diff --git a/.github/steps/sign-macos-package/action.yml b/.github/steps/sign-macos-package/action.yml index 8c8318c22e7..f3dba6211cf 100644 --- a/.github/steps/sign-macos-package/action.yml +++ b/.github/steps/sign-macos-package/action.yml @@ -58,17 +58,25 @@ runs: rm "$CERTIFICATE_PATH" echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV + # Extract the signing identity from the keychain (use SHA-1 hash for reliability) + SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}') + if [[ -z "$SIGNING_IDENTITY" ]]; then + echo "Error: No Developer ID Application identity found in keychain" + exit 1 + fi + echo "Found signing identity: $SIGNING_IDENTITY" + echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> $GITHUB_ENV + - name: Code Sign Standalone binary shell: bash run: | chmod +x "$BINARY_PATH" # Sign the binary and verify - codesign --sign "$DEVELOPER_ID" --timestamp --options runtime --deep --force "$BINARY_PATH" - + codesign --sign "$SIGNING_IDENTITY" --timestamp --options runtime --deep --force "$BINARY_PATH" + # Verify signature codesign --verify --deep --strict --verbose=2 "$BINARY_PATH" - codesign -dv --verbose=4 "$BINARY_PATH" echo "Binary signed successfully" - name: Create archive and submit for Notarization diff --git a/.github/steps/sign-windows-package/action.yml b/.github/steps/sign-windows-package/action.yml new file mode 100644 index 00000000000..901c2d2e3c3 --- /dev/null +++ b/.github/steps/sign-windows-package/action.yml @@ -0,0 +1,82 @@ +name: Sign Windows package +description: Sign Windows executable using Azure Trusted Signing +inputs: + azure_tenant_id: + description: 'Azure AD tenant ID' + required: true + azure_client_id: + description: 'Azure AD application (client) ID' + required: true + azure_client_secret: + description: 'Azure AD client secret' + required: true + signing_endpoint: + description: 'Azure Trusted Signing endpoint URL' + required: true + code_signing_account_name: + description: 'Azure Trusted Signing account name' + required: true + certificate_profile_name: + description: 'Certificate profile name' + required: true + binary_path: + description: 'Path to the Windows binary to sign' + required: true + +runs: + using: "composite" + steps: + - name: Setup and export all needed vars + shell: pwsh + run: | + $BinaryPath = "${{ github.workspace }}/${{ inputs.binary_path }}" + if (-not (Test-Path $BinaryPath)) { + Write-Error "Binary not found at: $BinaryPath" + exit 1 + } + Write-Host "Binary to sign: $BinaryPath" + echo "BINARY_PATH=$BinaryPath" >> $env:GITHUB_ENV + + - name: Sign Windows Executable + uses: azure/trusted-signing-action@v0.5.0 + with: + azure-tenant-id: ${{ inputs.azure_tenant_id }} + azure-client-id: ${{ inputs.azure_client_id }} + azure-client-secret: ${{ inputs.azure_client_secret }} + endpoint: ${{ inputs.signing_endpoint }} + trusted-signing-account-name: ${{ inputs.code_signing_account_name }} + certificate-profile-name: ${{ inputs.certificate_profile_name }} + files: ${{ github.workspace }}/${{ inputs.binary_path }} + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + + - name: Verify Signature + shell: pwsh + run: | + $BinaryPath = "${{ github.workspace }}/${{ inputs.binary_path }}" + Write-Host "Verifying signature for: $BinaryPath" + + $sig = Get-AuthenticodeSignature -FilePath $BinaryPath + Write-Host " Status: $($sig.Status)" + Write-Host " Status Message: $($sig.StatusMessage)" + + if ($sig.SignerCertificate) { + Write-Host " Signer: $($sig.SignerCertificate.Subject)" + Write-Host " Issuer: $($sig.SignerCertificate.Issuer)" + Write-Host " Thumbprint: $($sig.SignerCertificate.Thumbprint)" + } + + if ($sig.TimeStamperCertificate) { + Write-Host " Timestamped: Yes" + Write-Host " Timestamp Authority: $($sig.TimeStamperCertificate.Subject)" + } + + if ($sig.Status -ne "Valid") { + Write-Error "Signature verification failed for $BinaryPath" + Write-Error "Status: $($sig.Status)" + Write-Error "Message: $($sig.StatusMessage)" + exit 1 + } + + Write-Host "Signature verified successfully!" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e1768360fbd..58fed8fc651 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: matrix: include: - name: "macOS x86-64" - os: macos-13 + os: macos-15-intel os_arch: x86-64 cmake_arch: x86_64 artifact_name: osquery-macos-x64 @@ -256,6 +256,17 @@ jobs: cd build cmake --build . --config RelWithDebInfo -j10 + - name: Sign Windows package + uses: ./.github/steps/sign-windows-package + with: + azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} + azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} + azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} + signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }} + code_signing_account_name: ${{ secrets.AZURE_CODE_SIGNING_ACCOUNT_NAME }} + certificate_profile_name: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }} + binary_path: build/osquery/RelWithDebInfo/${{ env.BINARY_NAME }}.exe + - name: Upload Windows OSQuery artifact if: runner.os == 'Windows' uses: actions/upload-artifact@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 07859a0ec0f..340a1961626 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -44,7 +44,7 @@ jobs: matrix: include: - name: "macOS x86-64" - os: macos-13 + os: macos-15-intel os_arch: x86-64 cmake_arch: x86_64 artifact_name: osquery-macos-x64