Unverified Commit 80de329c authored by Bohdan Parkhomchuk's avatar Bohdan Parkhomchuk 💬

ci(windows): code-sign orbit.exe

parent 71ebb743
+5 −1
@@ -125,12 +125,17 @@ local-cli-code-sign:
  needs:
    - local-cli-build-darwin-amd64
    - local-cli-build-darwin-arm64
    - local-cli-build-windows-amd64
  before_script:
    - apt-get update -qq && apt-get install -y -qq --no-install-recommends zip unzip
  script:
    - ./scripts/sign-and-repackage.sh ./orbit-local-darwin-x86_64.tar.gz macos orbit
    - ./scripts/sign-and-repackage.sh ./orbit-local-darwin-aarch64.tar.gz macos orbit
    - ./scripts/sign-and-repackage.sh ./orbit-local-windows-x86_64.zip windows orbit.exe
  artifacts:
    paths:
      - orbit-local-darwin-*.tar.gz
      - orbit-local-windows-*.zip
    expire_in: 7 days

local-cli-publish:
@@ -143,7 +148,6 @@ local-cli-publish:
  needs:
    - local-cli-build-linux-amd64
    - local-cli-build-linux-arm64
    - local-cli-build-windows-amd64
    - local-cli-code-sign
  before_script:
    - apk add --no-cache bash curl coreutils
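Review bot: The new `before_script` line in `local-cli-code-sign` installs `zip` and `unzip` without saying why, and the reason is only discoverable by reading the `.zip` branch of `scripts/sign-and-repackage.sh`; a one-line comment above it, `# zip/unzip: sign-and-repackage.sh needs them to unpack and repack the Windows .zip`, keeps the dependency traceable when the job is next edited. The `apt-get` call also assumes the code-signer image is Debian-based, which nothing in the job states; if that assumption ever changes the job fails at `before_script`, so it is worth recording in the same comment. The `local-cli-code-sign` job header is above the first hunk and `local-cli-publish` continues past the end of this section.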
+30 −8
#!/usr/bin/env bash
set -euo pipefail

# Re-emit a tarball with its inner binary signed via the code-signer image.
# Re-emit an archive with its inner binary signed via the code-signer image.
# Must run inside the gitlab-com/gl-infra/common-ci-tasks-images/code-signer
# image, with .google-oidc:auth already attached.
# image, with .google-oidc:auth already attached. For .zip archives the
# environment must also provide `unzip` and `zip`.
#
# Usage: scripts/sign-and-repackage.sh <tarball> <platform> <binary>
# Usage: scripts/sign-and-repackage.sh <archive> <platform> <binary>
# Platforms: macos, windows
# Archives:  .tar.gz/.tgz, .zip

if [ $# -ne 3 ]; then
    echo "Usage: $0 <tarball> <platform> <binary>" >&2
    echo "Usage: $0 <archive> <platform> <binary>" >&2
    exit 1
fi

tarball=$1
archive=$1
platform=$2
binary=$3

@@ -23,12 +25,32 @@ case "$platform" in
    *) echo "unsupported platform: $platform" >&2; exit 1 ;;
esac

archive_abs=$(readlink -f "$archive")
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

tar -xzvf "$tarball" -C "$work"
case "$archive" in
    *.zip)
        unzip -q "$archive_abs" -d "$work"
        ;;
    *.tar.gz|*.tgz)
        tar -xzvf "$archive_abs" -C "$work"
        ;;
    *)
        echo "unsupported archive: $archive" >&2; exit 1 ;;
esac

"$signer" "$work/$binary"
rm -f "$work/${binary}.unsigned"
tar -czvf "$tarball" -C "$work" .

echo "signed and repacked $tarball"
case "$archive" in
    *.zip)
        rm -f "$archive_abs"
        (cd "$work" && zip -qr "$archive_abs" .)
        ;;
    *)
        tar -czvf "$archive_abs" -C "$work" .
        ;;
esac

echo "signed and repacked $archive"
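Review bot: In the repack `case`, the `*.zip` arm runs `rm -f "$archive_abs"` before `zip` has produced a replacement, so a `zip` failure leaves the job with neither the unsigned input nor a signed output, and the `tar -czvf "$archive_abs"` arm likewise truncates the archive in place before it is fully rewritten. Writing to a sibling temp name and renaming only on success keeps the input intact until a complete signed archive exists: `out="${archive_abs}.tmp"` then `(cd "$work" && zip -qr "$out" .) && mv -f -- "$out" "$archive_abs"`, with the tar arm changed the same way (`tar -czvf "$out" -C "$work" . && mv -f -- "$out" "$archive_abs"`). Note also that `zip -r` follows symlinks while `tar` preserves them, so if the Windows archive could ever contain one, `-y` is needed for the repacked `.zip` to be equivalent to its input; I cannot tell from this hunk whether that applies. The `case "$platform"` block that sets `$signer` begins before this hunk.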