Merge pull request #8 from joemiller/gpg-release-signing

implement macos codesigning and gpg signing of releases

.gitignore

@@ -7,3 +7,5 @@ cover.out
 .vagrant
 vault-token-helper.exe
 .DS_Store
+.envrc
+vault-token-helper.signing-key.gpg

.goreleaser.yml

@@ -1,7 +1,7 @@
 project_name: vault-token-helper
 env:
   - GO111MODULE=on
-  # - GOPROXY=https://proxy.golang.org
+  - GOPROXY=https://proxy.golang.org
 builds:
   - binary: vault-token-helper
     id: windows
@@ -28,6 +28,9 @@ builds:
       - darwin
     goarch:
       - amd64
+    # TODO: find a way to codesign from linux and integrate into azure pipelines ci/cd
+    # hooks:
+    #   post: ./macos-codesign.sh
 
   - binary: vault-token-helper
     id: linux
@@ -59,7 +62,8 @@ archives:
     format: binary
   # archive releases containg: binary, readme, and license. tarballs (macos, linux), zip (windows)
   - id: archives
-    builds: ["linux", "macos", "windows"]
+    # TODO: add macos tar back when we can do codesign'ing during the goreleaser run
+    builds: ["linux", "windows"]
     format_overrides:
       - goos: windows
         format: zip

Makefile

@@ -26,6 +26,9 @@ release:
 snapshot: GORELEASER_ARGS= --rm-dist --snapshot
 snapshot: release
 
+sign-and-promote-release:
+	bash ./scripts/sign-and-promote-release.sh
+
 build-dev-docker-image:
 	@docker build -t joemiller/vault-token-helper-dev -f ./dev/Dockerfile.dev ./dev
 

README.md

@@ -24,31 +24,25 @@ Install
 
 ### One-line install
 
-| OS    | Command                                          |
-| ----- | ------------------------------------------------ |
-| macOS | `brew install joemiller/taps/vault-token-helper` |
+| OS                                 | Command                                          |
+| ---------------------------------- | ------------------------------------------------ |
+| macOS                              | `brew install joemiller/taps/vault-token-helper` |
+| Linux<br>(LinuxBrew)<br>*untested* | `brew install joemiller/taps/vault-token-helper` |
 
-### Linux package install
+### Linux packages
 
-| Format                                                                 | Architectures |
-| ---------------------------------------------------------------------- | ------------- |
-| [rpm](https://github.com/joemiller/vault-token-helper/releases/latest) | amd64         |
-| [deb](https://github.com/joemiller/vault-token-helper/releases/latest) | amd64         |
+| Format | Arch  |
+| ------ | ----- |
+| [rpm]  | amd64 |
+| [deb]  | amd64 |
 
 ### Pre-built binaries
 
-| OS      | Architectures | release                                                                               |
-| ------- | ------------- | ------------------------------------------------------------------------------------- |
-| macOS   | amd64         | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) |
-| Linux   | amd64         | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) |
-| Windows | amd64         | [vault-token-helper](https://github.com/joemiller/vault-token-helper/releases/latest) |
-
-
-| OS      | Architectures | binaries                              | packages    | one-line install                                 |
-| ------- | ------------- | ------------------------------------- | ----------- | ------------------------------------------------ |
-| macos   | amd64         | [vault-token-helper][latest-binaries] |             | `brew install joemiller/taps/vault-token-helper` |
-| Linux   | amd64         |                                       | [rpm] [deb] | [vault-token-helper][latest-binaries]            |
-| Windows | amd64         |                                       |             | [vault-token-helper][latest-binaries]            |
+| OS      | Arch  | binary                                |
+| ------- | ----- | ------------------------------------- |
+| macOS   | amd64 | [vault-token-helper][latest-binaries] |
+| Linux   | amd64 | [vault-token-helper][latest-binaries] |
+| Windows | amd64 | [vault-token-helper][latest-binaries] |
 
