
[SEC-2913] Update action to fit the new code signing flow #60



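# Signs a test binary on Linux against a key pair held in DigiCert Secure Software
# Manager, using smctl, osslsigncode and jsign, and verifies the results.
#
# Secrets reach the shell scripts through `env:` and are read as `"$VAR"`; they are
# never substituted into the script text with `${{ secrets.* }}`, so a secret value
# containing shell metacharacters cannot change the commands that run.
name: digicert-signing-linux

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - main
      - "releases/*"

env:
  # Secure Software Manager connection; available to every step, including the
  # DigiCert action, without echoing secret values into $GITHUB_ENV.
  SM_HOST: ${{ secrets.SM_HOST }}
  SM_API_KEY: ${{ secrets.SM_API_KEY }}
  SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
  # Path the decoded client certificate is installed to in "Setup Certificate".
  SM_CLIENT_CERT_FILE: /d/cognite_code_signing_github_actions.p12
  # Key pair alias in Secure Software Manager, shared by every signing step.
  SM_KEYPAIR_ALIAS: key_464138416
  # Directory the DigiCert action unpacks smctl, smpkcs11.so and the PKCS#11 config into.
  SM_TOOLS_DIR: /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64

jobs:
  sign-with-linux:
    # The osslsigncode step below loads the OpenSSL 1.1 engine from engines-1.1/,
    # which is what this image ships; a newer image would need a different engine path.
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        # TODO(review): pin third-party actions to a full commit SHA instead of a tag.
        uses: actions/checkout@v3

      - name: Setup Certificate
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # Decode the base64 client certificate straight into its install location.
          echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode | sudo install -D /dev/stdin "$SM_CLIENT_CERT_FILE"
        shell: bash

      - name: Set variables
        id: variables
        run: |
          # Put the DigiCert tools on PATH for later steps; the SM_* values themselves
          # are set once at workflow level.
          echo "$SM_TOOLS_DIR" >> "$GITHUB_PATH"
        shell: bash

      - name: Install third-party required tools
        run: |
          # TODO(review): the jsign .deb is installed without integrity verification;
          # compare its SHA-256 with the value published for the release before dpkg runs.
          curl -fsSL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb
          sudo dpkg --install jsign_3.1_all.deb
          # Refresh the package index first; the image's cached index may be stale.
          sudo apt-get update
          sudo apt-get install -y osslsigncode libengine-pkcs11-openssl gnutls-bin xxd
        shell: bash
        # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode
        # - name: locate file
        #   run: |
        #     sudo find / -name "libpkcs11.so"

      - name: Code signing with Secure Software Manager
        # NOTE(review): this action reference is mangled in the source ("[email protected]"
        # looks like an e-mail-obfuscated `owner/action@ref`); restore the real
        # reference and pin it to a full commit SHA.
        uses: digicert/[email protected]
        env:
          # NOTE(review): for this step only, the .p12 path set at workflow level is
          # replaced by a secret value — confirm which form the action expects.
          SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }}

      - name: Set PKCS11 config
        run: |
          # Set only after the DigiCert action has unpacked the tools directory.
          echo "PKCS11_CONFIG=$SM_TOOLS_DIR/pkcs11properties.cfg" >> "$GITHUB_ENV"
        shell: bash

      - name: Working version of signing with osslcodesign
        run: |
          # Export the signing certificate next to the checkout, then sign through the
          # PKCS#11 engine; the private key never leaves Secure Software Manager.
          smctl cert save --keypair-alias="$SM_KEYPAIR_ALIAS" --name "cert.pem" --out "$GITHUB_WORKSPACE"
          osslsigncode sign -v \
            -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" \
            -pkcs11module "$SM_TOOLS_DIR/smpkcs11.so" \
            -certs "$GITHUB_WORKSPACE/cert.pem" \
            -key "pkcs11:object=${SM_KEYPAIR_ALIAS};type=private" \
            -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com
        shell: bash

      - name: Working version of signing with smctl Jsign
        env:
          CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
        run: |
          # Signs test.dll via smctl; presumably in place, since no output path is given.
          smctl sign -v --keypair-alias="$SM_KEYPAIR_ALIAS" --config-file="$SM_TOOLS_DIR/pkcs11properties.cfg" --fingerprint "$CODE_SIGNING_CERT_SHA1_HASH" --input "test.dll"
        shell: bash
        # I think this works
        # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll
        # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf"
        # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}"
        # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com
        # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}"
        # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll"
        # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com

      - name: Verify with smctl
        run: |
          # Both outputs are checked: the osslsigncode result and the smctl-signed file.
          osslsigncode verify -in "signed-test.dll"
          osslsigncode verify -in "test.dll"
        shell: bash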