[feature] Support signing Windows binaries

[makkes]

Is your feature request related to a problem? Please describe.

We're using the slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.1.0 workflow to build Go binaries and attestations for an application that our customer runs on Windows machines. To match the customer's security requirements the binaries need to be signed by our code signing certificate that we got from Microsoft (using Azure Trusted Signing).

We have not found a way to sign the binaries that the workflow generates as part of the build process.

Describe the solution you'd like

We would like to integrate signing of the Windows binaries, preferably by integrating the existing trusted signing action.

Describe alternatives you've considered

Currently we sign the binaries after the build process which obviously breaks the provenance attestations.

Additional context

n/a

[ianlewis]

Could you not download the binaries you just built, verify the proveance, and then sign using the azure signing action?

I'm not sure slsa-github-generator would be the right thing here since it doesn't do anything with the binaries. Provanance is the only thing that's ever signed. It's probably also not feasable to support every signing method that might exist.

It also would be a bit difficult currently from tech perspective, as slsa-github-generator currently only supports building on Linux runners and the Azure trusted signing action needs to run on Windows runners. I think it's something we wanted to support eventually, but would require a decent amount of work to get there.

[makkes]

Thanks for your response @ianlewis. I am with you that binary signing would probably not be something that should be directly supported by slsa-github-generator, however the Go builder workflow I mentioned in the original description doesn't have a way to kind of hook into it so that I could sign the binaries it created before it hands over those binaries to the provenance generation step. Without such a hook I would have to completely ditch the Go builder workflow you provide and come up with my own workflow from scratch (which is what I did here as a workaround for now).

[ianlewis]

Ok, I see. Since the binary itself is modified to include the signature you're invalidating the provenance. Yeah, that's tricky. The best bet might be to do as you did there; build it yourself and use the generic generator.