From 5dbad75ee6827e7ea592790fca19c1a8fae2200c Mon Sep 17 00:00:00 2001 From: Xiujiao Gao Date: Tue, 24 Oct 2017 17:57:00 -0400 Subject: [PATCH] use S&W code signing cert to sign binaries before they go out --- ci/pipeline.yml | 3 +++ ci/scripts/shipit | 11 +++++++++++ ci/settings.yml | 5 +++++ 3 files changed, 19 insertions(+) diff --git a/ci/pipeline.yml b/ci/pipeline.yml index 9b3612a..fbf666e 100644 --- a/ci/pipeline.yml +++ b/ci/pipeline.yml @@ -263,6 +263,9 @@ jobs: CMD_PKG: (( grab meta.go.cmd_module )) STATIC_BINARY: (( grab meta.go.force_static_binary )) TARGETS: (( grab meta.shipit.targets )) + KEY_PASS: (( grab meta.csc.key_pass )) + STORE_PASS: (( grab meta.csc.store_pass )) + JKS: (( grab meta.csc.jks )) - name: version put: version params: { bump: final } diff --git a/ci/scripts/shipit b/ci/scripts/shipit index 97db40e..f87cf48 100755 --- a/ci/scripts/shipit +++ b/ci/scripts/shipit @@ -61,6 +61,17 @@ gox -osarch="${TARGETS}" --output="artifacts/${BINARY}-{{.OS}}-{{.Arch}}" -ldfla go build -o "${BINARY}" -ldflags="-X main.Version=${VERSION}" ${CMD_PKG:-.} ./${BINARY} -v +(apt-get update && apt-get install -y openjdk-8-jdk) &>/dev/null + +pushd artifacts +for file in * +do + zip -m ${file}.zip ${file} + jarsigner -tsa http://timestamp.digicert.com -keystore "${JKS}" -storepass "${STORE_PASS}" -keypass "${KEY_PASS}" ${file}.zip "key from www.digicert.com" + zip -d ${file}.zip 'META-INF/*' > /dev/null 2>&1 +done +popd + ls artifacts/* | xargs -L1 sha1sum popd diff --git a/ci/settings.yml b/ci/settings.yml index 3e42b93..674311d 100644 --- a/ci/settings.yml +++ b/ci/settings.yml @@ -14,6 +14,11 @@ meta: access_key: (( vault "secret/aws/cfcommunity:access" )) secret_key: (( vault "secret/aws/cfcommunity:secret" )) + csc: + key_pass: (( vault "secret/csc:key_pass" )) + store_pass: (( vault "secret/csc:store_pass" )) + jks: (( vault "secret/csc:jks" )) + github: owner: cloudfoundry-community repo: cf-plugin-open
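Review bot: The new `JKS` param added next to `KEY_PASS` and `STORE_PASS` does not say whether it holds a keystore path or the keystore contents, and ci/scripts/shipit passes it straight to `jarsigner -keystore`, which expects a file path or URL. If the Vault entry stores the keystore itself (for example base64-encoded), the task must decode it to a file with restrictive permissions before signing. If it stores a path, nothing visible in this patch places that file in the task container. A comment above the three params would settle it, e.g. `# JKS: <keystore path inside the task | base64 keystore content>; code-signing secrets, keep out of task logs`. The job definition starts and ends outside the hunk.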
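Review bot: The `zip -d ${file}.zip 'META-INF/*'` line at the end of the loop deletes the entries jarsigner has just written, because the signature (MANIFEST.MF plus the .SF and signature-block files) lives under META-INF/ inside the archive, so as written the zips in artifacts/ appear to ship with no signature. Dropping that line and adding a `jarsigner -verify "${file}.zip"` check after signing would confirm the signature is still present before release. The jarsigner call also puts both passwords on the command line, where they show up in the process list and in any shell trace; `-storepass:env STORE_PASS -keypass:env KEY_PASS` reads them from the environment instead. The `&>/dev/null` on the apt-get line and `> /dev/null 2>&1` on `zip -d` hide failures, and whether the script runs under `set -e` is outside the hunk, so a failed install or signing step may go unnoticed.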