fumiama/terasu-cloudflared
1
0
Fork 0
mirror of https://github.com/fumiama/terasu-cloudflared.git synced 2026-06-07 19:40:30 +08:00
Code Activity

TUN-9863: Introduce Code Signing for Windows Builds

Browse Source 
* TUN-9863: Introduce Code Signing for Windows Builds

This commit adds a signing step to the build script for windows binaries.
Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the windows packages.

To do so, we use azuresigntool which relies on a certificate stored in Azure Vault.

Closes TUN-9863
This commit is contained in:
Gonçalo Garcia
2025-11-06 11:41:21 +00:00
parent a8fdbb83d0
commit eedbcf46d4
4 changed files with 77 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.ci/scripts/windows/builds.ps1
View File

@@ -4,6 +4,7 @@ $ProgressPreference = "SilentlyContinue"
$env:TARGET_OS = "windows"
$env:LOCAL_OS = "windows"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
New-Item -Path ".\artifacts" -ItemType Directory
@@ -13,6 +14,8 @@ $env:LOCAL_ARCH = "amd64"
$env:CGO_ENABLED = 1
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
# Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
Write-Output "Building for 386"
@@ -21,4 +24,6 @@ $env:LOCAL_ARCH = "386"
$env:CGO_ENABLED = 0
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
## Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe

26
.ci/scripts/windows/sign-msi.ps1 Normal file
View File

@@ -0,0 +1,26 @@
# Sign Windows artifacts using azuretool
# This script processes MSI files from the artifacts directory
$ErrorActionPreference = "Stop"
# Define paths
$ARTIFACT_DIR = "artifacts"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
# Find all Windows MSI files
$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
if ($msiFiles.Count -eq 0) {
Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
exit 1
}
Write-Host "Found $($msiFiles.Count) file(s) to sign:"
foreach ($file in $msiFiles) {
Write-Host "Running azuretool sign for $($file.Name)"
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
}
Write-Host "Signing process completed"