Sign Windows runner binary executables

What does this MR do?

This signs the Windows runner and helper binaries:

```mermaid
sequenceDiagram
    participant CI as GitLab CI Job
    participant OIDC as GitLab OIDC Provider
    participant GCP as GCP STS/IAM
    participant Project as gitlab-runner-signing Project
    participant HSM as GCP HSM
    participant Binary as Windows Binary

    CI->>OIDC: Request OIDC JWT token
    OIDC-->>CI: Return JWT token with job claims

    CI->>GCP: Exchange JWT for GCP access token<br/>(sts.googleapis.com)
    GCP-->>CI: GCP access token

    CI->>Project: Impersonate service account using token
    Project-->>CI: Service account credentials

    CI->>Binary: Create binary

    CI->>HSM: Sign binary using HSM key via Google PKCS11 library<br/>(key never leaves HSM)
    HSM-->>CI: Return signature

    CI->>Binary: Apply signature to binary
```

Why was this MR needed?

Customers have been asking for signed Windows runner binaries for a while.

What's the best way to test this MR?

  1. Download the CI artifacts from the binaries job in the build stage.
  2. Extract the artifact file to a directory.
  3. In the File Explorer, locate the .exe file, right-click and select Properties.
  4. Click on the Digital Signatures tab. You should see something like:

(screenshot of the Digital Signatures tab)
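The File Explorer check above can also be scripted, which is useful when verifying every binary in the artifact or when running the check in a pipeline. The following PowerShell is an added example, not part of the MR: it assumes the artifact was extracted to `$ArtifactDir`, and `$ExpectedThumbprint` is a placeholder for the thumbprint of the signing certificate (the MR does not list it), so the check fails until you supply the real value.

```powershell
# Added example (not part of the MR): scripted Authenticode check of the
# extracted Windows runner binaries. $ExpectedThumbprint is a placeholder;
# replace it with the SHA-1 thumbprint of the certificate the HSM key belongs to.
param(
    [string]$ArtifactDir = ".\out\binaries",
    [string]$ExpectedThumbprint = "<EXPECTED-SIGNING-CERT-THUMBPRINT>"
)

$failures = 0
Get-ChildItem -Path $ArtifactDir -Recurse -Include *.exe | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # 'Valid' means the file hash matches the signature AND the chain is
    # trusted on this machine. 'NotTrusted'/'UnknownError' usually points at a
    # missing root on the verifying host rather than a modified binary, which
    # is why the signer thumbprint is pinned as a second, machine-independent check.
    $status      = $sig.Status
    $subject     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $thumb       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    # A countersignature timestamp keeps the signature valid after the
    # signing certificate itself expires; its absence is worth flagging.
    $timestamped = $null -ne $sig.TimeStamperCertificate

    $ok = ($status -eq 'Valid') -and ($thumb -eq $ExpectedThumbprint) -and $timestamped
    if (-not $ok) { $failures++ }

    [pscustomobject]@{
        File        = $_.Name
        Status      = $status
        Signer      = $subject
        Thumbprint  = $thumb
        Timestamped = $timestamped
        Pass        = $ok
    }
} | Format-Table -AutoSize

if ($failures -gt 0) {
    Write-Error "$failures binary/binaries failed the signature check"
    exit 1
}
```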

What are the relevant issue numbers?

Relates to https://gitlab.com/gitlab-org/gitlab-runner/-/issues/38319

Edited by Stan Hu
