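/// <summary>
/// Authenticode-signs every Octopus-authored executable and library in
/// <paramref name="outputDirectory"/> that does not already carry a signature.
/// Two signing back-ends are supported: Azure Key Vault (AzureSignTool, used when any
/// of the Azure parameters is supplied) or a local certificate file (signtool, Windows only).
/// Whether a timestamp is applied is decided inside the respective Sign* helper, not here.
/// </summary>
/// <param name="outputDirectory">Directory that is scanned (via <c>GetFilesFromDirectory</c>) for binaries to sign.</param>
/// <param name="azureKeyVaultUrl">Key Vault URL; part of the Azure parameter set.</param>
/// <param name="azureKeyVaultAppId">Application (client) id used to authenticate to Key Vault.</param>
/// <param name="azureKeyVaultAppSecret">Application secret; treated as a credential and never logged or echoed.</param>
/// <param name="azureKeyVaultTenantId">Tenant id used to authenticate to Key Vault.</param>
/// <param name="azureKeyVaultCertificateName">Name of the signing certificate inside Key Vault.</param>
/// <param name="signingCertificatePath">Path to a local code-signing certificate; used only when no Azure parameter is set.</param>
/// <param name="signingCertificatePassword">Password for <paramref name="signingCertificatePath"/>.</param>
/// <exception cref="InvalidOperationException">
/// Thrown when neither back-end is fully configured, when the Azure parameter set is only
/// partially supplied, or when local-certificate signing is requested on a non-Windows host.
/// </exception>
public static void SignAndTimestampBinaries(
    string outputDirectory,
    string? azureKeyVaultUrl,
    string? azureKeyVaultAppId,
    string? azureKeyVaultAppSecret,
    string? azureKeyVaultTenantId,
    string? azureKeyVaultCertificateName,
    string? signingCertificatePath,
    string? signingCertificatePassword)
{
    Log.Information("Signing binaries in {OutputDirectory}", outputDirectory);

    // Check that any unsigned libraries that Octopus Deploy authors get
    // signed, to play nice with security scanning tools.
    // refer: https://octopusdeploy.slack.com/archives/C0K9DNQG5/p1551655877004400
    // decision re: not signing everything: https://octopusdeploy.slack.com/archives/C0K9DNQG5/p1557938890227100
    var unsignedExecutablesAndLibraries = GetFilesFromDirectory(outputDirectory,
            "Calamari*.exe",
            "Calamari*.dll",
            "Octo*.exe",
            "Octo*.dll")
        .Where(f => !HasAuthenticodeSignature(f))
        .ToArray();

    if (unsignedExecutablesAndLibraries.Length == 0)
    {
        Log.Information("No unsigned binaries to sign in {OutputDirectory}", outputDirectory);
        return;
    }

    // The Azure parameters form one set: either none of them is supplied (local
    // certificate path) or all of them must be. Only parameter *names* are kept
    // here so that a validation error can never leak the app secret.
    var azureParameters = new (string Name, string? Value)[]
    {
        (nameof(azureKeyVaultUrl), azureKeyVaultUrl),
        (nameof(azureKeyVaultAppId), azureKeyVaultAppId),
        (nameof(azureKeyVaultAppSecret), azureKeyVaultAppSecret),
        (nameof(azureKeyVaultTenantId), azureKeyVaultTenantId),
        (nameof(azureKeyVaultCertificateName), azureKeyVaultCertificateName),
    };
    var missingAzureParameters = azureParameters
        .Where(p => string.IsNullOrEmpty(p.Value))
        .Select(p => p.Name)
        .ToArray();

    if (missingAzureParameters.Length == azureParameters.Length)
    {
        // No Azure configuration at all: fall back to the local certificate.
        if (string.IsNullOrEmpty(signingCertificatePath) ||
            string.IsNullOrEmpty(signingCertificatePassword))
            throw new InvalidOperationException("Either Azure Key Vault or Signing " +
                                                "Certificate Parameters must be set");

        // signtool is a Windows-only tool; checked after the parameter validation so
        // a misconfigured build gets the more specific error first.
        if (!OperatingSystem.IsWindows())
            throw new InvalidOperationException("Non-windows builds must either leave binaries " +
                                                "unsigned or sign using the AzureSignTool");

        Log.Information("Signing files using signtool and the self-signed development code signing certificate");
        SignFilesWithSignTool(
            unsignedExecutablesAndLibraries,
            signingCertificatePath,
            signingCertificatePassword);
    }
    else
    {
        // A partially supplied vault configuration used to be forwarded with nulls
        // (via `!`); fail fast with the names of the missing parameters instead.
        if (missingAzureParameters.Length > 0)
            throw new InvalidOperationException("Azure Key Vault signing requires all of the Azure Key Vault " +
                                                "parameters to be set; missing: " +
                                                string.Join(", ", missingAzureParameters));

        Log.Information("Signing files using azuresigntool and the production code signing certificate");
        SignFilesWithAzureSignTool(
            unsignedExecutablesAndLibraries,
            azureKeyVaultUrl!,
            azureKeyVaultAppId!,
            azureKeyVaultAppSecret!,
            azureKeyVaultTenantId!,
            azureKeyVaultCertificateName!);
    }
}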