diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ec84130a..02892d93 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,7 @@ env:
 jobs:
 build:
 runs-on: windows-2022
+ environment: build
 steps:
 - uses: actions/checkout@v4
 with:
@@ -68,6 +69,40 @@ jobs:
 Get-ChildItem -Path output
+ - name: Sign build artifacts
+ if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+ run: |
+ $ErrorActionPreference = "Stop"
+ $Version = Get-Content VERSION
+
+ $b64 = $env:CODE_SIGN_KEY
+ $filename = 'windows_exporter_CodeSign.pfx'
+
+ $bytes = [Convert]::FromBase64String($b64)
+ [IO.File]::WriteAllBytes($filename, $bytes)
+
+ $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+ $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+ Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+ Sort-Object { [Version]$_.Name } -Descending |
+ Select-Object -First 1 |
+ ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+ if (Test-Path $latestSigntool) {
+ Write-Output $latestSigntool
+ } else {
+ Write-Output "signtool.exe not found"
+ }
+
+ foreach($Arch in "amd64", "arm64") {
+ & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe"
+ }
+
+ rm windows_exporter_CodeSign.pfx
+ env:
+ CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+ CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
 - name: Build Release Artifacts
 run: |
 $ErrorActionPreference = "Stop"
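Review bot: The `foreach` loop in "Sign build artifacts" never checks signtool's exit status, and assuming the default `pwsh` step shell only the final `$LASTEXITCODE` decides the step result, so a failed amd64 signature masked by a successful arm64 run leaves an unsigned `output\windows_exporter-$Version-amd64.exe` for the later upload steps. The `else` branch likewise only prints "signtool.exe not found" and falls through, and the decoded PFX is removed only on the happy path — any exception before `rm` leaves the private key in the runner's working directory. The `if:` expression also evaluates as `(A && B) || C`, and `github.repository` is the upstream name even for fork pull requests, so the head-repo check adds nothing; whether that matters depends on this workflow's triggers, which are outside the hunk. I would throw on a missing signtool and on a non-zero exit, and wrap the PFX lifetime in `try`/`finally`:

```yaml
          # … unchanged: $Version, $filename, signtool discovery …
          if (-not $latestSigntool -or -not (Test-Path $latestSigntool)) {
            throw "signtool.exe not found under $basePath"
          }

          try {
            [IO.File]::WriteAllBytes($filename, [Convert]::FromBase64String($env:CODE_SIGN_KEY))
            foreach($Arch in "amd64", "arm64") {
              & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f $filename /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.exe"
              if ($LASTEXITCODE -ne 0) { throw "signtool failed for $Arch (exit $LASTEXITCODE)" }
            }
          } finally {
            Remove-Item -Force -ErrorAction SilentlyContinue $filename
          }
```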
@@ -83,6 +118,40 @@ jobs:
 promu checksum output\
+ - name: Sign installer artifacts
+ if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'prometheus-community/windows_exporter' || github.repository == 'prometheus-community/windows_exporter' }}
+ run: |
+ $ErrorActionPreference = "Stop"
+ $Version = Get-Content VERSION
+
+ $b64 = $env:CODE_SIGN_KEY
+ $filename = 'windows_exporter_CodeSign.pfx'
+
+ $bytes = [Convert]::FromBase64String($b64)
+ [IO.File]::WriteAllBytes($filename, $bytes)
+
+ $basePath = "C:\Program Files (x86)\Windows Kits\10\bin"
+ $latestSigntool = Get-ChildItem -Path $basePath -Directory |
+ Where-Object { $_.Name -match "^\d+\.\d+\.\d+\.\d+$" } |
+ Sort-Object { [Version]$_.Name } -Descending |
+ Select-Object -First 1 |
+ ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" }
+
+ if (Test-Path $latestSigntool) {
+ Write-Output $latestSigntool
+ } else {
+ Write-Output "signtool.exe not found"
+ }
+
+ foreach($Arch in "amd64", "arm64") {
+ & $latestSigntool sign /v /tr "http://timestamp.digicert.com" /d "Prometheus exporter for Windows machines" /td SHA256 /fd SHA256 /a /f "windows_exporter_CodeSign.pfx" /p $env:CODE_SIGN_PASSWORD "output\windows_exporter-$Version-$Arch.msi"
+ }
+
+ rm windows_exporter_CodeSign.pfx
+ env:
+ CODE_SIGN_KEY: ${{ secrets.CODE_SIGN_KEY }}
+ CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
+
 - name: Upload Artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -103,6 +172,9 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - build
+ env:
+ DOCKER_BUILD_SUMMARY: false
+ DOCKER_BUILD_RECORD_UPLOAD: false
 steps:
 - uses: actions/checkout@v4
 with:
@@ -165,3 +237,4 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 platforms: windows/amd64
+ annotations: ${{ steps.meta.outputs.labels }}
diff --git a/README.md b/README.md
index d5037e5d..48d2df80 100644
--- a/README.md
+++ b/README.md
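Review bot: "Sign installer artifacts" runs after the `promu checksum output\` context line directly above it, and signing rewrites the MSI bytes, so — assuming the `.msi` files this step reads from `output\` are already present when the checksum runs — the published checksum file carries hashes of the unsigned installers and will not match what users download; the exe signing in the build step is ordered before the checksum and is not affected. Move this step ahead of the checksum, or re-run `promu checksum output\` as a final line after the signing loop. The step body is otherwise a verbatim copy of "Sign build artifacts" differing only in the file extension; a committed script taking the file list as a parameter (e.g. `installer/sign.ps1`) would keep the two from drifting and give one place to check signtool's exit code, which neither copy does. Since the README hunk in this same change asks users to import the self-signed certificate into the Trusted Root store, a leak of `CODE_SIGN_KEY` yields a signer those users trust unconditionally — restricting the `build` environment to protected release tags and publishing the certificate fingerprint alongside the `.cer` would limit that, though the environment's protection rules are outside this diff.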
@@ -100,6 +100,9 @@ windows_exporter accepts flags to configure certain behaviours. The ones configu The latest release can be downloaded from the [releases page](https://github.com/prometheus-community/windows_exporter/releases). +All binaries and installation packages are signed with an self-signed certificate. The public key can be found [here](https://github.com/prometheus-community/windows_exporter/blob/master/installer/codesign.cer). +Once import into the trusted root certificate store, the binaries and installation packages will be trusted. + Each release provides a .msi installer. The installer will setup the windows_exporter as a Windows service, as well as create an exception in the Windows Firewall. If the installer is run without any parameters, the exporter will run with default settings for enabled collectors, ports, etc. diff --git a/installer/codesign.cer b/installer/codesign.cer new file mode 100644 index 00000000..bc0e524c Binary files /dev/null and b/installer/codesign.cer differ