[SEC-2913] Update action to fit the new code signing flow #41
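# Exercises the DigiCert Software Trust Manager signing flow (smctl + PKCS#11
# via osslsigncode) on a Linux runner: decode the client certificate, sign a
# test artifact, verify the result.
#
# Secrets consumed: SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE_B64 (base64 PKCS#12),
# SM_CLIENT_CERT_PASSWORD.
name: digicert-signing-linux

on:
  # NOTE(review): running the signing job on pull_request hands the signing
  # keypair to any PR author whose workflows run with secrets; restricting the
  # signing steps to push on protected branches (or a protected environment
  # with required reviewers) limits that exposure.
  pull_request:
  push:
    branches:
      - main
      - "releases/*"

# Least privilege for GITHUB_TOKEN: nothing below writes back to the repository.
permissions:
  contents: read

jobs:
  sign-with-linux:
    # NOTE(review): ubuntu-20.04 hosted images have been retired by GitHub; the
    # pinned openssl 1.1.1 package and the engines-1.1 path below are tied to
    # that image, so moving runners means revisiting both.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        # Mutable tag; pin to a full commit SHA for a reproducible supply chain.
        uses: actions/checkout@v3

      - name: Setup Certificate
        # The secret is passed through env rather than interpolated into the
        # script text, and the decoded PKCS#12 is written owner-only for the
        # runner user instead of the 0755 default `install` would give it.
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode \
            | sudo install -D -m 0600 -o "$(id -u)" -g "$(id -g)" /dev/stdin /d/cognite_code_signing_github_actions.p12
        shell: bash

      - name: Set variables
        id: variables
        # Everything written to GITHUB_ENV (including the API key and the
        # certificate password) is visible to every later step, third-party
        # actions included. Values are still masked in logs by GitHub.
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
        run: |
          {
            echo "SM_HOST=$SM_HOST"
            echo "SM_API_KEY=$SM_API_KEY"
            echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12"
            echo "SM_CLIENT_CERT_PASSWORD=$SM_CLIENT_CERT_PASSWORD"
          } >> "$GITHUB_ENV"
        shell: bash

      - name: Install third-party required tools
        # Refresh the package index first so the pinned openssl build can be
        # resolved; the exact pin breaks whenever the archive moves past
        # 1.1.1f-1ubuntu2.19, so expect to bump it.
        run: |
          sudo apt-get update
          sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode

      - name: Code signing with Secure Software Manager
        # Third-party action pinned by tag only; pin to a commit SHA. Its
        # PKCS#11 module is loaded from /tmp in the signing step below, so this
        # workflow trusts whatever that action unpacked there.
        uses: digicert/[email protected]
        env:
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          # Path of the certificate decoded in "Setup Certificate". The previous
          # `${{ secrets.SM_CLIENT_CERT_FILE }}` here would, if that secret is
          # not defined, expand empty and override the path set via GITHUB_ENV.
          SM_CLIENT_CERT_FILE: /d/cognite_code_signing_github_actions.p12

      - name: Sign with smctl
        # GITHUB_WORKSPACE is a default runner variable; no need to re-export it.
        run: |
          # Export the leaf certificate for the keypair into the workspace.
          smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "$GITHUB_WORKSPACE"
          # osslsigncode's sign command needs an explicit -out (it does not
          # rewrite the input in place); the signed artifact is test-signed.dll.
          # -certs points at the file smctl just saved rather than a hard-coded
          # /home/runner/work/<repo>/<repo>/ path that only matches one checkout.
          # The timestamp URL is plain HTTP, which is tolerable only because
          # RFC 3161 responses are themselves signed by the TSA.
          OPENSSL_CONF="$GITHUB_WORKSPACE/openssl-linux.conf" osslsigncode sign -v \
            -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" \
            -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" \
            -certs "$GITHUB_WORKSPACE/cert.pem" \
            -key 'pkcs11:object=key_464138416;type=private' \
            -in "test.dll" -out "test-signed.dll" \
            -h sha256 -t http://timestamp.digicert.com
        shell: bash

      - name: Verify with smctl
        # Verifies the signed output, not the unsigned input.
        run: |
          smctl sign verify --input "$GITHUB_WORKSPACE/test-signed.dll"
        shell: bash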