diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ec84130a8..02892d937 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,7 @@ env: jobs: build: runs-on: windows-2022 + environment: build steps: - uses: actions/checkout@v4 with: @@ -68,6 +69,40 @@ jobs: Get-ChildItem -Path output + - name: Sign build artifacts + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }} + run: | + $ErrorActionPreference = "Stop" + $Version = Get-Content VERSION + + $b64 = $env:CODE_SIGN_KEY + $filename = 'windows_exporter_CodeSign.pfx' + + $bytes = [Convert]::FromBase64String($b64) + [IO.File]::WriteAllBytes($filename, $bytes) + + $basePath = "C:\Program Files (x86)\Windows Kits\10\bin" + $latestSigntool = Get-ChildItem -Path $basePath -Directory | + Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } | + Sort-Object { [Version]$_.Name } -Descending | + Select-Object -First 1 | + ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" } + + if (Test-Path $latestSigntool) { + Write-Output $latestSigntool + } else { + Write-Output "signtool.exe not found" + } + + foreach($Arch in "amd64", "arm64") { + & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe" + } + + rm windows_exporter_CodeSign.pfx + env: + CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }} + CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }} + - name: Build Release Artifacts run: | $ErrorActionPreference = "Stop" 
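Review bot: `environment: build` moves the job behind a GitHub environment, but nothing in the workflow shows what that environment enforces; its value for the signing secrets depends entirely on protection rules (required reviewers, deployment branch restrictions) configured in the repository settings. A comment above the line would make the intent reviewable, e.g. `# 'build' holds CODE_SIGN_KEY/CODE_SIGN_PASSWORD; protection rules live in repo settings`. If the environment has no protection rules, this line restricts nothing compared to repository-level secrets. The build job continues outside this hunk.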
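Review bot: A failed signtool run for amd64 is not detected in the 'Sign build artifacts' step: `$ErrorActionPreference = "Stop"` does not apply to native executables and GitHub's pwsh shell only propagates the `$LASTEXITCODE` of the last command, so a successful arm64 signature masks an amd64 failure, and the `else { Write-Output "signtool.exe not found" }` branch likewise continues into the `&` invocation instead of failing with a clear message. Each loop iteration should check `if ($LASTEXITCODE -ne 0) { throw "signtool failed for $Arch" }`, the not-found case should `throw`, and the `.pfx` materialised from `CODE_SIGN_KEY` should be removed in a `finally` block so a thrown error does not leave the key on disk for later steps. The `||` clause of the `if:` expression is true for every run in this repository, which makes the fork check to its left dead; if this workflow also runs on `pull_request`, a fork PR (which receives empty secrets) would fail here rather than be skipped, so consider `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`. The same applies verbatim to the duplicated 'Sign installer artifacts' step in the next hunk (@@ -83). The enclosing build job starts before this hunk.
```yaml
      - name: Sign build artifacts
        # … unchanged: if: condition …
        run: |
          $ErrorActionPreference = "Stop"
          $Version = Get-Content VERSION
          $filename = 'windows_exporter_CodeSign.pfx'
          [IO.File]::WriteAllBytes($filename, [Convert]::FromBase64String($env:CODE_SIGN_KEY))
          try {
            # … unchanged: locate newest Windows Kits signtool.exe into $latestSigntool …
            if (-not $latestSigntool -or -not (Test-Path $latestSigntool)) {
              throw "signtool.exe not found under $basePath"
            }
            foreach ($Arch in "amd64", "arm64") {
              & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f $filename /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe"
              if ($LASTEXITCODE -ne 0) {
                throw "signtool failed for $Arch (exit code $LASTEXITCODE)"
              }
            }
          } finally {
            # always remove the key material, even when signing threw
            Remove-Item -Force -ErrorAction SilentlyContinue $filename
          }
        # … unchanged: env: CODE_SIGN_KEY / CODE_SIGN_PASSWORD …
```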
@@ -83,6 +118,40 @@ jobs: promu checksum output\ + - name: Sign installer artifacts + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }} + run: | + $ErrorActionPreference = "Stop" + $Version = Get-Content VERSION + + $b64 = $env:CODE_SIGN_KEY + $filename = 'windows_exporter_CodeSign.pfx' + + $bytes = [Convert]::FromBase64String($b64) + [IO.File]::WriteAllBytes($filename, $bytes) + + $basePath = "C:\Program Files (x86)\Windows Kits\10\bin" + $latestSigntool = Get-ChildItem -Path $basePath -Directory | + Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } | + Sort-Object { [Version]$_.Name } -Descending | + Select-Object -First 1 | + ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" } + + if (Test-Path $latestSigntool) { + Write-Output $latestSigntool + } else { + Write-Output "signtool.exe not found" + } + + foreach($Arch in "amd64", "arm64") { + & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.msi" + } + + rm windows_exporter_CodeSign.pfx + env: + CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }} + CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }} + - name: Upload Artifacts uses: actions/upload-artifact@v4 with: @@ -103,6 +172,9 @@ jobs: runs-on: ubuntu-latest needs: - build + env: + DOCKER_BUILD_SUMMARY: false + DOCKER_BUILD_RECORD_UPLOAD: false steps: - uses: actions/checkout@v4 with: @@ -165,3 +237,4 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: windows/amd64 + annotations: ${{ steps.meta.outputs.labels }} diff --git a/README.md b/README.md index d5037e5d5..48d2df800 100644 --- a/README.md +++ b/README.md 
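Review bot: The 'Sign installer artifacts' step repeats the whole signing script of 'Sign build artifacts' verbatim, differing only in the `.msi` suffix of the final path, so any fix made to one copy (exit-code handling, the not-found branch, cleanup of the `.pfx`) can silently drift from the other. The two steps should share one script, either a single step that runs once both artifact sets exist and loops over `"exe", "msi"` as well as the architectures, or a short script file under version control that each step invokes with the extension as a parameter. A comment on the step should then say why it is separate, if it has to stay separate. The enclosing build job starts before this hunk.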
@@ -100,6 +100,9 @@ windows_exporter accepts flags to configure certain behaviours. The ones configu The latest release can be downloaded from the [releases page](https://github.com/prometheus-community/windows_exporter/releases). +All binaries and installation packages are signed with an self-signed certificate. The public key can be found [here](https://github.com/prometheus-community/windows_exporter/blob/master/installer/codesign.cer). +Once import into the trusted root certificate store, the binaries and installation packages will be trusted. + Each release provides a .msi installer. The installer will setup the windows_exporter as a Windows service, as well as create an exception in the Windows Firewall. If the installer is run without any parameters, the exporter will run with default settings for enabled collectors, ports, etc. diff --git a/installer/codesign.cer b/installer/codesign.cer new file mode 100644 index 000000000..bc0e524cc Binary files /dev/null and b/installer/codesign.cer differ