Switch windows codesigning over to Azure Trusted Signing (#379)

* Switch windows codesigning over to Azure Trusted Signing

This is the new blessed way of codesigning on windows

* Upgrade windows docker images to v7.10

* sign treehashes

pipelines/main/launch_signed_jobs.yml.signature

@@ -1,3 +1 @@
-Salted__��,�`jsl@�dڇ��^��A{���8%�)��Y
-t�2��t�`�}B�ȮriD�ą�* U�����2S��\�
-�aB
Se��H�ss!
+Salted__<YG7l��"y0?4��=׽ቕ�������ݓ��.���\��*.� &�tÜ�2=��7�T�\00��e������nMQ2������h
��

pipelines/main/launch_upload_jobs.yml.signature

@@ -1 +1 @@
-Salted__�xR���R�7餖�=����>S�Y`�j�Wr'�&��*VM�D����u-b��ɖ?+yϭ�#��ɑcZP��p�[4vE�u��
+Salted__�摏����P��	��#��
�~t��,o����Õ�?`r�VxZA�*��Bd�;�=/
!��%?bF��-+����c�R��$���

pipelines/main/platforms/build_windows.arches

@@ -1,6 +1,6 @@
 # OS     TRIPLET              ARCH       DOCKER_ARCH   MAKE_FLAGS                                TIMEOUT     DOCKER_TAG
-windows  x86_64-w64-mingw32   x86_64     x86_64        VERBOSE=1                                 .           v7.2
-windows  i686-w64-mingw32     x86_64     i686          VERBOSE=1                                 .           v7.2
+windows  x86_64-w64-mingw32   x86_64     x86_64        VERBOSE=1                                 .           v7.10
+windows  i686-w64-mingw32     x86_64     i686          VERBOSE=1                                 .           v7.10
 
 # These special lines allow us to embed default values for the columns above.
 # Any column without a default mapping here will simply substitute a `.` to the empty string

pipelines/main/platforms/upload_windows.arches

@@ -1,6 +1,6 @@
 # OS     TRIPLET                DOCKER_TAG   TIMEOUT
-windows  x86_64-w64-mingw32     v5.44        .
-windows  i686-w64-mingw32       v5.44        .
+windows  x86_64-w64-mingw32     v7.10        .
+windows  i686-w64-mingw32       v7.10        .
 
 # These special lines allow us to embed default values for the columns above.
 # Any column without a default mapping here will simply substitute a `.` to the empty string

pipelines/main/platforms/upload_windows.yml

@@ -21,7 +21,9 @@ steps:
               variables:
                 - AWS_ACCESS_KEY_ID="U2FsdGVkX184v87+NPs3j9r/JoIuOrYt4/Z4wnRdklnY17NP8C8AMZvWYLJfT9t1"
                 - AWS_SECRET_ACCESS_KEY="U2FsdGVkX1+qptnxR/Mo5jZdH8OQfflRPiQBEhjgZIiTpn8KNCJYh/Cb8xxaUWazlcM9ceOlo0InDubL+J8zdg=="
-                - WINDOWS_CODESIGN_PASSWORD="U2FsdGVkX1+wiqniliFf7YWn1f/Y2rppITsOMvLGgK8n+GYWXWJH+POojLhEwU75"
+                - AZURE_TENANT_ID="U2FsdGVkX1+c2HbeSTq1c0fEep5riO3+PSQCiovdRT5akVpyy5hC311cXUCUB+A7ivIezAdJ7oz3dt19t60iuw=="
+                - AZURE_CLIENT_ID="U2FsdGVkX195QeT0ywNdXSa2ctMb9DFXyFVo0zG0/GtZUw95PTycqSZ+qEwXZbRZhGxXjGMVzcP2XZ0f/OuNnQ=="
+                - AZURE_CLIENT_SECRET="U2FsdGVkX1/905nz82Iy5toukRXEO8QS2etwfFCocofgnpBB62wJRDrWClPCNEX6ICo0jQzgoSbwDr2+C1ETSA=="
               files:
                 - .buildkite/secrets/tarball_signing.gpg
                 - .buildkite/secrets/windows_codesigning.pfx
@@ -42,9 +44,11 @@ steps:
                 # Have to include this for `buildkite-agent` to work:
                 - "BUILDKITE_AGENT_ACCESS_TOKEN"
                 # Have to include these for codesigning and uploading
-                - "WINDOWS_CODESIGN_PASSWORD"
                 - "AWS_ACCESS_KEY_ID"
                 - "AWS_SECRET_ACCESS_KEY"
+                - "AZURE_TENANT_ID"
+                - "AZURE_CLIENT_ID"
+                - "AZURE_CLIENT_SECRET"
                 # These control where we upload, important when running on julia-buildkite
                 - "S3_BUCKET"
                 - "S3_BUCKET_PREFIX"

