The code-sign-action action integrates with Digicert One and uses SignTool on Windows runners and JSign on Linux runners. It has been tested on `windows-2022`, `ubuntu-20.04` and `ubuntu-22.04` runners.
The action reads the following environment variables. The examples below supply each of them from GitHub Actions secrets rather than as literal values in the workflow file.

- `CERTIFICATE_HOST`: https://clientauth.one.digicert.com
- `CERTIFICATE_HOST_API_KEY`: An API key created for the GitHub Actions service user in Digicert One.
- `CERTIFICATE_SHA1_HASH`: SHA1 fingerprint of the code signing certificate.
- `CLIENT_CERTIFICATE`: Client authentication certificate (.p12 file) created for the GitHub Actions service user in Digicert One.
- `CLIENT_CERTIFICATE_PASSWORD`: Password of the client authentication certificate created for the GitHub Actions service user in Digicert One.
- `KEYPAIR_ALIAS`: Keypair alias value found in the "Keypair details" section of the "Certificates" page in your KeyLocker dashboard.
The action takes one input:

- `path-to-binary`: Either the path of a single file to sign or the path of a directory containing the files to be signed.
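# Example workflow: sign one file on a Windows runner whenever main or a
# releases/* branch is pushed.
name: codesign-example-single-file
on:
  push:
    branches:
      - main
      - 'releases/*'

# Least privilege for GITHUB_TOKEN: nothing shown in this job writes to the
# repository. NOTE(review): widen only if the signing action turns out to need
# more; that cannot be confirmed from this page.
permissions:
  contents: read

jobs:
  run-action:
    runs-on: windows-2022
    steps:
      # NOTE(review): no checkout or build step is shown in this example, so
      # test\test.dll has to be produced by an earlier step that is omitted
      # here. Sign only artifacts built in this same run from reviewed code.
      - name: Run the action for a single file
        # Every signing credential is read from an encrypted secret and scoped
        # to this one step, so other steps in the job do not inherit it.
        env:
          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
          KEYPAIR_ALIAS: ${{ secrets.CODE_SIGNING_KEYPAIR_ALIAS }}
        # v3 is a mutable tag and this step receives the signing credentials.
        # Consider pinning to a commit you have reviewed, for example
        # cognitedata/code-sign-action/@<FULL_COMMIT_SHA_PLACEHOLDER>  # v3
        uses: cognitedata/code-sign-action/@v3
        with:
          # Single quotes keep the backslash literal; inside double quotes
          # the sequence \t would be read as a tab character.
          path-to-binary: 'test\test.dll'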
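# Example workflow: sign every file in a directory on a Linux runner.
name: codesign-example-multiple-files
on:
  # NOTE(review): the signing step below also runs for pull requests.
  # Pull requests from forks do not receive repository secrets, so the env
  # values would be empty there. Pull requests from branches of this
  # repository do receive them, which means unmerged code gets signed with
  # the production certificate. Consider gating the signing step with
  # `if: github.event_name == 'push'` or placing the secrets in a protected
  # environment that requires approval.
  pull_request:
  push:
    branches:
      - main
      - "releases/*"

# Least privilege for GITHUB_TOKEN: the job only checks out the repository.
# NOTE(review): widen only if the signing action turns out to need more;
# that cannot be confirmed from this page.
permissions:
  contents: read

jobs:
  run-action-linux:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run the action for multiple files in directory
        # Every signing credential is read from an encrypted secret and scoped
        # to this one step, so the checkout step does not inherit it.
        env:
          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
          KEYPAIR_ALIAS: ${{ secrets.CODE_SIGNING_KEYPAIR_ALIAS }}
        # v3 is a mutable tag and this step receives the signing credentials.
        # Consider pinning to a commit you have reviewed, for example
        # cognitedata/code-sign-action/@<FULL_COMMIT_SHA_PLACEHOLDER>  # v3
        uses: cognitedata/code-sign-action/@v3
        with:
          # A directory path: the files inside "test" are the ones to be
          # signed, so keep that directory limited to the intended artifacts.
          path-to-binary: "test"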