From a21fac8bb74284ea4651acb4fd01396c80172c4c Mon Sep 17 00:00:00 2001
From: Daniel Bradley
Date: Fri, 13 Dec 2024 16:14:45 +0000
Subject: [PATCH 1/3] Sign windows binaries via makefile
Move the logic for signing windows binaries into the makefile from the CI scripts. This allows testing with signed binaries locally.
- Fail with error if running in CI so we don't release unsigned binaries.
- Add inline documentation explaining how to fix the missing configuration.
---
 .../.github/workflows/build_provider.yml | 24 +++----------
 .../pkg/templates/bridged-provider/Makefile | 35 +++++++++++++++++++
 .../acme/.github/workflows/build_provider.yml | 24 +++----------
 provider-ci/test-providers/acme/Makefile | 35 +++++++++++++++++++
 .../aws/.github/workflows/build_provider.yml | 24 +++----------
 provider-ci/test-providers/aws/Makefile | 35 +++++++++++++++++++
 .../.github/workflows/build_provider.yml | 24 +++----------
 .../test-providers/cloudflare/Makefile | 35 +++++++++++++++++++
 .../.github/workflows/build_provider.yml | 24 +++----------
 provider-ci/test-providers/docker/Makefile | 35 +++++++++++++++++++
 10 files changed, 200 insertions(+), 95 deletions(-)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
index 0b2ca66b5..820aa7b8b 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
@@ -15,7 +15,6 @@ jobs:
 env:
 PROVIDER_VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
 strategy:
 fail-fast: true
 matrix:
@@ -67,24 +66,11 @@ jobs:
 - name: Build provider
 run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
- - name: Sign windows provider
- if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
- run: |
- az login --service-principal \
- -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
- -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
- -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
- -o none;
-
- wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
- java -jar jsign-6.0.jar \
- --storetype AZUREKEYVAULT \
- --keystore "PulumiCodeSigning" \
- --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
- --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
- bin/windows-amd64/pulumi-resource-#{{ .Config.Provider }}#.exe;
+ env:
+ AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+ AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+ AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+ AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/Makefile b/provider-ci/internal/pkg/templates/bridged-provider/Makefile
index 26440f429..94a9e1c49 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/Makefile
+++ b/provider-ci/internal/pkg/templates/bridged-provider/Makefile
@@ -342,6 +342,12 @@ debug_tfgen:
 # Provider cross-platform build & packaging
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
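Review bot: The `env:` block added to the `Build provider` step hands all four `AZURE_SIGNING_*` secrets to every entry of the platform matrix, although only the windows-amd64 build can use them; the step it replaces was limited to windows by its `if:` guard. Scoping them back keeps the signing credential out of the linux and darwin build processes, e.g. `AZURE_SIGNING_CLIENT_SECRET: ${{ matrix.platform.os == 'windows' && secrets.AZURE_SIGNING_CLIENT_SECRET || '' }}` for each of the four entries. The same env block is repeated in the acme, aws, cloudflare and docker workflows below, presumably generated from this template, and the same note applies there.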
@@ -358,6 +364,35 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 export CGO_ENABLED=0 && \
 go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
+ @# Only sign windows binary if fully configured.
+ @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+ @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+ set -e; \
+ if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+ if [[ ${CI} == "true" ]]; then exit 1; fi; \
+ else \
+ mv $@ $@.unsigned; \
+ az login --service-principal \
+ --username "${AZURE_SIGNING_CLIENT_ID}" \
+ --password "${AZURE_SIGNING_CLIENT_SECRET}" \
+ --tenant "${AZURE_SIGNING_TENANT_ID}" \
+ --output none; \
+ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \
+ java -jar bin/jsign-6.0.jar \
+ --storetype AZUREKEYVAULT \
+ --keystore "PulumiCodeSigning" \
+ --url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+ --storepass "$${ACCESS_TOKEN}" \
+ $@.unsigned; \
+ mv $@.unsigned $@; \
+ az logout; \
+ fi; \
+ fi
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
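Review bot: The `set -e; \` recipe line is not `@`-prefixed, so make echoes the whole expanded command before running it and the expanded `--password "${AZURE_SIGNING_CLIENT_SECRET}"` (plus client id, tenant and vault URI) ends up in the build log; GitHub masks exact secret values, but a local `make` prints them in clear, so the line should read `@set -e; \`. The jsign jar is downloaded at build time and passed straight to `java -jar` with no integrity check, which ties the trustworthiness of every signed release to that download; pin the expected digest and verify it after the `wget` line, e.g. `echo "<JSIGN_6_0_SHA256>  bin/jsign-6.0.jar" | sha256sum --check -; \` (placeholder to be replaced with the published checksum for the 6.0 release). Because of `set -e`, a failing `java -jar` also skips `az logout` and leaves the service-principal session cached on the machine; a `trap 'az logout' EXIT; \` placed right after the login would close it on every path. The `[[ … ]]` tests assume bash, which the rule (its header and `SHELL` setting are outside this hunk) must guarantee. The same recipe is repeated in the acme, aws, cloudflare and docker Makefiles below, presumably generated from this template, and the same notes apply there.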
diff --git a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
index f87b06557..85bb2d58a 100644
--- a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
@@ -15,7 +15,6 @@ jobs:
 env:
 PROVIDER_VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
 strategy:
 fail-fast: true
 matrix:
@@ -54,24 +53,11 @@ jobs:
 - name: Build provider
 run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
- - name: Sign windows provider
- if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
- run: |
- az login --service-principal \
- -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
- -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
- -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
- -o none;
-
- wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
- java -jar jsign-6.0.jar \
- --storetype AZUREKEYVAULT \
- --keystore "PulumiCodeSigning" \
- --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
- --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
- bin/windows-amd64/pulumi-resource-acme.exe;
+ env:
+ AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+ AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+ AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+ AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/acme/Makefile b/provider-ci/test-providers/acme/Makefile
index 539cf5f5e..6f655e042 100644
--- a/provider-ci/test-providers/acme/Makefile
+++ b/provider-ci/test-providers/acme/Makefile
@@ -300,6 +300,12 @@ debug_tfgen:
 # Provider cross-platform build & packaging
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
@@ -316,6 +322,35 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 export CGO_ENABLED=0 && \
 go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
+ @# Only sign windows binary if fully configured.
+ @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+ @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+ set -e; \
+ if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+ if [[ ${CI} == "true" ]]; then exit 1; fi; \
+ else \
+ mv $@ $@.unsigned; \
+ az login --service-principal \
+ --username "${AZURE_SIGNING_CLIENT_ID}" \
+ --password "${AZURE_SIGNING_CLIENT_SECRET}" \
+ --tenant "${AZURE_SIGNING_TENANT_ID}" \
+ --output none; \
+ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \
+ java -jar bin/jsign-6.0.jar \
+ --storetype AZUREKEYVAULT \
+ --keystore "PulumiCodeSigning" \
+ --url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+ --storepass "$${ACCESS_TOKEN}" \
+ $@.unsigned; \
+ mv $@.unsigned $@; \
+ az logout; \
+ fi; \
+ fi
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
diff --git a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
index 86d042669..77c04f273 100644
--- a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
@@ -15,7 +15,6 @@ jobs:
 env:
 PROVIDER_VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
 strategy:
 fail-fast: true
 matrix:
@@ -63,24 +62,11 @@ jobs:
 - name: Build provider
 run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
- - name: Sign windows provider
- if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
- run: |
- az login --service-principal \
- -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
- -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
- -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
- -o none;
-
- wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
- java -jar jsign-6.0.jar \
- --storetype AZUREKEYVAULT \
- --keystore "PulumiCodeSigning" \
- --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
- --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
- bin/windows-amd64/pulumi-resource-aws.exe;
+ env:
+ AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+ AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+ AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+ AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/aws/Makefile b/provider-ci/test-providers/aws/Makefile
index 2c2b2fddd..b0208592b 100644
--- a/provider-ci/test-providers/aws/Makefile
+++ b/provider-ci/test-providers/aws/Makefile
@@ -314,6 +314,12 @@ debug_tfgen:
 # Provider cross-platform build & packaging
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
@@ -330,6 +336,35 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 export CGO_ENABLED=0 && \
 go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
+ @# Only sign windows binary if fully configured.
+ @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+ @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+ set -e; \
+ if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+ if [[ ${CI} == "true" ]]; then exit 1; fi; \
+ else \
+ mv $@ $@.unsigned; \
+ az login --service-principal \
+ --username "${AZURE_SIGNING_CLIENT_ID}" \
+ --password "${AZURE_SIGNING_CLIENT_SECRET}" \
+ --tenant "${AZURE_SIGNING_TENANT_ID}" \
+ --output none; \
+ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \
+ java -jar bin/jsign-6.0.jar \
+ --storetype AZUREKEYVAULT \
+ --keystore "PulumiCodeSigning" \
+ --url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+ --storepass "$${ACCESS_TOKEN}" \
+ $@.unsigned; \
+ mv $@.unsigned $@; \
+ az logout; \
+ fi; \
+ fi
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
index abb2864c6..af7e1ba70 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
@@ -15,7 +15,6 @@ jobs:
 env:
 PROVIDER_VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
 strategy:
 fail-fast: true
 matrix:
@@ -54,24 +53,11 @@ jobs:
 - name: Build provider
 run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
- - name: Sign windows provider
- if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
- run: |
- az login --service-principal \
- -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
- -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
- -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
- -o none;
-
- wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
- java -jar jsign-6.0.jar \
- --storetype AZUREKEYVAULT \
- --keystore "PulumiCodeSigning" \
- --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
- --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
- bin/windows-amd64/pulumi-resource-cloudflare.exe;
+ env:
+ AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+ AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+ AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+ AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/cloudflare/Makefile b/provider-ci/test-providers/cloudflare/Makefile
index 4f7832d09..f38153d09 100644
--- a/provider-ci/test-providers/cloudflare/Makefile
+++ b/provider-ci/test-providers/cloudflare/Makefile
@@ -310,6 +310,12 @@ debug_tfgen:
 # Provider cross-platform build & packaging
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
@@ -326,6 +332,35 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 export CGO_ENABLED=0 && \
 go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
+ @# Only sign windows binary if fully configured.
+ @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+ @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+ set -e; \
+ if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+ if [[ ${CI} == "true" ]]; then exit 1; fi; \
+ else \
+ mv $@ $@.unsigned; \
+ az login --service-principal \
+ --username "${AZURE_SIGNING_CLIENT_ID}" \
+ --password "${AZURE_SIGNING_CLIENT_SECRET}" \
+ --tenant "${AZURE_SIGNING_TENANT_ID}" \
+ --output none; \
+ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \
+ java -jar bin/jsign-6.0.jar \
+ --storetype AZUREKEYVAULT \
+ --keystore "PulumiCodeSigning" \
+ --url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+ --storepass "$${ACCESS_TOKEN}" \
+ $@.unsigned; \
+ mv $@.unsigned $@; \
+ az logout; \
+ fi; \
+ fi
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
diff --git a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml
index 9bdf2775f..47714038c 100644
--- a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml
@@ -15,7 +15,6 @@ jobs:
 env:
 PROVIDER_VERSION: ${{ inputs.version }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
 strategy:
 fail-fast: true
 matrix:
@@ -54,24 +53,11 @@ jobs:
 - name: Build provider
 run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
- - name: Sign windows provider
- if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
- run: |
- az login --service-principal \
- -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
- -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
- -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
- -o none;
-
- wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
- java -jar jsign-6.0.jar \
- --storetype AZUREKEYVAULT \
- --keystore "PulumiCodeSigning" \
- --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
- --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
- bin/windows-amd64/pulumi-resource-docker.exe;
+ env:
+ AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+ AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+ AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+ AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/docker/Makefile b/provider-ci/test-providers/docker/Makefile
index 0f2c19da8..9a0d30595 100644
--- a/provider-ci/test-providers/docker/Makefile
+++ b/provider-ci/test-providers/docker/Makefile
@@ -313,6 +313,12 @@ debug_tfgen:
 # Provider cross-platform build & packaging
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
@@ -329,6 +335,35 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 export CGO_ENABLED=0 && \
 go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
+ @# Only sign windows binary if fully configured.
+ @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+ @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+ set -e; \
+ if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+ if [[ ${CI} == "true" ]]; then exit 1; fi; \
+ else \
+ mv $@ $@.unsigned; \
+ az login --service-principal \
+ --username "${AZURE_SIGNING_CLIENT_ID}" \
+ --password "${AZURE_SIGNING_CLIENT_SECRET}" \
+ --tenant "${AZURE_SIGNING_TENANT_ID}" \
+ --output none; \
+ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+ wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \
+ java -jar bin/jsign-6.0.jar \
+ --storetype AZUREKEYVAULT \
+ --keystore "PulumiCodeSigning" \
+ --url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+ --storepass "$${ACCESS_TOKEN}" \
+ $@.unsigned; \
+ mv $@.unsigned $@; \
+ az logout; \
+ fi; \
+ fi
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
From 00a23ba1457b10dfc85a8929b7f0b0e82709d2d5 Mon Sep 17 00:00:00 2001
From: Daniel Bradley
Date: Fri, 13 Dec 2024 16:20:24 +0000
Subject: [PATCH 2/3] Allow skipping signing for third party providers
This is implicit based on all configuration being missing.
---
 .../bridged-provider/.github/workflows/build_provider.yml | 1 +
 provider-ci/internal/pkg/templates/bridged-provider/Makefile | 3 ++-
 .../test-providers/acme/.github/workflows/build_provider.yml | 1 +
 provider-ci/test-providers/acme/Makefile | 3 ++-
 .../test-providers/aws/.github/workflows/build_provider.yml | 1 +
 provider-ci/test-providers/aws/Makefile | 3 ++-
 .../cloudflare/.github/workflows/build_provider.yml | 1 +
 provider-ci/test-providers/cloudflare/Makefile | 3 ++-
 .../test-providers/docker/.github/workflows/build_provider.yml | 1 +
 provider-ci/test-providers/docker/Makefile | 3 ++-
 10 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
index 820aa7b8b..1379c0a35 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml
@@ -71,6 +71,7 @@ jobs:
 AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
 AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
 AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+ SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/Makefile b/provider-ci/internal/pkg/templates/bridged-provider/Makefile
index 94a9e1c49..9c5bf857a 100644
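Review bot: `SKIP_SIGNING` is derived solely from all four signing secrets being empty, so a release build whose caller does not pass those secrets into this reusable workflow (the `inputs.version` usage suggests it is invoked via `workflow_call`) now skips signing silently instead of failing, which is the very case the previous commit's CI check was added to catch. If the intent is to skip only for third-party forks, gating on a repository-level signal rather than on secret absence, or at least emitting a visible log line when the bypass is taken, would keep an unintentionally unsigned release from going unnoticed. The same expression is repeated in the acme, aws, cloudflare and docker workflows below.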
--- a/provider-ci/internal/pkg/templates/bridged-provider/Makefile
+++ b/provider-ci/internal/pkg/templates/bridged-provider/Makefile
@@ -347,6 +347,7 @@ AZURE_SIGNING_CLIENT_ID ?=
 AZURE_SIGNING_CLIENT_SECRET ?=
 AZURE_SIGNING_TENANT_ID ?=
 AZURE_SIGNING_KEY_VAULT_URI ?=
+SKIP_SIGNING ?=
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
@@ -368,7 +369,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 set -e; \
- if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \
 if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
 echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
 echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
diff --git a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
index 85bb2d58a..665f27846 100644
--- a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml
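Review bot: The new `SKIP_SIGNING ?=` is placed under the comment `# Set these variables to enable signing of the windows binary` although it does the opposite, and the recipe's `@# Only sign windows binary if fully configured.` line just above the second hunk no longer describes the bypass; a comment next to the declaration such as `# Set SKIP_SIGNING=true to build an unsigned windows binary without failing in CI (third-party builds with no signing credentials)` would keep both in step. When the bypass is taken nothing is printed, so a CI run that shipped an unsigned windows binary looks identical to one that signed it; an `elif [[ "${TARGET}" = "windows-amd64" ]]; then echo "SKIP_SIGNING=true: leaving $@ unsigned"; \` branch before the recipe's closing `fi` (outside this hunk) would make it visible. For consistency with `"${TARGET}"` on the same line, the new test would also read `"${SKIP_SIGNING}" != "true"`. The enclosing recipe starts and ends outside the hunk, and the same two hunks recur in the acme, aws, cloudflare and docker Makefiles below.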
@@ -58,6 +58,7 @@ jobs:
 AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
 AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
 AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+ SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/acme/Makefile b/provider-ci/test-providers/acme/Makefile
index 6f655e042..04f020eeb 100644
--- a/provider-ci/test-providers/acme/Makefile
+++ b/provider-ci/test-providers/acme/Makefile
@@ -305,6 +305,7 @@ AZURE_SIGNING_CLIENT_ID ?=
 AZURE_SIGNING_CLIENT_SECRET ?=
 AZURE_SIGNING_TENANT_ID ?=
 AZURE_SIGNING_KEY_VAULT_URI ?=
+SKIP_SIGNING ?=
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
@@ -326,7 +327,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 set -e; \
- if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \
 if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
 echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
 echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
diff --git a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
index 77c04f273..e834f0916 100644
--- a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml
@@ -67,6 +67,7 @@ jobs:
 AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
 AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
 AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+ SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/aws/Makefile b/provider-ci/test-providers/aws/Makefile
index b0208592b..0244b794c 100644
--- a/provider-ci/test-providers/aws/Makefile
+++ b/provider-ci/test-providers/aws/Makefile
@@ -319,6 +319,7 @@ AZURE_SIGNING_CLIENT_ID ?=
 AZURE_SIGNING_CLIENT_SECRET ?=
 AZURE_SIGNING_TENANT_ID ?=
 AZURE_SIGNING_KEY_VAULT_URI ?=
+SKIP_SIGNING ?=
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
@@ -340,7 +341,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 @# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 set -e; \
- if [[ "${TARGET}" = "windows-amd64" ]]; then \
+ if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \
 if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
 echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
 echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
index af7e1ba70..7b86f4ba4 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml
@@ -58,6 +58,7 @@ jobs:
 AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
 AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
 AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+ SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 - name: Package provider
 run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
diff --git a/provider-ci/test-providers/cloudflare/Makefile b/provider-ci/test-providers/cloudflare/Makefile
index f38153d09..ad8fae111 100644
--- a/provider-ci/test-providers/cloudflare/Makefile
+++ b/provider-ci/test-providers/cloudflare/Makefile
@@ -315,6 +315,7 @@ AZURE_SIGNING_CLIENT_ID ?= AZURE_SIGNING_CLIENT_SECRET ?= AZURE_SIGNING_TENANT_ID ?= AZURE_SIGNING_KEY_VAULT_URI ?= +SKIP_SIGNING ?= # These targets assume that the schema-embed.json exists - it's generated by tfgen. # We disable CGO to ensure that the binary is statically linked. @@ -336,7 +337,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: @# Test variables set by joining with | between and looking for || showing at least one variable is empty. @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. set -e; \ - if [[ "${TARGET}" = "windows-amd64" ]]; then \ + if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ diff --git a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml index 47714038c..081ce8ecf 100644 --- a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml 
@@ -58,6 +58,7 @@ jobs: AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} - name: Package provider run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }} diff --git a/provider-ci/test-providers/docker/Makefile b/provider-ci/test-providers/docker/Makefile index 9a0d30595..aaeae3c2a 100644 --- a/provider-ci/test-providers/docker/Makefile +++ b/provider-ci/test-providers/docker/Makefile @@ -318,6 +318,7 @@ AZURE_SIGNING_CLIENT_ID ?= AZURE_SIGNING_CLIENT_SECRET ?= AZURE_SIGNING_TENANT_ID ?= AZURE_SIGNING_KEY_VAULT_URI ?= +SKIP_SIGNING ?= # These targets assume that the schema-embed.json exists - it's generated by tfgen. # We disable CGO to ensure that the binary is statically linked. @@ -339,7 +340,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: @# Test variables set by joining with | between and looking for || showing at least one variable is empty. @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. set -e; \ - if [[ "${TARGET}" = "windows-amd64" ]]; then \ + if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ From 939161e435a054234e9f53b9cf11c66d21eaca89 Mon Sep 17 00:00:00 2001 
From: Daniel Bradley Date: Fri, 13 Dec 2024 17:16:43 +0000 Subject: [PATCH 3/3] Extract jsign binary to standalone target --- .../internal/pkg/templates/bridged-provider/Makefile | 6 ++++-- provider-ci/test-providers/acme/Makefile | 6 ++++-- provider-ci/test-providers/aws/Makefile | 6 ++++-- provider-ci/test-providers/cloudflare/Makefile | 6 ++++-- provider-ci/test-providers/docker/Makefile | 6 ++++-- 5 files changed, 20 insertions(+), 10 deletions(-) diff --git a/provider-ci/internal/pkg/templates/bridged-provider/Makefile b/provider-ci/internal/pkg/templates/bridged-provider/Makefile index 9c5bf857a..83f488fee 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/Makefile +++ b/provider-ci/internal/pkg/templates/bridged-provider/Makefile @@ -356,7 +356,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -382,7 +382,6 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: --tenant "${AZURE_SIGNING_TENANT_ID}" \ --output none; \ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \ java -jar bin/jsign-6.0.jar \ --storetype AZUREKEYVAULT \ --keystore "PulumiCodeSigning" \ @@ -394,6 +393,9 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: fi; \ fi +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) 
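Review bot: The new `bin/jsign-6.0.jar` target fetches the tool that later signs the release binary with no integrity check, so a substituted or truncated jar would be executed with the Key Vault access token in hand and would also satisfy the target on every later run. Pin the release's SHA-256 (a labelled placeholder is used below), verify it before the jar is trusted, and download to `$@.tmp` with a final `mv` so a failed fetch never leaves a usable-looking target. Since this rule now runs before the provider build that previously populated `bin/`, the recipe also needs `mkdir -p $(@D)` unless that directory is checked in. The prerequisite is attached to the pattern rule shared by every platform, so linux and darwin builds now need network access for a tool only the windows target uses; declaring it as `bin/windows-amd64/$(PROVIDER).exe: bin/jsign-6.0.jar` on its own line keeps the other targets offline-buildable. The same target and prerequisite are added to the acme, aws, cloudflare and docker Makefiles in this patch.
```make
# Placeholder: replace with the SHA-256 published for the jsign 6.0 release.
JSIGN_SHA256 := <SHA256-OF-JSIGN-6.0.JAR>

bin/windows-amd64/$(PROVIDER).exe: bin/jsign-6.0.jar

bin/jsign-6.0.jar:
	mkdir -p $(@D)
	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=$@.tmp
	echo "$(JSIGN_SHA256)  $@.tmp" | sha256sum -c -
	mv -f $@.tmp $@
```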
diff --git a/provider-ci/test-providers/acme/Makefile b/provider-ci/test-providers/acme/Makefile index 04f020eeb..25a4d083a 100644 --- a/provider-ci/test-providers/acme/Makefile +++ b/provider-ci/test-providers/acme/Makefile @@ -314,7 +314,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -340,7 +340,6 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: --tenant "${AZURE_SIGNING_TENANT_ID}" \ --output none; \ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \ java -jar bin/jsign-6.0.jar \ --storetype AZUREKEYVAULT \ --keystore "PulumiCodeSigning" \ @@ -352,6 +351,9 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: fi; \ fi +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) diff --git a/provider-ci/test-providers/aws/Makefile b/provider-ci/test-providers/aws/Makefile index 0244b794c..121ff5b97 100644 --- a/provider-ci/test-providers/aws/Makefile +++ b/provider-ci/test-providers/aws/Makefile 
@@ -328,7 +328,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -354,7 +354,6 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: --tenant "${AZURE_SIGNING_TENANT_ID}" \ --output none; \ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \ java -jar bin/jsign-6.0.jar \ --storetype AZUREKEYVAULT \ --keystore "PulumiCodeSigning" \ @@ -366,6 +365,9 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: fi; \ fi +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) diff --git a/provider-ci/test-providers/cloudflare/Makefile b/provider-ci/test-providers/cloudflare/Makefile index ad8fae111..4c9f205a1 100644 --- a/provider-ci/test-providers/cloudflare/Makefile +++ b/provider-ci/test-providers/cloudflare/Makefile @@ -324,7 +324,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ 
@@ -350,7 +350,6 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: --tenant "${AZURE_SIGNING_TENANT_ID}" \ --output none; \ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \ java -jar bin/jsign-6.0.jar \ --storetype AZUREKEYVAULT \ --keystore "PulumiCodeSigning" \ @@ -362,6 +361,9 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: fi; \ fi +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) diff --git a/provider-ci/test-providers/docker/Makefile b/provider-ci/test-providers/docker/Makefile index aaeae3c2a..c463f717b 100644 --- a/provider-ci/test-providers/docker/Makefile +++ b/provider-ci/test-providers/docker/Makefile @@ -327,7 +327,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -353,7 +353,6 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: --tenant "${AZURE_SIGNING_TENANT_ID}" \ --output none; \ ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar; \ java -jar bin/jsign-6.0.jar \ --storetype AZUREKEYVAULT \ --keystore "PulumiCodeSigning" \ 
@@ -365,6 +364,9 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: fi; \ fi +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)