* New certificate issued. * Connects to Digicert One platform to fetch the certificate necessary for signing. This composite action uses digicert/[email protected] to set up the runner environment for code signing. * The list of required secrets has changed to: CODE_SIGNING_CERT_HOST, CODE_SIGNING_CERT_HOST_API_KEY, CODE_SIGNING_CERT_SHA1_HASH, CODE_SIGNING_CLIENT_CERT, CODE_SIGNING_CLIENT_CERT_PASSWORD. * Removed -Recurse option because it is not needed anymore for recursive signing. * Updated documentation to reflect the use of the new action version v2.
1 parent
e567eb1
commit fad1c3d
Showing
6 changed files
with
146 additions
and
160 deletions.
@@ -1,20 +1,80 @@ | ||
name: 'Sign binary' | ||
description: 'Sign a binary using a code signing certificate' | ||
name: "Sign binary" | ||
description: "Sign a binary using a code signing certificate" | ||
inputs: | ||
path-to-binary: | ||
description: 'The folder that contains the files to sign' | ||
description: "The folder that contains the files to sign" | ||
required: true | ||
options: | ||
description: 'Use "-Recurse" to recursively search for files' | ||
required: false | ||
runs: | ||
using: 'composite' | ||
using: "composite" | ||
steps: | ||
- run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} | ||
- name: Setup Certificate Windows | ||
run: | | ||
echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 | ||
if: runner.os == 'Windows' | ||
shell: pwsh | ||
- run: | | ||
sudo apt install osslsigncode | ||
${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} | ||
shell: bash | ||
|
||
- name: Setup Certificate Linux | ||
run: | | ||
echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 | ||
if: runner.os == 'Linux' | ||
shell: bash | ||
|
||
- name: Set variables | ||
id: variables | ||
run: | | ||
echo "SM_HOST=${{ env.CERTIFICATE_HOST }}" >> "$GITHUB_ENV" | ||
echo "SM_API_KEY=${{ env.CERTIFICATE_HOST_API_KEY }}" >> "$GITHUB_ENV" | ||
echo "SM_CLIENT_CERT_PASSWORD=${{ env.CLIENT_CERTIFICATE_PASSWORD }}" >> "$GITHUB_ENV" | ||
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" | ||
if [ "${{ runner.os }}" == "Windows" ] | ||
then | ||
echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" | ||
elif [ "${{ runner.os }}" == "Linux" ] | ||
then | ||
echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" | ||
echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" | ||
echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH | ||
fi | ||
shell: bash | ||
|
||
- name: Code signing with Secure Software Manager | ||
uses: digicert/[email protected] | ||
env: | ||
SM_API_KEY: ${{ env.SM_API_KEY }} | ||
SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} | ||
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} | ||
|
||
- name: Sign with smctl Windows | ||
env: | ||
GITHUB_WORKSPACE: ${{ github.workspace }} | ||
run: | | ||
smctl windows certsync --keypair-alias="key_464138416" | ||
$file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" | ||
$files_to_sign = @() | ||
if (Test-Path -Path $file_path -PathType Leaf) { | ||
$files_to_sign = @([PSCustomObject]@{FullName = $file_path}) | ||
} | ||
else { | ||
Get-ChildItem -Path $file_path -File -Recurse | ||
$files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse) | ||
} | ||
foreach ( $f in $files_to_sign ) | ||
{ | ||
smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $f.FullName | ||
smctl sign verify --input $f.FullName | ||
} | ||
if: runner.os == 'Windows' | ||
shell: powershell | ||
|
||
|
||
- name: Sign with smctl Linux | ||
run: | | ||
curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb | ||
sudo dpkg --install jsign_3.1_all.deb | ||
file_path="${{ inputs.path-to-binary }}" | ||
for f in $(find $file_path -type f); do | ||
echo $f | ||
smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f" | ||
done | ||
if: runner.os == 'Linux' | ||
shell: bash |
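Review bot: `inputs.path-to-binary` is spliced verbatim into the PowerShell script of "Sign with smctl Windows" (`$file_path = "...\${{ inputs.path-to-binary }}"`) and into the bash script of "Sign with smctl Linux" (`file_path="${{ inputs.path-to-binary }}"`), so a caller-supplied value containing quotes, backticks or `$(...)` is executed by the signing shell rather than treated as a path; expose it through the step's `env:` block and read `$env:PATH_TO_BINARY` / `"$PATH_TO_BINARY"` instead. The Linux loop also relies on word-splitting of `$(find $file_path -type f)`, so any file whose path contains a space is skipped or passed to `smctl sign` in pieces, and unlike the Windows step it never runs `smctl sign verify` after signing (assuming that subcommand is available in the Linux tooling as well). The jsign `.deb` downloaded with `curl` is handed straight to `sudo dpkg --install` without any digest check, so a pinned checksum should be verified before installation. The rewrite below covers the Linux step only; the same `env:` indirection applies to the Windows step.
```yaml
      - name: Sign with smctl Linux
        env:
          PATH_TO_BINARY: ${{ inputs.path-to-binary }}
        run: |
          curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb
          # <EXPECTED_SHA256> is a placeholder: pin the digest of the 3.1 release asset here
          echo "<EXPECTED_SHA256>  jsign_3.1_all.deb" | sha256sum -c -
          sudo dpkg --install jsign_3.1_all.deb
          find "$PATH_TO_BINARY" -type f -print0 | while IFS= read -r -d '' f; do
            echo "$f"
            smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f"
            smctl sign verify --input "$f"
          done
        if: runner.os == 'Linux'
        shell: bash
```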
File renamed without changes.