 [latest-binaries]: https://github.com/joemiller/vault-token-helper/releases/latest
 [rpm]: https://github.com/joemiller/vault-token-helper/releases/latest
@@ -210,6 +204,18 @@ $ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make release
 $ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make snapshot
 ```
 
+#### Apple codesign
+
+In order to avoid macOS keychain from always prompting for passwords the macOS binaries
+are codesigned with a cert issued by Apple. Unfortunately this can't be done easily in CI
+while still being able to leverage all the advantages of [goreleaser](https://goreleaser.com/).
+This will hopefully change one day when there is a `codesign` compatible binary available
+for Linux.
+
+In the meantime, all releases pushed by CI are created as draft releases. In order to promote
+a release, run `make sign-and-promote-release TAG=vX.Y.Z` from a macOS system with both the
+project GPG key and an apple code signing cert available.
+
 TODO
 ----
 

scripts/sign-and-promote-release.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+set -eou pipefail
+shopt -s nullglob
+
+# inputs:
+# - tag, eg: v0.1.1
+#
+# outcome:
+# - download all existing artifacts from the release
+# - codesign the macos binary
+# - create a shasum file of all assets
+# - sign the shasum file with GPG (created a detached sig file)
+# - re-upload the codesign'd macos binary
+# - upload the shasum file
+# - upload the shasum signature file
+# - promote release from draft to published
+
+TAG="${TAG:-}"
+ORG="joemiller"
+REPO="vault-token-helper"
+BINARY="vault-token-helper"
+CODESIGN_CERT="Developer ID Application: JOSEPH MILLER (P3MF48HUD7)"
+GPG_KEY="6720A9FD78AC13F5"
+
+export PATH="$HOME/bin:$PATH" # TODO
+
+if [[ -z "$TAG" ]]; then
+  echo "Missing env var 'TAG'"
+  exit 1
+fi
+
+release_info_json=''
+assets=()
+modified_assets=()
+checksum_file=''
+sig_file=''
+description=''
+tempdir="$(mktemp -d)"
+
+echo "==> Created tempdir: $tempdir"
+trap 'rm -rf -- "$tempdir"' EXIT
+
+echo
+echo "==> Fetching existing release info for $TAG"
+release_info_json=$(gothub info -t "$TAG" -u "$ORG" -r "$REPO" -j)
+
+echo
+echo "==> Generating a list of assets"
+for i in $(jq -r '.Releases[0].assets[] | .name' <<<"$release_info_json"); do
+  assets+=("$i")
+  echo "$i"
+done
+echo "==> Found: ${#assets[@]} assets"
+
+echo
+echo "==> Downloading assets to: $tempdir"
+pushd "$tempdir" >/dev/null
+for i in "${assets[@]}"; do
+  echo "==> Downloading: $i"
+  gothub download -t "$TAG" -u "$ORG" -r "$REPO" -n "$i"
+done
+ls -l "$tempdir"
+
+echo
+echo "==> Apple codesigning the macOS binaries"
+for i in ./*_darwin_amd64; do
+  echo "==> codesigning $i"
+  codesign -s "$CODESIGN_CERT" -i "$BINARY" "$i"
+  modified_assets+=("$i")
+done
+
+echo
+echo "==> Generating new checksum file"
+# delete existing checksum file before gathering new checksums
+rm -f -- "*.checksums.txt"
+checksum_file="${BINARY}_$(sed -e 's/^v//' <<<"$TAG")_checksums.txt"
+shasum -a 256 -- * >"$checksum_file"
+cat "$checksum_file"
+modified_assets+=("$checksum_file")
+
+echo
+echo "==> GPG-singing checksum file"
+sig_file="${checksum_file}.sig"
+gpg -u "$GPG_KEY" --output "$sig_file" --detach-sign "$checksum_file"
+modified_assets+=("$sig_file")
+
+echo
+echo "==> Re-uploading modified assets"
+#for i in ./*; do
+for i in "${modified_assets[@]}"; do
+  echo "==> Uploading: $i"
+  gothub upload -t "$TAG" -u "$ORG" -r "$REPO" -n "$(basename "$i")" -f "$i" --replace
+done
+
+echo
+echo "==> Promoting release from draft to published"
+# in order to preserve the current description we must provide it to the edit command:
+description="$(jq -r '.Releases[0].body' <<<"$release_info_json")"
+gothub edit -t "$TAG" -u "$ORG" -r "$REPO" -d "$description"
+
+echo
+echo "DONE!"