Sign fleetctl.exe for Windows users

[getvictor]

Goal

User story
As a Fleet admin on Windows,
I want to use a signed version of fleetctl.exe
so that I can minimize my security risk.

Context

We are signing orbit.exe and fleet-desktop.exe. fleetctl for macOS is now signed as well.

fleetctl is generated using GoReleaser flow. Windows signing uses an HSM hosted by DigiCert (KeyLocker), so the signing flow is more complex than for macOS. Engineering needs to figure out how to use the existing Windows signing workflow with GoReleaser, or create a new flow, or some combination of the two.

• Requestor(s): @getvictor
• Product designer: _____

Changes

Product

• [ ] UI changes: TODO
• [ ] CLI usage changes: TODO
• [ ] REST API changes: TODO
• [ ] Permissions changes: TODO
• [ ] Outdated documentation changes: TODO
• [ ] Changes to paid features or tiers: TODO

Engineering

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

@lukeheath I think this story meets the definition of an engineering-initiated user story.

Adding ~engineering-initiated and removing ~feature-fest.

[lukeheath]

@getvictor Thanks for filing this. I'm prioritizing on to the drafting board for estimation and consideration in the next sprint.

[sharon-fdm]

Hopefully, go-releaser has a post-hook that can call the agitation that does the signing. Other options could also be good.