
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: "${{ secrets.SIGNPATH_API_TOKEN }}"
organization-id: "${{ secrets.SIGNPATH_ORG_ID }}"
project-slug: "fibratus"
signing-policy-slug: "release-signing"
github-artifact-id: "${{ steps.upload-msi.outputs.artifact-id }}"
wait-for-completion: true
output-artifact-directory: "./build/msi/signed"
- uses: actions/upload-artifact@v4
with:
name: fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi
path: "./build/msi/signed/fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi"
overwrite: true

build-slim:
runs-on: windows-latest
Expand Down Expand Up @@ -125,12 +142,30 @@ jobs:
- name: Package
shell: bash
run: |
export VERSION=${{ steps.get_version.outputs.VERSION }}
./make.bat pkg-slim
export VERSION=${{ steps.get_version.outputs.VERSION }}
./make.bat pkg-slim
mkdir ./build/msi/signed
- uses: actions/upload-artifact@v4
id: upload-msi
with:
name: fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi
path: "./build/msi/fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi"
- name: Sign MSI
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: "${{ secrets.SIGNPATH_API_TOKEN }}"
organization-id: "${{ secrets.SIGNPATH_ORG_ID }}"
project-slug: "fibratus"
signing-policy-slug: "release-signing"
artifact-configuration-slug: "fibratus-slim"
github-artifact-id: "${{ steps.upload-msi.outputs.artifact-id }}"
wait-for-completion: true
output-artifact-directory: "./build/msi/signed"
- uses: actions/upload-artifact@v4
with:
name: fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi
path: "./build/msi/signed/fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi"
overwrite: true

release:
runs-on: windows-latest
Expand Down
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,14 @@ To describe all rules in the catalog, use the `fibratus rules list` command. It

We love contributions. To start contributing to Fibratus, please read our [contribution guidelines](https://github.com/rabbitstack/fibratus/blob/master/CONTRIBUTING.md).

### Code Signing Policy

Free code signing provided by [SignPath.io], certificate by
[SignPath Foundation]. All releases are automatically signed.

[SignPath.io]: https://signpath.io
[SignPath Foundation]: https://signpath.org

---

<p align="center">
Expand Down

0 comments on commit 9d1aa6a

Please sign in to comment.