Fix Linux binary signing - replace osslsigncode with SHA256 checksums

LoukaO · LoukaO · commit d8814658ce2d · 2025-08-26T22:53:45.000+02:00
- Remove osslsigncode usage for Linux binaries (incompatible with ELF format)
- Add SHA256 checksum generation for integrity verification
- Add build metadata file with version and build information
- Update artifact uploads to include checksums and metadata
- Improves Linux build reliability and follows standard practices
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -205,134 +205,33 @@ jobs:
         objcopy --add-section .version=version.txt terminusai-linux-amd64
         rm version.txt
 
-    - name: Sign Linux binary
-      if: ${{ vars.ENABLE_SIGNING == 'true' }}
+    - name: Create Linux binary checksum and metadata
       run: |
-        # Install signing tools
-        sudo apt-get update
-        sudo apt-get install -y openssl file build-essential cmake libssl-dev libcurl4-openssl-dev
-        
-        # Build osslsigncode from source for better compatibility
-        echo "Building osslsigncode from source..."
-        timeout 300 git clone --depth 1 https://github.com/mtrojnar/osslsigncode.git || {
-          echo "Failed to clone osslsigncode, falling back to package version"
-          sudo apt-get install -y osslsigncode
-        }
-        
-        if [ -d "osslsigncode" ]; then
-          cd osslsigncode
-          timeout 600 bash -c "
-            mkdir -p build && cd build &&
-            cmake -S .. -B . &&
-            cmake --build . &&
-            sudo cmake --install .
-          " || {
-            echo "Source build failed, falling back to package version"
-            cd ..
-            sudo apt-get install -y osslsigncode
-          }
-          cd ..
-        fi
-        
-        # Verify installation
-        osslsigncode --version || echo "osslsigncode installed but version check failed"
-        
-        # Decode certificate and detect format
-        echo "${{ secrets.CERTIFICATE_BASE64 }}" | base64 --decode > certificate.bin
-        
-        # Check certificate format
-        file_info=$(file certificate.bin)
-        echo "Certificate format detected: $file_info"
-        
-        # Try different certificate formats
-        cert_converted=false
-        
-        # Try as PKCS#12 first
-        if openssl pkcs12 -info -in certificate.bin -noout -passin pass: 2>/dev/null; then
-          echo "Certificate is PKCS#12 format"
-          openssl pkcs12 -in certificate.bin -out cert.pem -nodes -passin pass:
-          openssl pkcs12 -in certificate.bin -nocerts -out key.pem -nodes -passin pass:
-          cert_converted=true
-        elif [ -n "${{ secrets.CERTIFICATE_PASSWORD }}" ] && openssl pkcs12 -info -in certificate.bin -noout -passin pass:"${{ secrets.CERTIFICATE_PASSWORD }}" 2>/dev/null; then
-          echo "Certificate is password-protected PKCS#12 format"
-          openssl pkcs12 -in certificate.bin -out cert.pem -nodes -passin pass:"${{ secrets.CERTIFICATE_PASSWORD }}"
-          openssl pkcs12 -in certificate.bin -nocerts -out key.pem -nodes -passin pass:"${{ secrets.CERTIFICATE_PASSWORD }}"
-          cert_converted=true
-        # Try as PFX (another name for PKCS#12)
-        elif openssl pkcs12 -info -in certificate.bin -noout 2>/dev/null; then
-          echo "Certificate is PFX format"
-          openssl pkcs12 -in certificate.bin -out cert.pem -nodes
-          openssl pkcs12 -in certificate.bin -nocerts -out key.pem -nodes
-          cert_converted=true
-        # Try as DER certificate
-        elif openssl x509 -inform DER -in certificate.bin -noout 2>/dev/null; then
-          echo "Certificate is DER format (certificate only, no private key)"
-          echo "WARNING: DER format certificate detected but no private key available for signing"
-          echo "Linux signing requires both certificate and private key - skipping"
-        # Try as PEM certificate
-        elif openssl x509 -inform PEM -in certificate.bin -noout 2>/dev/null; then
-          echo "Certificate is PEM format (certificate only, no private key)"
-          echo "WARNING: PEM format certificate detected but no private key available for signing"
-          echo "Linux signing requires both certificate and private key - skipping"
-        else
-          echo "Unknown certificate format or corrupted certificate"
-          echo "Certificate file info: $file_info"
-          echo "Skipping Linux signing due to unsupported certificate format"
-        fi
+        # Create SHA256 checksum for integrity verification
+        sha256sum terminusai-linux-amd64 > terminusai-linux-amd64.sha256
         
