feat: sign binaries (#1875)

Signed-off-by: Jan-Otto Kröpke <[email protected]>

.github/workflows/release.yml

@@ -22,6 +22,7 @@ env:
 jobs:
   build:
     runs-on: windows-2022
+    environment: build
     steps:
       - uses: actions/checkout@v4
         with:
@@ -68,6 +69,40 @@ jobs:
 
           Get-ChildItem -Path output
 
+      - name: Sign build artifacts
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          $Version = Get-Content VERSION
+
+          $b64      = $env:CODE_SIGN_KEY
+          $filename = 'windows_exporter_CodeSign.pfx'
+
+          $bytes = [Convert]::FromBase64String($b64)
+          [IO.File]::WriteAllBytes($filename, $bytes)
+
+          $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+          $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+          Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+          Sort-Object { [Version]$_.Name } -Descending |
+          Select-Object -First 1 |
+          ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+          if (Test-Path $latestSigntool) {
+            Write-Output $latestSigntool
+          } else {
+            Write-Output "signtool.exe not found"
+          }
+
+          foreach($Arch in "amd64", "arm64") {
+            & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe"
+          }
+
+          rm windows_exporter_CodeSign.pfx
+        env:
+          CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+          CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
       - name: Build Release Artifacts
         run: |
           $ErrorActionPreference = "Stop"
@@ -83,6 +118,40 @@ jobs:
 
           promu checksum output\
 
+      - name: Sign installer artifacts
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+        run: |
+          $ErrorActionPreference = "Stop"
+          $Version = Get-Content VERSION
+
+          $b64      = $env:CODE_SIGN_KEY
+          $filename = 'windows_exporter_CodeSign.pfx'
+
+          $bytes = [Convert]::FromBase64String($b64)
+          [IO.File]::WriteAllBytes($filename, $bytes)
+
+          $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+          $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+          Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+          Sort-Object { [Version]$_.Name } -Descending |
+          Select-Object -First 1 |
+          ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+          if (Test-Path $latestSigntool) {
+            Write-Output $latestSigntool
+          } else {
+            Write-Output "signtool.exe not found"
+          }
+
+          foreach($Arch in "amd64", "arm64") {
+            & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.msi"
+          }
+
+          rm windows_exporter_CodeSign.pfx
+        env:
+          CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+          CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -103,6 +172,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build
+    env:
+      DOCKER_BUILD_SUMMARY: false
+      DOCKER_BUILD_RECORD_UPLOAD: false
     steps:
       - uses: actions/checkout@v4
         with:
@@ -165,3 +237,4 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: windows/amd64
+          annotations: ${{ steps.meta.outputs.labels }}

README.md

@@ -100,6 +100,9 @@ windows_exporter accepts flags to configure certain behaviours. The ones configu
 
 The latest release can be downloaded from the [releases page](https://github.com/prometheus-community/windows_exporter/releases).
 
+All binaries and installation packages are signed with an self-signed certificate. The public key can be found [here](https://github.com/prometheus-community/windows_exporter/blob/master/installer/codesign.cer).
+Once import into the trusted root certificate store, the binaries and installation packages will be trusted.
+
 Each release provides a .msi installer. The installer will setup the windows_exporter as a Windows service, as well as create an exception in the Windows Firewall.
 
 If the installer is run without any parameters, the exporter will run with default settings for enabled collectors, ports, etc.