pipelines/scheduled/launch_signed_jobs.yml.signature

@@ -1 +1 @@
-Salted__���9�ڃ���X]��8�i(�$���tt�@t!���^���B���.$�(�.i��Y�Y0"4�'(��?�k�]:6
���ۉS"I�=���
+Salted__=oT��#�S�f��B�����V�x ��U�VR�����u��Ƶi�C�[Ь����3�ާ���+��*�J��ъF�#

pipelines/scheduled/launch_upload_jobs.yml.signature

@@ -1 +1 @@
-Salted__*b��]��#�At����t�k�ă��ڟ��W�EE�j�E�/YV�Yl"�T`�����&8�]�s�YG�I@	^]�0���E�ys
+Salted__Z=.���܃n-��Y���p��:����4����^W�e����};�~����2��2ͬF7bNN�J]��R���2��^P�G{�m�

utilities/upload_julia.sh

@@ -81,15 +81,15 @@ if [[ "${BUILDKITE_PULL_REQUEST}" == "false" ]]; then
             /F"${UPLOAD_FILENAME}" \
             /O"$(cygpath -w "$(pwd)")" \
             /Dsign=true \
-            /Smysigntool="bash.exe '${codesign_script}' --certificate='${certificate}' \$f" \
+            /Smysigntool="bash.exe '${codesign_script}' \$f" \
             "$(cygpath -w "${iss_file}")"
 
         # Add the `.exe` to our upload targets
         UPLOAD_EXTENSIONS+=( "exe" )
 
         # Next, directly codesign every executable file in the install dir
         echo "--- [windows] Codesign everything in the install directory"
-        "${codesign_script}" --certificate="${certificate}" "${JULIA_INSTALL_DIR}"
+        "${codesign_script}" "${JULIA_INSTALL_DIR}"
 
         echo "--- [windows] Update checksums for stdlib cachefiles"
         ${JULIA_INSTALL_DIR}/bin/julia .buildkite/utilities/update_stdlib_pkgimage_checksums.jl

utilities/windows/codesign.sh

@@ -3,14 +3,18 @@
 
 set -euo pipefail
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+DLIB_DEFAULT_PATH='C:\Program Files\TrustedSigning\bin\x64\Azure.CodeSigning.Dlib.dll'
+DLIB_PATH="${DLIB_DEFAULT_PATH}"
+METADATA_JSON_PATH="$(cygpath -w ${SCRIPT_DIR}/codesign_metadata.json)"
+
 usage() {
-    echo "Usage: $0 --certificate=<path> --password=<password> <target>"
+    echo "Usage: $0 [--dlib-path=<path>] <target>"
     echo
     echo "Parameter descriptions:"
     echo
-    echo "       key: A '.pfx' file that contains the codesigning certificate"
-    echo
-    echo "  password: The password to unlock the given '.pfx' file."
+    echo "  dlib-path: The path to the Trusted Signing .dlib file (defaults to ${DLIB_DEFAULT_PATH})."
     echo
     echo "    target: A file or directory to codesign (must come last!)"
 }
@@ -26,22 +30,13 @@ fi
 
 while [ "$#" -gt 1 ]; do
     case "${1}" in
-        --certificate)
-            CERT_PATH="$2"
+        --dlib-path)
+            DLIB_PATH="$2"
             shift
             shift
             ;;
-        --certificate=*)
-            CERT_PATH="${1#*=}"
-            shift
-            ;;
-        --password)
-            CERT_PASSWORD="$2"
-            shift
-            shift
-            ;;
-        --password=*)
-            CERT_PASSWORD="${1#*=}"
+        --dlib-path=*)
+            DLIB_PATH="${1#*=}"
             shift
             ;;
         *)
@@ -51,32 +46,33 @@ while [ "$#" -gt 1 ]; do
             ;;
     esac
 done
+DLIB_PATH="$(cygpath -w "${DLIB_PATH}")"
 
