Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions .github/steps/sign-macos-package/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,17 +58,25 @@ runs:
rm "$CERTIFICATE_PATH"
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV

# Extract the signing identity from the keychain (use SHA-1 hash for reliability)
SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
if [[ -z "$SIGNING_IDENTITY" ]]; then
echo "Error: No Developer ID Application identity found in keychain"
exit 1
fi
echo "Found signing identity: $SIGNING_IDENTITY"
echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> $GITHUB_ENV

- name: Code Sign Standalone binary
shell: bash
run: |
chmod +x "$BINARY_PATH"

# Sign the binary and verify
codesign --sign "$DEVELOPER_ID" --timestamp --options runtime --deep --force "$BINARY_PATH"
codesign --sign "$SIGNING_IDENTITY" --timestamp --options runtime --deep --force "$BINARY_PATH"

# Verify signature
codesign --verify --deep --strict --verbose=2 "$BINARY_PATH"
codesign -dv --verbose=4 "$BINARY_PATH"
echo "Binary signed successfully"

- name: Create archive and submit for Notarization
Expand Down
82 changes: 82 additions & 0 deletions .github/steps/sign-windows-package/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
name: Sign Windows package
description: Sign Windows executable using Azure Trusted Signing
inputs:
azure_tenant_id:
description: 'Azure AD tenant ID'
required: true
azure_client_id:
description: 'Azure AD application (client) ID'
required: true
azure_client_secret:
description: 'Azure AD client secret'
required: true
signing_endpoint:
description: 'Azure Trusted Signing endpoint URL'
required: true
code_signing_account_name:
description: 'Azure Trusted Signing account name'
required: true
certificate_profile_name:
description: 'Certificate profile name'
required: true
binary_path:
description: 'Path to the Windows binary to sign'
required: true

runs:
using: "composite"
steps:
- name: Setup and export all needed vars
shell: pwsh
run: |
$BinaryPath = "${{ github.workspace }}/${{ inputs.binary_path }}"
if (-not (Test-Path $BinaryPath)) {
Write-Error "Binary not found at: $BinaryPath"
exit 1
}
Write-Host "Binary to sign: $BinaryPath"
echo "BINARY_PATH=$BinaryPath" >> $env:GITHUB_ENV

- name: Sign Windows Executable
uses: azure/trusted-signing-action@v0.5.0
with:
azure-tenant-id: ${{ inputs.azure_tenant_id }}
azure-client-id: ${{ inputs.azure_client_id }}
azure-client-secret: ${{ inputs.azure_client_secret }}
endpoint: ${{ inputs.signing_endpoint }}
trusted-signing-account-name: ${{ inputs.code_signing_account_name }}
certificate-profile-name: ${{ inputs.certificate_profile_name }}
files: ${{ github.workspace }}/${{ inputs.binary_path }}
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256

- name: Verify Signature
shell: pwsh
run: |
$BinaryPath = "${{ github.workspace }}/${{ inputs.binary_path }}"
Write-Host "Verifying signature for: $BinaryPath"

$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
Write-Host " Status: $($sig.Status)"
Write-Host " Status Message: $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
Write-Host " Signer: $($sig.SignerCertificate.Subject)"
Write-Host " Issuer: $($sig.SignerCertificate.Issuer)"
Write-Host " Thumbprint: $($sig.SignerCertificate.Thumbprint)"
}

if ($sig.TimeStamperCertificate) {
Write-Host " Timestamped: Yes"
Write-Host " Timestamp Authority: $($sig.TimeStamperCertificate.Subject)"
}

if ($sig.Status -ne "Valid") {
Write-Error "Signature verification failed for $BinaryPath"
Write-Error "Status: $($sig.Status)"
Write-Error "Message: $($sig.StatusMessage)"
exit 1
}

Write-Host "Signature verified successfully!"
13 changes: 12 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ jobs:
matrix:
include:
- name: "macOS x86-64"
os: macos-13
os: macos-15-intel
os_arch: x86-64
cmake_arch: x86_64
artifact_name: osquery-macos-x64
Expand Down Expand Up @@ -256,6 +256,17 @@ jobs:
cd build
cmake --build . --config RelWithDebInfo -j10

- name: Sign Windows package
uses: ./.github/steps/sign-windows-package
with:
azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }}
code_signing_account_name: ${{ secrets.AZURE_CODE_SIGNING_ACCOUNT_NAME }}
certificate_profile_name: ${{ secrets.AZURE_CERTIFICATE_PROFILE_NAME }}
binary_path: build/osquery/RelWithDebInfo/${{ env.BINARY_NAME }}.exe

- name: Upload Windows OSQuery artifact
if: runner.os == 'Windows'
uses: actions/upload-artifact@v4
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
matrix:
include:
- name: "macOS x86-64"
os: macos-13
os: macos-15-intel
os_arch: x86-64
cmake_arch: x86_64
artifact_name: osquery-macos-x64
Expand Down
Loading