-        if [ "$cert_converted" = true ] && [ -f cert.pem ] && [ -f key.pem ]; then
-          echo "Certificate converted successfully, proceeding with signing"
-          
-          # Debug: Show certificate and key info
-          echo "=== Certificate Info ==="
-          openssl x509 -in cert.pem -text -noout | head -10
-          echo "=== Key Info ==="
-          openssl rsa -in key.pem -noout -text | head -5 2>/dev/null || echo "Key validation failed"
-          
-          # Try different osslsigncode approaches
-          echo "=== Attempting to sign binary ==="
-          
-          # Method 1: Try with separate cert and key files
-          if osslsigncode sign -certs cert.pem -key key.pem -n "TerminusAI" -i "https://github.com/${{ github.repository }}" -in terminusai-linux-amd64 -out terminusai-linux-amd64-signed 2>sign_error.log; then
-            mv terminusai-linux-amd64-signed terminusai-linux-amd64
-            echo "Linux binary signed successfully with separate cert/key files"
-          else
-            echo "Method 1 failed, trying alternative approach..."
-            cat sign_error.log
-            
-            # Method 2: Try combining cert and key in one file
-            cat cert.pem key.pem > combined.pem
-            if osslsigncode sign -certs combined.pem -key combined.pem -n "TerminusAI" -i "https://github.com/${{ github.repository }}" -in terminusai-linux-amd64 -out terminusai-linux-amd64-signed 2>sign_error2.log; then
-              mv terminusai-linux-amd64-signed terminusai-linux-amd64
-              echo "Linux binary signed successfully with combined cert/key file"
-            else
-              echo "Method 2 failed, trying PKCS#12 directly..."
-              cat sign_error2.log
-              
-              # Method 3: Try using PKCS#12 directly with osslsigncode
-              if osslsigncode sign -pkcs12 certificate.bin -n "TerminusAI" -i "https://github.com/${{ github.repository }}" -in terminusai-linux-amd64 -out terminusai-linux-amd64-signed 2>sign_error3.log; then
-                mv terminusai-linux-amd64-signed terminusai-linux-amd64
-                echo "Linux binary signed successfully with PKCS#12 directly"
-              else
-                echo "All signing methods failed. Error logs:"
-                echo "=== Final Error Log ==="
-                cat sign_error3.log
-                echo "Linux binary will remain unsigned"
-              fi
-            fi
-          fi
-        else
-          echo "Certificate conversion failed - Linux binary will remain unsigned"
-        fi
+        # Create metadata file with build information
+        cat > terminusai-linux-amd64.info << EOF
+        Binary: terminusai-linux-amd64
+        Version: ${{ github.ref_name }}
+        Architecture: linux/amd64
+        Build Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)
+        Repository: ${{ github.repository }}
+        Commit: ${{ github.sha }}
+        EOF
         
-        # Clean up temporary files
-        rm -f certificate.bin cert.pem key.pem
+        echo "Linux binary checksum and metadata created:"
+        cat terminusai-linux-amd64.sha256
+        cat terminusai-linux-amd64.info
 
     - name: Upload Linux Binary
       uses: actions/upload-artifact@v4
       with:
         name: terminusai-linux-binary
-        path: terminusai-linux-amd64
+        path: |
+          terminusai-linux-amd64
+          terminusai-linux-amd64.sha256
+          terminusai-linux-amd64.info
 
   create-release:
     name: Create GitHub Release
@@ -353,4 +252,6 @@ jobs:
           terminusai-windows-installer/terminusai-setup.exe
           terminusai-macos-binary/terminusai-macos-universal
           terminusai-linux-binary/terminusai-linux-amd64
+          terminusai-linux-binary/terminusai-linux-amd64.sha256
+          terminusai-linux-binary/terminusai-linux-amd64.info
         generate_release_notes: true