-# We tend to receive this via an environment variable on CI, so as to
-# not print it out when `make` is run in verbose mode
-CERT_PASSWORD="${CERT_PASSWORD:-${WINDOWS_CODESIGN_PASSWORD}}"
+if [[ -z "${AZURE_TENANT_ID:-}" ]] ||
+   [[ -z "${AZURE_CLIENT_ID:-}" ]] ||
+   [[ -z "${AZURE_CLIENT_SECRET:-}" ]]; then
+    echo "ERROR: Missing AZURE_* secret variables!" >&2
+    exit 1
+fi
 
-if [[ ! -f "${CERT_PATH}" ]]; then
-    echo "ERROR: Certificate path '${CERT_PATH}' does not exist!" >&2
+if [[ ! -f "${DLIB_PATH}" ]]; then
+    echo "ERROR: No Trusted Signing dlib found at '${DLIB_PATH}'" >&2
     exit 1
 fi
-CERT_PATH="$(cygpath -w "$(abspath "${CERT_PATH}")")"
+
 
 # We will try to codesign, using multiple timestamping servers in case one is down
 SERVERS=(
-    "http://timestamp.digicert.com/?alg=sha1"
-    "http://timestamp.globalsign.com/scripts/timstamp.dll"
-    "http://timestamp.comodoca.com/authenticode"
+    "http://timestamp.acs.microsoft.com"
+    "http://timestamp.digicert.com"
     "http://tsa.starfieldtech.com"
 )
 NUM_RETRIES=3
 
 function do_codesign() {
     for retry in $(seq 1 ${NUM_RETRIES}); do
         for SERVER in ${SERVERS[@]}; do
-            # Note that we're using SHA1 signing here, because that's what our certificate supports.
-            # In the future, we may be able to upgrade to SHA256.
-            if MSYS2_ARG_CONV_EXCL='*' signtool sign /debug /fd certHash /f "${CERT_PATH}" /p "${CERT_PASSWORD}" /t "${SERVER}" "$1"; then
+            if MSYS2_ARG_CONV_EXCL='*' signtool sign /q /fd SHA256 /tr "${SERVER}" /td SHA256 /dlib "${DLIB_PATH}" /dmdf "${METADATA_JSON_PATH}" "$1"; then
                 return 0
             fi
         done
@@ -89,7 +85,7 @@ function do_codesign() {
 # This codesign script only works on files
 if [ -f "${1}" ]; then
     # If we're codesigning a single file, directly invoke codesign on that file
-    echo "Codesigning file ${1} with certificate ${CERT_PATH}"
+    echo "Codesigning file ${1}"
     do_codesign "${1}"
 elif [ -d "${1}" ]; then
     # Create a fifo to communicate from `find` to `while`
@@ -105,7 +101,7 @@ elif [ -d "${1}" ]; then
     # This while loop reads in from the fifo, and invokes `do_codesign`,
     # but it does so in a background task, so that the codesigning can
     # happen in parallel.  This speeds things up by a few seconds.
-    echo "Codesigning dir ${1} with certificate ${CERT_PATH}"
+    echo "Codesigning dir ${1}"
     NUM_CODESIGNS=0
     while IFS= read -r -d '' exe_file; do
         do_codesign "${exe_file}" &

utilities/windows/codesign_metadata.json

@@ -0,0 +1,16 @@
+{
+    "Endpoint": "https://eus.codesigning.azure.net/",
+    "CodeSigningAccountName": "juliahubwincertsaccount",
+    "CertificateProfileName": "JuliaHubWinCert",
+    "ExcludeCredentials": [
+        "WorkloadIdentityCredential",
+        "ManagedIdentityCredential",
+        "SharedTokenCacheCredential",
+        "VisualStudioCredential",
+        "VisualStudioCodeCredential",
+        "AzureCliCredential",
+        "AzurePowerShellCredential",
+        "AzureDeveloperCliCredential",
+        "InteractiveBrowserCredential"
+    ]
+}