Merge pull request #155 from SpecterOps/anemeth/x509-negative-serials #96

Workflow file for this run

.github/workflows/publish.yml at 41ed6d1

	name: Publish

	on:
	push:
	tags:
	- v..*
	env:
	AZUREHOUND_VERSION: ${{ github.ref_name }}
	jobs:
	build:
	runs-on: ubuntu-latest
	strategy:
	matrix:
	os:
	- darwin
	- linux
	- windows
	arch:
	- amd64
	- arm64

	env:
	FILE_NAME: AzureHound_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}

	steps:
	- uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v3
	with:
	go-version-file: go.mod
	check-latest: true
	cache: true

	- name: Build
	run: 'go build -ldflags="-s -w -X github.com/bloodhoundad/azurehound/v2/constants.Version=${{ env.AZUREHOUND_VERSION }}"'
	env:
	GOOS: ${{ matrix.os }}
	GOARCH: ${{ matrix.arch }}

	- name: Upload as Artifact
	if: matrix.os == 'windows'
	uses: actions/upload-artifact@v4
	with:
	name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
	path: azurehound*

	- name: Zip
	run: 7z a -tzip -mx9 ${{ env.FILE_NAME }}.zip azurehound*

	- name: Compute Checksum
	run: sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256

	- name: Upload Release
	uses: softprops/action-gh-release@v1
	with:
	files: \|
	${{ env.FILE_NAME }}.zip
	${{ env.FILE_NAME }}.zip.sha256

	sign:
	runs-on: ubuntu-22.04 # INFO: https://docs.digicert.com/en/digicert-keylocker/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-authenticode-files-with-osslsigncode-using-openssl-pkcs11-engine.html#a-note-for-ubuntu-users-488674
	needs: build
	strategy:
	matrix:
	os:
	- windows
	arch:
	- amd64
	- arm64

	env:
	FILE_NAME: AzureHoundEnterprise_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}

	steps:
	- uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
	aws-region: us-east-1

	- uses: actions/download-artifact@v4
	with:
	pattern: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
	path: unsigned/

	- name: Install osslsigncode & pkcs11 engine
	run: \|
	sudo apt-get update
	sudo apt-get install -y osslsigncode libengine-pkcs11-openssl

	- name: Install DigiCert Client Tools
	id: digicert
	uses: digicert/ssm-code-signing@v1.0.0

	- name: Set PKCS#11 Paths
	id: pkcs11
	run: \|
	SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
	echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
	LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl \| grep "libpkcs11.so")"
	echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"

	- name: Sign Artifacts via DigiCert Signing Manager
	env:
	SM_HOST: ${{ secrets.SM_HOST }}
	SM_API_KEY: ${{ secrets.SM_API_KEY }}
	SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
	shell: bash
	run: \|
	export SM_CLIENT_CERT_FILE=$(mktemp)
	printenv SM_CLIENT_CERT_FILE_B64 \| base64 --decode > "$SM_CLIENT_CERT_FILE"
	trap 'rm $SM_CLIENT_CERT_FILE' EXIT

	mkdir signed
	artifact=unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
	smctl sign --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --input "$artifact" --openssl-pkcs11-engine "${{ steps.pkcs11.outputs.engine }}" --pkcs11-module "${{ steps.pkcs11.outputs.module }}" --tool osslsigncode --verbose
	mv "$artifact" "signed/azurehound.exe"

	- name: Verify Signed Artifacts
	env:
	SM_HOST: ${{ secrets.SM_HOST }}
	SM_API_KEY: ${{ secrets.SM_API_KEY }}
	SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
	shell: bash
	run: \|
	export SM_CLIENT_CERT_FILE=$(mktemp)
	printenv SM_CLIENT_CERT_FILE_B64 \| base64 --decode > "$SM_CLIENT_CERT_FILE"
	smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
	trap 'rm $SM_CLIENT_CERT_FILE cert-chain.pem' EXIT

	for artifact in signed/*; do
	osslsigncode verify -CAfile cert-chain.pem "$artifact"
	done

	- name: Zip Signed Executables
	run: \|
	mkdir zipped
	7z a -tzip -mx9 zipped/${{ env.FILE_NAME }}.zip signed/*

	- name: Checksum Zipped Files
	run: \|
	sha256sum zipped/${{ env.FILE_NAME }}.zip > zipped/${{ env.FILE_NAME }}.zip.sha256

	- name: Upload Artifacts to S3
	run: \|
	aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}

	containerize:
	runs-on: ubuntu-latest
	permissions:
	packages: write
	steps:
	- uses: actions/checkout@v4

	- name: Log in to GHCR
	uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
	with:
	registry: ghcr.io
	username: ${{ secrets.GHCR_USER }}
	password: ${{ secrets.PACKAGE_SCOPE }}

	- name: Log in to ACR
	uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
	with:
	registry: ${{ secrets.ACR_AZUREHOUND_REGISTRY_URL }}
	username: ${{ secrets.ACR_CLIENT_ID }}
	password: ${{ secrets.ACR_SECRET }}

	- name: Extract metadata
	id: meta
	uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
	with:
	images: \|
	ghcr.io/bloodhoundad/azurehound
	${{ secrets.ACR_AZUREHOUND_REGISTRY_URL }}/azurehound
	tags: \|
	type=semver,pattern={{version}},prefix=v
	type=semver,pattern={{major}}.{{minor}},prefix=v

	- name: Build Container Image
	uses: docker/build-push-action@v6
	with:
	context: .
	build-args: VERSION=${{ github.ref_name }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	push: true
	secrets: \|
	GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #155 from SpecterOps/anemeth/x509-negative-serials #96

Workflow file

Merge pull request #155 from SpecterOps/anemeth/x509-negative-serials #96

Uh oh!

Workflow file for this run