[SEC-2913] Update action to fit the new code signing flow #79
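# GitHub Actions workflow: sign a Windows binary (test.dll) on a Linux runner with a
# DigiCert Software Trust Manager key exposed through smctl / PKCS#11, then check the
# resulting Authenticode signatures with osslsigncode.
name: digicert-signing-linux
on:
  pull_request:
  push:
    branches:
      - main
      - "releases/*"
jobs:
  sign-with-linux:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        # TODO(review): pin third-party actions to a full commit SHA instead of a
        # mutable tag so a moved tag cannot change what runs inside this signing job.
        uses: actions/checkout@v3
      - name: Setup Certificate
        # Decode the base64 client certificate (PKCS#12) from the secret straight into
        # its destination path; no intermediate plaintext copy is written to disk.
        run: |
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12
        shell: bash
      - name: Set variables
        id: variables
        # Export the Software Trust Manager connection settings to all later steps and
        # put the smtools directory (created by the DigiCert action below) on PATH.
        run: |
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
          echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> "$GITHUB_PATH"
        shell: bash
      - name: Install third-party required tools
        # TODO(review): the jsign .deb is downloaded from a release URL and installed
        # without any checksum or signature verification; pin an expected digest for
        # jsign_3.1_all.deb and check it (e.g. sha256sum -c) before dpkg --install.
        run: |
          curl -fsSL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb
          sudo dpkg --install jsign_3.1_all.deb
          sudo apt-get install -y osslsigncode libengine-pkcs11-openssl gnutls-bin xxd
        shell: bash
      # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode
      # - name: locate file
      #   run: |
      #     sudo find / -name "libpkcs11.so"
      - name: Code signing with Secure Software Manager
        # NOTE(review): the action reference below is garbled in this page view (it
        # renders like an obfuscated e-mail address); restore the real owner/repo@ref
        # and pin it to a full commit SHA.
        uses: digicert/[email protected]
        env:
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          # NOTE(review): this step-level value overrides the path exported to
          # GITHUB_ENV above (/d/cognite_code_signing_github_actions.p12) for this step
          # only — confirm the secret holds that same path, otherwise the DigiCert tool
          # setup and the signing steps disagree about where the client cert lives.
          SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }}
      - name: Set PKCS11 config
        # Point the PKCS#11 tooling at the properties file installed by the action above.
        run: |
          echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV"
        shell: bash
      - name: Working version of signing with osslcodesign
        env:
          GITHUB_WORKSPACE: ${{ github.workspace }}
        # Save the public certificate for the keypair into the workspace, then sign
        # test.dll through the OpenSSL PKCS#11 engine backed by DigiCert's module.
        # The -certs path is derived from the same --out directory used by
        # `smctl cert save` rather than a hard-coded runner home/repository path.
        run: |
          smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}"
          osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs "${{ env.GITHUB_WORKSPACE }}/cert.pem" -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com
        shell: bash
      - name: Working version of signing with smctl Jsign
        env:
          GITHUB_WORKSPACE: ${{ github.workspace }}
        # Signs via smctl, selecting the certificate by the SHA-1 fingerprint held in the
        # secret; no --output is given, so test.dll is presumably signed in place (the
        # verify step below checks test.dll directly).
        run: |
          smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll"
        shell: bash
      # I think this works
      # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll
      # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf"
      # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}"
      # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com
      # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}"
      # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll"
      # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com
      - name: Verify signatures with osslsigncode
        env:
          GITHUB_WORKSPACE: ${{ github.workspace }}
        # Both outputs are verified: signed-test.dll from the osslsigncode step and
        # test.dll from the smctl step. A failed verification fails the job.
        run: |
          osslsigncode verify -in "signed-test.dll"
          osslsigncode verify -in "test.dll"
        shell: bash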