From 378074147e7458c0466507b8ea8b79b4389d8bb6 Mon Sep 17 00:00:00 2001 From: Ben Rockwood Date: Fri, 25 Aug 2023 13:01:21 -0700 Subject: [PATCH] Update codesigning for mac and windows Signed-off-by: Ben Rockwood --- .github/workflows/goreleaser.yml | 51 ++++++++++++++++++++++++++++---- .goreleaser.yml | 12 ++++++-- 2 files changed, 55 insertions(+), 8 deletions(-) diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index e7ba0ca2b5..4900637e71 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -5,6 +5,13 @@ on: tags: - '*' workflow_dispatch: + inputs: + skip-publish: + description: 'Skip publishing to releases.mondoo.com?' + type: boolean + required: false + default: false + env: REGISTRY: docker.io @@ -28,7 +35,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: ">=1.20.4" + go-version: ">=1.21.0" cache: false - name: 'Authenticate to Google Cloud' 
@@ -60,9 +67,29 @@ jobs: env: CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}' - - name: Install Quill for Mac Signing and Notarization + - name: Configure DigiCert Signing Variables + shell: bash + run: | + # CertLocker Authentication Certifiate + CERT_PATH="$(mktemp -t cert.XXX)" + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH} + echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + # CertLocker API Key & Host + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + # DigiCert CertLocker Code Signing Certificate + echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" + echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV" + + # - name: Install jSign (Windows Signing Tool) -- Required for public runners + # run: | + # curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb + # sudo dpkg -i ./jsign_5.0_all.deb + + - name: Install Quill for Mac Signing and Notarization run: | - curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp v0.2.0 + curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp /tmp/quill help - name: Log in to the Container registry 
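Review bot: The Quill install line drops the `v0.2.0` pin and now executes whatever `install.sh` on `main` resolves to at run time, so the tool that signs and notarizes release binaries comes from an unpinned `curl | sh` download that can change between two builds of the same tag; pin it again, e.g. `sh -s -- -b /tmp <quill release tag>` (chosen version recorded in the workflow), ideally with a checksum check on the downloaded archive. In the DigiCert step every secret is expanded with `${{ secrets.* }}` straight into the generated shell script and then echoed into `$GITHUB_ENV`; passing them through the step's `env:` block and reading `"$VAR"` in the script keeps the raw values out of the script text and avoids breakage if a value ever contains quotes or shell metacharacters — the rewritten pattern for the client certificate is below, the same applies to the other `SM_*` exports. The jsign install step stays commented out while `.goreleaser.yml` now invokes `jsign`, so the Windows hook only works if the runner image already ships it; if that is intentional, say so in the comment (`# jsign is expected on the self-hosted runner; enable this step for public runners`). Nit: `Certifiate` in the first comment should read `Certificate`.
```yaml
      - name: Configure DigiCert Signing Variables
        shell: bash
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # CertLocker authentication certificate
          CERT_PATH="$(mktemp -t cert.XXX)"
          printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > "${CERT_PATH}"
          echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
          # … unchanged: remaining SM_* exports, each read from an env: entry instead of ${{ secrets.* }} …
```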
@@ -87,12 +114,21 @@ jobs: QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} - - - name: Check RPMs + + - name: Check RPMs run: | rpm -qpi dist/*.rpm + - name: Output Quill Logs + if: ${{ failure() }} + run: | + for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do + echo "=== $f ===" + ls -l $f + cat $f + done - name: Publish Release to releases.mondoo.com + if: ${{ ! inputs.skip-publish }} uses: peter-evans/repository-dispatch@v2 with: token: ${{ secrets.RELEASR_ACTION_TOKEN }} @@ -102,3 +138,8 @@ jobs: "repository": "${{ github.event.repository.name }}", "version": "${{ github.ref_name }}" }' + + - name: Cleanup + if: always() + run: + rm -f ${CERT_PATH} diff --git a/.goreleaser.yml b/.goreleaser.yml index ad0e80ca5f..7030ef78e4 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,7 +1,13 @@ +# Copyright (c) Mondoo, Inc. +# SPDX-License-Identifier: BUSL-1.1 + --- project_name: cnquery env: - CGO_ENABLED=0 +before: + hooks: + - make providers builds: - id: linux main: ./apps/cnquery/cnquery.go @@ -38,9 +44,9 @@ builds: - -s -w -X go.mondoo.com/cnquery.Version={{.Version}} -X go.mondoo.com/cnquery.Build={{.ShortCommit}} -X go.mondoo.com/cnquery.Date={{.Date}} hooks: post: - - cmd: /tmp/quill sign-and-notarize "{{ .Path }}" -vv + - cmd: /tmp/quill sign-and-notarize "{{ .Path }}" -vv || true env: - - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log + - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log - id: windows main: ./apps/cnquery/cnquery.go binary: cnquery @@ -60,7 +66,7 @@ builds: output: true env: - TARGET={{ .Target }} - - ./scripts/sign-windows-executable.sh '{{ .Path }}' + - cmd: jsign --storetype DIGICERTONE --alias "{{ .Env.SM_CERT_ALIAS }}" --storepass "{{ .Env.SM_API_KEY }}|{{ .Env.SM_CLIENT_CERT_FILE}}|{{ .Env.SM_CLIENT_CERT_PASSWORD }}" --tsaurl "http://timestamp.digicert.com" '{{ .Path }}' nfpms: - maintainer: Mondoo
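Review bot: `rm -f ${CERT_PATH}` in the new Cleanup step removes nothing, because `CERT_PATH` was a shell variable local to the earlier "Configure DigiCert Signing Variables" step and was never written to `$GITHUB_ENV`; the only name that carries the path across steps is `SM_CLIENT_CERT_FILE`, so the decoded client certificate stays on the runner after the job. Use the exported variable, quoted, and the block-scalar form the other steps use: `run: |` followed by `rm -f "${SM_CLIENT_CERT_FILE}"`. The plain-scalar `run:` parses today, but `|` keeps the script readable if a second command is ever added.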
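Review bot: Appending `|| true` to the quill sign-and-notarize hook turns a failed macOS signature or notarization into a successful build, so an unsigned or un-notarized darwin binary can be packaged and published, and the workflow's new "Output Quill Logs" step never runs for that case because it is gated on `failure()`. Keep the hook failing (`- cmd: /tmp/quill sign-and-notarize "{{ .Path }}" -vv`); if notarization flakiness is the motivation, make the soft-fail explicit with a later step that inspects `/tmp/quill-*.log` and fails the job before the publish step rather than silently continuing. The `QUILL_LOG_FILE` change in the same hunk is whitespace only.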
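Review bot: The new jsign hook places `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` into the `--storepass` argument, so the composite credential sits on the process command line, visible in the runner's process list and in any hook command output goreleaser echoes for this step. jsign can read password values from the environment or a file (an `env:`/`file:` prefix on the value, if I recall the CLI correctly — confirm against the installed jsign version); if so, assemble the `apikey|certfile|password` string into one exported variable in the workflow and pass `--storepass env:<name of that variable>` instead of interpolating the pieces. The hook also assumes `jsign` is on `PATH`, while the workflow step that installs it is commented out, so the Windows build will fail on a runner without it. Nit: `{{ .Env.SM_CLIENT_CERT_FILE}}` lacks the space before `}}` that the neighbouring templates have.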