From e28bf18c2be138147d48f5d9064ee7eeeb7d5720 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Tue, 1 Aug 2023 13:00:40 +0200 Subject: [PATCH 001/165] Trigger code signing action From f7676e1034600e7ae30012cfe5e23127a4dd4dc4 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Tue, 1 Aug 2023 13:25:13 +0200 Subject: [PATCH 002/165] Print certificate details --- sign.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/sign.ps1 b/sign.ps1 index 816f9ab1..87e59f60 100644 --- a/sign.ps1 +++ b/sign.ps1 @@ -11,6 +11,7 @@ Write-Output "Read certificate into a file" Write-Output "Import code signing certificate to Local Cert Store" Import-PfxCertificate -FilePath "C:\\Users\\runneradmin\\Documents\\cognite_code_signing.pfx" -Password (ConvertTo-SecureString -String $env:CERTIFICATE_PASSWORD -AsPlainText -Force) -Cert "Cert:\\LocalMachine\\My" +Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert $cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert | Where-Object {$_.Subject -Match "Cognite AS"})[0] if ($Recurse) { From 63b9411ee42e2a8b8c7726dbf79b1d4543e5db74 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Tue, 1 Aug 2023 13:36:25 +0200 Subject: [PATCH 003/165] Use updated action version --- .github/workflows/run-action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 51ae063f..68ee078c 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -24,7 +24,7 @@ jobs: env: CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + uses: cognitedata/code-sign-action/@v1.1 with: path-to-binary: 'files\wmp.dll' From 0b2e93878cf36aeaf17bb6c8665ebb1cc4e8afe2 Mon Sep 17 00:00:00 2001 
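Review bot: The added `Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert` line in sign.ps1 (PATCH 002) writes the default certificate listing into the job log with no label. PATCH 004 then widens it to every certificate in the machine store. If it stays as a diagnostic, limit it to the fields needed, e.g. `Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert | Select-Object Subject, Thumbprint, NotAfter`, and add a comment such as `# Diagnostic: show which signing certificates were imported`. The script continues outside the hunk.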
From: Bisera Milosheska Date: Tue, 1 Aug 2023 14:52:10 +0200 Subject: [PATCH 004/165] Get certificate information --- sign.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sign.ps1 b/sign.ps1 index 87e59f60..9f37a5d5 100644 --- a/sign.ps1 +++ b/sign.ps1 @@ -11,7 +11,7 @@ Write-Output "Read certificate into a file" Write-Output "Import code signing certificate to Local Cert Store" Import-PfxCertificate -FilePath "C:\\Users\\runneradmin\\Documents\\cognite_code_signing.pfx" -Password (ConvertTo-SecureString -String $env:CERTIFICATE_PASSWORD -AsPlainText -Force) -Cert "Cert:\\LocalMachine\\My" -Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert +Get-ChildItem -Path "Cert:\\LocalMachine\\My" $cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert | Where-Object {$_.Subject -Match "Cognite AS"})[0] if ($Recurse) { From 4c6a13b077953f441cc86886c23fdcca56930826 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Tue, 1 Aug 2023 15:53:13 +0200 Subject: [PATCH 005/165] Remove cert filtering --- .github/workflows/run-action.yaml | 4 ++-- sign.ps1 | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 68ee078c..5e13e152 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -24,7 +24,7 @@ jobs: env: CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.1 + uses: cognitedata/code-sign-action/@v1.12 with: path-to-binary: 'files\wmp.dll' @@ -32,7 +32,7 @@ jobs: env: CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + uses: cognitedata/code-sign-action/@v1.12 with: path-to-binary: 'files' options: '-Recurse' diff --git a/sign.ps1 b/sign.ps1 index 9f37a5d5..03c9f94e 100644 
--- a/sign.ps1 +++ b/sign.ps1 @@ -11,8 +11,7 @@ Write-Output "Read certificate into a file" Write-Output "Import code signing certificate to Local Cert Store" Import-PfxCertificate -FilePath "C:\\Users\\runneradmin\\Documents\\cognite_code_signing.pfx" -Password (ConvertTo-SecureString -String $env:CERTIFICATE_PASSWORD -AsPlainText -Force) -Cert "Cert:\\LocalMachine\\My" -Get-ChildItem -Path "Cert:\\LocalMachine\\My" -$cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert | Where-Object {$_.Subject -Match "Cognite AS"})[0] +$cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My")[0] if ($Recurse) { Write-Host "Sign all files in folder $PathToBinary" From 35bd4220cb51e7270feee4147f282a52b75f5783 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Tue, 1 Aug 2023 15:55:44 +0200 Subject: [PATCH 006/165] Use updated action version --- .github/workflows/run-action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 5e13e152..9733419d 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -24,7 +24,7 @@ jobs: env: CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.12 + uses: cognitedata/code-sign-action/@v1.13 with: path-to-binary: 'files\wmp.dll' @@ -32,7 +32,7 @@ jobs: env: CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.12 + uses: cognitedata/code-sign-action/@v1.13 with: path-to-binary: 'files' options: '-Recurse' From 1fb037947abab2590d6026726d9689b4ad8fb554 Mon Sep 17 00:00:00 2001 
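Review bot: `$cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My")[0]` signs with whichever certificate is listed first in the machine store. That need not be the PFX imported on the line above, need not have a code-signing EKU or a private key, and the index fails on an empty store. Select the certificate explicitly and fail closed: `$cert = Get-ChildItem -Path "Cert:\\LocalMachine\\My" -CodeSigningCert | Where-Object { $_.HasPrivateKey -and $_.Subject -match "Cognite AS" } | Select-Object -First 1`, followed by `if (-not $cert) { throw "Code signing certificate not found" }`. If the subject filter was dropped because the new certificate has a different subject (an inference from the commit title), a thumbprint passed in as configuration is the more robust selector. The `if ($Recurse)` block continues outside the hunk.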
From: Bisera Milosheska Date: Wed, 2 Aug 2023 09:55:14 +0200 Subject: [PATCH 007/165] Test Digicert code signing --- .github/workflows/digicert-signing.yaml | 56 +++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/digicert-signing.yaml diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml new file mode 100644 index 00000000..b94f1d8e --- /dev/null +++ b/.github/workflows/digicert-signing.yaml 
@@ -0,0 +1,56 @@ +name: digicert-signing +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + sign: + runs-on: windows-2022 + steps: + - name: Copy libraries + shell: cmd + run: | + dir + mkdir files + copy C:\Windows\System32\wmp.dll files + cd files + mkdir subdirectory + copy C:\Windows\System32\wmp.dll subdirectory + + - name: Setup Certificate + run: | + echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + cat /d/Certificate_pkcs12.p12 + shell: bash + + - name: Set variables + id: variables + run: | + echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH + shell: bash + +# - name: Setup SSM KSP on windows latest +# run: | +# curl -X GET https://stage.one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi +# msiexec /i smtools-windows-x64.msi /quiet /qn +# smksp_registrar.exe list +# smctl.exe keypair ls +# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user +# smksp_cert_sync.exe +# shell: cmd + + - name: Signing using Signtool + run: | + signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + + signtool.exe verify /v /pa 'files\wmp.dll' From fdc492589d0d209e9c6ce8c2b70107b74d17bf19 Mon Sep 17 00:00:00 2001 
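Review bot: `cat /d/Certificate_pkcs12.p12` in the "Setup Certificate" step writes the decoded PKCS#12 client certificate into the job log. Log masking matches the registered secret string (here the base64 text), so the decoded bytes should not be expected to be redacted. Delete that line; if a sanity check is wanted, print only the size, e.g. `wc -c < /d/Certificate_pkcs12.p12`. The workflow also triggers on `pull_request`, so any run that had the secret available would have logged it. Treat the client certificate as exposed and rotate it if this version ever ran.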
From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:08:59 +0200 Subject: [PATCH 008/165] Add SM_CODE_SIGNING_CERT_SHA1_HASH to env vars --- .github/workflows/digicert-signing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index b94f1d8e..99b8642d 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -34,6 +34,7 @@ jobs: echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH From e5b19b1e431af0e9fdc93fc58572f678a9f60ccd Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:15:16 +0200 Subject: [PATCH 009/165] Setup SSM KSP on windows latest --- .github/workflows/digicert-signing.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 99b8642d..62501aec 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
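Review bot: Appending `SM_CODE_SIGNING_CERT_SHA1_HASH` to `$GITHUB_ENV`, as the context lines already do for `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD`, puts the value in the environment of every later step in the job, including third-party actions, not just the step that signs. Scope these values with a step-level `env:` block on the signing step, e.g. `SM_API_KEY: ${{ secrets.SM_API_KEY }}`, and read them from the environment there. Writing `${{ secrets.* }}` into the script text also means a value containing a quote or newline changes the command that runs; the `env:` form avoids that. The "Set variables" step begins outside the hunk.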
@@ -40,15 +40,15 @@ jobs: echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH shell: bash -# - name: Setup SSM KSP on windows latest -# run: | -# curl -X GET https://stage.one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi -# msiexec /i smtools-windows-x64.msi /quiet /qn -# smksp_registrar.exe list -# smctl.exe keypair ls -# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user -# smksp_cert_sync.exe -# shell: cmd + - name: Setup SSM KSP on windows latest + run: | + curl -X GET https://stage.one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi + msiexec /i smtools-windows-x64.msi /quiet /qn + smksp_registrar.exe list + smctl.exe keypair ls + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + smksp_cert_sync.exe + shell: cmd - name: Signing using Signtool run: | From d7eecce601f9b833ed78f91144c2083b857dea3f Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:35:54 +0200 Subject: [PATCH 010/165] Fix download URL --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 62501aec..e6b8de78 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
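Review bot: The re-enabled "Setup SSM KSP" step runs `msiexec /i smtools-windows-x64.msi /quiet /qn` straight after the download, with no check of the file's publisher signature or a pinned checksum, on the runner that then holds the signing credentials. Add a verification line between download and install, for example `powershell -Command "if ((Get-AuthenticodeSignature smtools-windows-x64.msi).Status -ne 'Valid') { exit 1 }" || exit /b 1`, ideally also comparing the signer subject with the expected publisher. The URL points at `stage.one.digicert.com`; confirm that a staging host is intended for tooling that handles production keys. The same unverified install remains after the URL change in PATCH 010.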
@@ -42,8 +42,8 @@ jobs: - name: Setup SSM KSP on windows latest run: | - curl -X GET https://stage.one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi - msiexec /i smtools-windows-x64.msi /quiet /qn + curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download?account_id=fb0b6868-dfb5-4cf0-a33b-3e7b852a9b62 -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi + msiexec /i Keylockertools-windows-x64.msi /quiet /qn smksp_registrar.exe list smctl.exe keypair ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user From 7514a0460776426f396a20e0986de6b98c143565 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:50:04 +0200 Subject: [PATCH 011/165] Remove nonexisting binaries --- .github/workflows/digicert-signing.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index e6b8de78..46299fb3 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -44,10 +44,7 @@ jobs: run: | curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download?account_id=fb0b6868-dfb5-4cf0-a33b-3e7b852a9b62 -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi msiexec /i Keylockertools-windows-x64.msi /quiet /qn - smksp_registrar.exe list - smctl.exe keypair ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user - smksp_cert_sync.exe shell: cmd - name: Signing using Signtool From 39d08ef290bd0384af41ef39ba4c266fdbe7c632 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:53:27 +0200 Subject: [PATCH 012/165] Use Digicert GH action --- .github/workflows/digicert-signing.yaml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) 
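Review bot: The `curl -X GET ...` line has no `--fail`, so an HTTP error response (wrong URL, rejected API key) is saved as `Keylockertools-windows-x64.msi` and the step carries on to `msiexec`. Adding `--fail --silent --show-error` and a trailing `|| exit /b 1`, and putting the URL in double quotes, makes a bad download stop the job. The `account_id` value is now committed in the workflow file; consider supplying it through a repository variable or secret so the URL is not tied to one tenant. The step continues outside the hunk.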
diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 46299fb3..eb6beb1c 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -40,12 +40,19 @@ jobs: echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH shell: bash - - name: Setup SSM KSP on windows latest - run: | - curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download?account_id=fb0b6868-dfb5-4cf0-a33b-3e7b852a9b62 -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi - msiexec /i Keylockertools-windows-x64.msi /quiet /qn - C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user - shell: cmd + - name: Code signing with Secure Software Manager + uses: digicert/ssm-code-signing@latest-version + env: + SM_API_KEY: ${{secrets.SM_API_KEY}} + SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} + SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} + +# - name: Setup SSM KSP on windows latest +# run: | +# curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download?account_id=fb0b6868-dfb5-4cf0-a33b-3e7b852a9b62 -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi +# msiexec /i Keylockertools-windows-x64.msi /quiet /qn +# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user +# shell: cmd - name: Signing using Signtool run: | From e0fa2e06e61742f7a8ffa7c5950e81c8529bd204 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 10:55:06 +0200 Subject: [PATCH 013/165] Specify version --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index eb6beb1c..6c362666 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
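Review bot: `uses: digicert/ssm-code-signing@latest-version` runs third-party code by a movable ref in a step that receives `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD`. Pin the action to a full commit SHA, `uses: digicert/ssm-code-signing@<full-commit-sha>`; the tag pin that follows in PATCH 013 can still be moved. The step also sets `SM_CLIENT_CERT_FILE` from `secrets.SM_CLIENT_CERT_FILE`, while the earlier steps use a secret named `SM_CLIENT_CERT_FILE_B64` and export the path `D:\\Certificate_pkcs12.p12`. If no secret of that name exists, the step-level value would be empty and override the exported path, so this line should probably be dropped or set to the file path.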
@@ -41,7 +41,7 @@ jobs: shell: bash - name: Code signing with Secure Software Manager - uses: digicert/ssm-code-signing@latest-version + uses: digicert/ssm-code-signing@v0.0.2 env: SM_API_KEY: ${{secrets.SM_API_KEY}} SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} From 4da2e34b2c4748e93c7740fd5799ff484943dcc9 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:07:25 +0200 Subject: [PATCH 014/165] Try to list key pairs --- .github/workflows/digicert-signing.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 6c362666..8cb7975c 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -47,12 +47,13 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} -# - name: Setup SSM KSP on windows latest -# run: | -# curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download?account_id=fb0b6868-dfb5-4cf0-a33b-3e7b852a9b62 -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi -# msiexec /i Keylockertools-windows-x64.msi /quiet /qn -# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user -# shell: cmd + - name: Setup SSM KSP on windows latest + run: | + smksp_registrar.exe list + smctl.exe keypair ls + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + smksp_cert_sync.exe + shell: cmd - name: Signing using Signtool run: | From 10fce1141ef220b589b5cc399554d29c69028a95 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:15:51 +0200 Subject: [PATCH 015/165] Try signing with smctl --- .github/workflows/digicert-signing.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
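Review bot: With `shell: cmd`, the re-enabled "Setup SSM KSP" step (PATCH 014) reports only the exit status of its last command. A failing `smksp_registrar.exe list`, `smctl.exe keypair ls` or `certutil.exe` call does not fail the job as long as `smksp_cert_sync.exe` succeeds. Append `|| exit /b 1` to each command that must succeed, or run the step under PowerShell and check `$LASTEXITCODE` after each call. This matters more once the signing commands are moved into this step in PATCH 022.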
diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 8cb7975c..3426fe5f 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -29,7 +29,6 @@ jobs: - name: Set variables id: variables run: | - echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" @@ -55,8 +54,11 @@ jobs: smksp_cert_sync.exe shell: cmd - - name: Signing using Signtool - run: | - signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + - name: Signing using smctl + run: | + smctl.exe windows certsync --keypair-alias='key_464138416' + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' + smctl.exe sign verify --input 'files\wmp.dll' - signtool.exe verify /v /pa 'files\wmp.dll' +# signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' +# signtool.exe verify /v /pa 'files\wmp.dll' From e647c3c8f78a64f01ac2826ac36dd95bdc71dae9 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:18:58 +0200 Subject: [PATCH 016/165] Remove keypair sync --- .github/workflows/digicert-signing.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 3426fe5f..1d6aaef8 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
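Review bot: In the new "Signing using smctl" step the fingerprint is pasted into the command text with `${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}`, although the "Set variables" step already exports the same value. Reading it from the environment keeps expression expansion out of the script: `smctl.exe sign --fingerprint $env:SM_CODE_SIGNING_CERT_SHA1_HASH --input 'files\wmp.dll'`. The step has no `shell:` key, so it runs under the runner's default Windows shell rather than `cmd` like the step before it; stating the shell explicitly avoids quoting surprises with `--keypair-alias='key_464138416'`. The key pair alias is hard-coded, so a short comment saying which key it names, or a workflow-level `env` entry, would help the next maintainer.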
@@ -56,7 +56,6 @@ jobs: - name: Signing using smctl run: | - smctl.exe windows certsync --keypair-alias='key_464138416' smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' smctl.exe sign verify --input 'files\wmp.dll' From 53cbcde4a65dcca5cdda914730d754032ab9df2e Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:22:30 +0200 Subject: [PATCH 017/165] Readd keypair sync --- .github/workflows/digicert-signing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 1d6aaef8..965cd85a 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -56,6 +56,7 @@ jobs: - name: Signing using smctl run: | + smctl.exe windows certsync --keypair-alias=key_464138416 smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' smctl.exe sign verify --input 'files\wmp.dll' From 7a1f45c8bbd53d69150996c7102aa13a301f99bd Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:30:06 +0200 Subject: [PATCH 018/165] List keypairs --- .github/workflows/digicert-signing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 965cd85a..f5a35078 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -56,6 +56,7 @@ jobs: - name: Signing using smctl run: | + smctl.exe keypair list smctl.exe windows certsync --keypair-alias=key_464138416 smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' smctl.exe sign verify --input 'files\wmp.dll' From 13ec9fbe4793e2abb603ecb0e34fb186d12233fe Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 11:30:26 +0200 Subject: [PATCH 019/165] Include healthcheck --- .github/workflows/digicert-signing.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index f5a35078..8499133a 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -56,6 +56,7 @@ jobs: - name: Signing using smctl run: | + smctl.exe healthcheck smctl.exe keypair list smctl.exe windows certsync --keypair-alias=key_464138416 smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' From f3d36f845dd9871338f58c9307dbfee5dc526b1f Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 12:42:36 +0200 Subject: [PATCH 020/165] Use signtol with debug --- .github/workflows/digicert-signing.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 8499133a..6faf766b 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -56,11 +56,10 @@ jobs: - name: Signing using smctl run: | - smctl.exe healthcheck - smctl.exe keypair list - smctl.exe windows certsync --keypair-alias=key_464138416 - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' - smctl.exe sign verify --input 'files\wmp.dll' - -# signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' -# signtool.exe verify /v /pa 'files\wmp.dll' +# smctl.exe healthcheck +# smctl.exe keypair list +# smctl.exe windows certsync --keypair-alias=key_464138416 +# smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' +# smctl.exe sign verify --input 'files\wmp.dll' + signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + signtool.exe verify /v /pa 'files\wmp.dll' From 29eafe976bef42f92f312bcd84a4db22dd2e4ecd Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 12:43:47 +0200 Subject: [PATCH 021/165] Use signtol with debug --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 6faf766b..fd068190 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -56,10 +56,10 @@ jobs: - name: Signing using smctl run: | + signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + signtool.exe verify /v /pa 'files\wmp.dll' # smctl.exe healthcheck # smctl.exe keypair list # smctl.exe windows certsync --keypair-alias=key_464138416 # smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' # smctl.exe sign verify --input 'files\wmp.dll' - signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' - signtool.exe verify /v /pa 'files\wmp.dll' From f74a504393735eb0e57e4aa7b01b43c00aeebd5a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 12:50:57 +0200 Subject: [PATCH 022/165] Move smctl block --- .github/workflows/digicert-signing.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index fd068190..20068b91 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -52,14 +52,14 @@ jobs: smctl.exe keypair ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user smksp_cert_sync.exe + smctl.exe healthcheck + smctl.exe keypair list + smctl.exe windows certsync --keypair-alias=key_464138416 + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' + smctl.exe sign verify --input 'files\wmp.dll' shell: cmd - name: Signing using smctl run: | signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' signtool.exe verify /v /pa 'files\wmp.dll' -# smctl.exe healthcheck -# smctl.exe keypair list -# smctl.exe windows certsync --keypair-alias=key_464138416 -# smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' -# smctl.exe sign verify --input 'files\wmp.dll' From 86ac68349a85eaa3ee714605bfa1c150e73532f3 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:19:32 +0200 Subject: [PATCH 023/165] List certificates --- .github/workflows/digicert-signing.yaml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 20068b91..dacab6b0 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
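Review bot: The `smctl.exe sign` and `smctl.exe sign verify` lines now sit in a `shell: cmd` step, where single quotes are not quoting characters, so `--input 'files\wmp.dll'` passes the apostrophes to smctl as part of the path. Use double quotes and the exported variable: `smctl.exe sign --fingerprint %SM_CODE_SIGNING_CERT_SHA1_HASH% --input "files\wmp.dll"` and `smctl.exe sign verify --input "files\wmp.dll"`. Only the last command's exit status decides the step result under cmd, so add `|| exit /b 1` after the sign command as well.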
@@ -22,20 +22,19 @@ jobs: - name: Setup Certificate run: | - echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 - cat /d/Certificate_pkcs12.p12 + echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 shell: bash - name: Set variables id: variables run: | - echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" - echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" - echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH - echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH shell: bash 
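Review bot: The decoded client certificate is written to the drive root as `/d/cognite_code_signing_github_actions.p12`, and no visible step removes it. Write it under `"$RUNNER_TEMP"`, which the runner clears at the end of the job, and pass the base64 text through a step-level `env:` entry instead of `echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}"`, so the key material stays out of the script text. For example (file name illustrative): `printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > "$RUNNER_TEMP/client_cert.p12"`. `SM_CLIENT_CERT_FILE` in the following step would then need the matching path.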
@@ -49,12 +48,12 @@ jobs: - name: Setup SSM KSP on windows latest run: | smksp_registrar.exe list - smctl.exe keypair ls C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user smksp_cert_sync.exe smctl.exe healthcheck - smctl.exe keypair list - smctl.exe windows certsync --keypair-alias=key_464138416 + smctl.exe certificate list + smctl.exe keypair ls + smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' smctl.exe sign verify --input 'files\wmp.dll' shell: cmd From 5ab1e56cb2ee713f0a888799790e2c9cf895418c Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:19:49 +0200 Subject: [PATCH 024/165] List certificates --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index dacab6b0..99d5eee1 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -51,7 +51,7 @@ jobs: C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user smksp_cert_sync.exe smctl.exe healthcheck - smctl.exe certificate list + smctl.exe certificate list smctl.exe keypair ls smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' From 7dbf4baf56544cd52a5c2b52410941e49c8bfc1d Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:32:01 +0200 Subject: [PATCH 025/165] Remove KSP --- .github/workflows/digicert-signing.yaml | 26 ++++++++----------------- 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 99d5eee1..06cc6cf5 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -10,16 +10,6 @@ jobs: sign: runs-on: windows-2022 steps: - - name: Copy libraries - shell: cmd - run: | - dir - mkdir files - copy C:\Windows\System32\wmp.dll files - cd files - mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory - - name: Setup Certificate run: | echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 @@ -45,20 +35,20 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - - name: Setup SSM KSP on windows latest + - name: Signing with smctl run: | - smksp_registrar.exe list - C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user - smksp_cert_sync.exe +# smksp_registrar.exe list +# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user +# smksp_cert_sync.exe smctl.exe healthcheck smctl.exe certificate list smctl.exe keypair ls smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' - smctl.exe sign verify --input 'files\wmp.dll' + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'test.dll' + smctl.exe sign verify --input 'test.dll' shell: cmd - - name: Signing using smctl + - name: Signing using SignTool run: | - signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'test.dll' signtool.exe verify /v /pa 'files\wmp.dll' From cdb98d50c6d4d7c13698b3cb24c6c80f72f3f06f Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:32:55 +0200 Subject: [PATCH 026/165] Remove KSP --- .github/workflows/digicert-signing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
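Review bot: In the "Signing using SignTool" step, `signtool.exe sign ... 'test.dll'` signs one file while the next line still runs `signtool.exe verify /v /pa 'files\wmp.dll'`. The "Copy libraries" step that created `files\wmp.dll` is removed in the same commit, so the verification no longer checks the file that was signed. Point both commands at the same path, e.g. `signtool.exe verify /v /pa 'test.dll'`. The mismatch is still present after PATCH 027 changes the sign target to `'files\test.dll'`.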
diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 06cc6cf5..45b8b328 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -37,15 +37,15 @@ jobs: - name: Signing with smctl run: | -# smksp_registrar.exe list -# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user -# smksp_cert_sync.exe smctl.exe healthcheck smctl.exe certificate list smctl.exe keypair ls smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'test.dll' smctl.exe sign verify --input 'test.dll' +# smksp_registrar.exe list +# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user +# smksp_cert_sync.exe shell: cmd - name: Signing using SignTool From 6d30c2ff819d104ebfc6436319517d2e3dc52ec2 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:46:51 +0200 Subject: [PATCH 027/165] Copy test .dll --- .github/workflows/digicert-signing.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 45b8b328..9ea69b85 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -10,6 +10,15 @@ jobs: sign: runs-on: windows-2022 steps: + - name: Copy libraries + run: | + ls + mkdir files + wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll + cd files + mkdir subdirectory + cp test.dll subdirectory + - name: Setup Certificate run: | echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 
@@ -41,8 +50,8 @@ jobs: smctl.exe certificate list smctl.exe keypair ls smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'test.dll' - smctl.exe sign verify --input 'test.dll' + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\test.dll' + smctl.exe sign verify --input 'files\test.dll' # smksp_registrar.exe list # C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user # smksp_cert_sync.exe @@ -50,5 +59,5 @@ jobs: - name: Signing using SignTool run: | - signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'test.dll' + signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\test.dll' signtool.exe verify /v /pa 'files\wmp.dll' From 640a7dec640fed8f5ae5548cbc0a70af3c56d07c Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 13:49:57 +0200 Subject: [PATCH 028/165] Copy test .dll --- .github/workflows/digicert-signing.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 9ea69b85..57f44934 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -11,13 +11,14 @@ jobs: runs-on: windows-2022 steps: - name: Copy libraries + shell: cmd run: | - ls + dir mkdir files - wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll + copy C:\Windows\System32\wmp.dll files\test.dll cd files mkdir subdirectory - cp test.dll subdirectory + copy C:\Windows\System32\wmp.dll subdirectory\test.dll - name: Setup Certificate run: | From 5dec3d40c68ab66f7261c65506fee43c1e911dcd Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:15:52 +0200 Subject: [PATCH 029/165] Refactor --- .github/workflows/digicert-signing.yaml | 18 +++++++++--------- .github/workflows/run-action.yaml | 14 +++++++++----- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 57f44934..5e1d2282 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -15,10 +15,10 @@ jobs: run: | dir mkdir files - copy C:\Windows\System32\wmp.dll files\test.dll + copy test.dll files cd files mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory\test.dll + copy test.dll subdirectory - name: Setup Certificate run: | @@ -29,10 +29,10 @@ jobs: id: variables run: | echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" - echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" +# echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" - echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" +# echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" +# echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH 
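Review bot: The commented-out `echo` lines in the `Set variables` hunk (`@@ -29,10 +29,10 @@`) sit between live lines of the `run: |` block, and in this rendering the `#` follows the `+` marker directly, which suggests they start at column 0. A line indented less than the block scalar's content ends the scalar, so the `echo` lines after the first `#` would no longer belong to the script and the workflow would likely fail to parse. If the indentation is as it appears, either delete the lines or indent the `#` to the same column as the surrounding `echo` lines. The `Signing with smctl` hunk of this patch (`@@ -47,10 +47,10 @@`) and the same step in patch 025 show the same pattern; that step uses `shell: cmd`, where an indented comment needs `rem` rather than `#`.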
@@ -47,10 +47,10 @@ jobs: - name: Signing with smctl run: | - smctl.exe healthcheck - smctl.exe certificate list - smctl.exe keypair ls - smctl.exe windows certsync --keypair-alias="key_464138416" +# smctl.exe healthcheck +# smctl.exe certificate list +# smctl.exe keypair ls +# smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\test.dll' smctl.exe sign verify --input 'files\test.dll' # smksp_registrar.exe list diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 9733419d..ef0a902c 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -10,15 +10,18 @@ jobs: run-action: runs-on: windows-2022 steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Copy libraries shell: cmd run: | dir mkdir files - copy C:\Windows\System32\wmp.dll files + copy test.dll files cd files mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory + copy test.dll subdirectory - name: Run the action for a single binary env: @@ -41,13 +44,14 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Copy libraries + shell: cmd run: | - ls + dir mkdir files - wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll + copy test.dll files cd files mkdir subdirectory - cp test.dll subdirectory + copy test.dll subdirectory - name: Run the action for a single binary env: From 93c55c261868ef4091cccb7eec562296c9017b62 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:17:06 +0200 Subject: [PATCH 030/165] Refactor --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 5e1d2282..cf5ea2e1 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
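Review bot: The `run-action.yaml` hunk `@@ -41,13 +44,14 @@` adds `shell: cmd` with `dir` and `copy` to a job whose context line reads `runs-on: ubuntu-22.04`; `cmd` is not available on a Linux runner, so the step cannot start. It also copies `test.dll` from the working directory, but only the `run-action` job in the previous hunk gains a `Checkout` step; from what is visible this job has none, so the file would be missing. Keep the default shell here, add the same `Checkout` step, and use `cp test.dll files/`. The job's header and remaining steps lie outside the hunk.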
@@ -47,12 +47,12 @@ jobs: - name: Signing with smctl run: | + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\test.dll' + smctl.exe sign verify --input 'files\test.dll' # smctl.exe healthcheck # smctl.exe certificate list # smctl.exe keypair ls # smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\test.dll' - smctl.exe sign verify --input 'files\test.dll' # smksp_registrar.exe list # C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user # smksp_cert_sync.exe From 4af17075e5e156830d7b0ef85e6be08031ff551b Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:19:14 +0200 Subject: [PATCH 031/165] Refactor --- .github/workflows/digicert-signing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index cf5ea2e1..9ef80dc6 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -29,13 +29,13 @@ jobs: id: variables run: | echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" -# echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" -# echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" -# echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH +# echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" +# echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" +# echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash - name: Code signing with Secure Software Manager From ad58ec3982c59c1663fa1b440efbeaf4617fbbeb Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:23:47 +0200 Subject: [PATCH 032/165] Fix file copying --- .github/workflows/digicert-signing.yaml | 4 ++-- .github/workflows/run-action.yaml | 14 +++++--------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 9ef80dc6..87b4d234 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -15,10 +15,10 @@ jobs: run: | dir mkdir files - copy test.dll files + copy C:\Windows\System32\wmp.dll files cd files mkdir subdirectory - copy test.dll subdirectory + copy C:\Windows\System32\wmp.dll subdirectory - name: Setup Certificate run: | diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index ef0a902c..9733419d 100644 --- a/.github/workflows/run-action.yaml 
+++ b/.github/workflows/run-action.yaml @@ -10,18 +10,15 @@ jobs: run-action: runs-on: windows-2022 steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Copy libraries shell: cmd run: | dir mkdir files - copy test.dll files + copy C:\Windows\System32\wmp.dll files cd files mkdir subdirectory - copy test.dll subdirectory + copy C:\Windows\System32\wmp.dll subdirectory - name: Run the action for a single binary env: @@ -44,14 +41,13 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Copy libraries - shell: cmd run: | - dir + ls mkdir files - copy test.dll files + wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll cd files mkdir subdirectory - copy test.dll subdirectory + cp test.dll subdirectory - name: Run the action for a single binary env: From 72d506688096859d33f88bd2a542f51fab6b6045 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:26:44 +0200 Subject: [PATCH 033/165] Readd SM_API_KEY to env vars --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 87b4d234..3cfda5c5 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -33,7 +33,7 @@ jobs: echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH -# echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" # echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" # echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash 
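Review bot: The re-added line `echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"` in hunk `@@ -33,7 +33,7 @@` (patch 033) persists the API key into the environment of every later step in the job, including any `uses:` action steps, rather than only the step that needs it. The `${{ }}` expression is also substituted into the script text before bash runs, so a value containing quotes or `$(` would change the script. Prefer a step-level `env:` entry on the signing step, `SM_API_KEY: ${{ secrets.SM_API_KEY }}`, and drop the `echo`. Patch 036 restores the same pattern for `SM_CLIENT_CERT_PASSWORD` and `SM_CODE_SIGNING_CERT_SHA1_HASH`.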
From e36e90afb1ef4d5e292f91e7b9f5f2b33c8c6e36 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:29:40 +0200 Subject: [PATCH 034/165] Change name of binary to be signed --- .github/workflows/digicert-signing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 3cfda5c5..eab88160 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -47,8 +47,8 @@ jobs: - name: Signing with smctl run: | - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\test.dll' - smctl.exe sign verify --input 'files\test.dll' + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' + smctl.exe sign verify --input 'files\wmp.dll' # smctl.exe healthcheck # smctl.exe certificate list # smctl.exe keypair ls @@ -60,5 +60,5 @@ jobs: - name: Signing using SignTool run: | - signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\test.dll' + signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' signtool.exe verify /v /pa 'files\wmp.dll' From cdf680811ba94976f771bd7c963a3e40f2a3c67f Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:40:20 +0200 Subject: [PATCH 035/165] Trigger code signing action From f006264e5a3ba51690b612edbada5f7eb7396622 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:47:22 +0200 Subject: [PATCH 036/165] Revert to old working workflow --- .github/workflows/digicert-signing.yaml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index eab88160..156004ff 100644 
--- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -19,7 +19,6 @@ jobs: cd files mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory - - name: Setup Certificate run: | echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 @@ -27,15 +26,15 @@ jobs: - name: Set variables id: variables - run: | + run: | echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH - echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" -# echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" -# echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash - name: Code signing with Secure Software Manager 
@@ -45,17 +44,17 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - - name: Signing with smctl + - name: Setup SSM KSP on windows latest run: | + smksp_registrar.exe list + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + smksp_cert_sync.exe + smctl.exe healthcheck + smctl.exe certificate list + smctl.exe keypair ls + smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' smctl.exe sign verify --input 'files\wmp.dll' -# smctl.exe healthcheck -# smctl.exe certificate list -# smctl.exe keypair ls -# smctl.exe windows certsync --keypair-alias="key_464138416" -# smksp_registrar.exe list -# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user -# smksp_cert_sync.exe shell: cmd - name: Signing using SignTool From 3bda13ab7f037ab9dd8fb242fdda9ba490300733 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:50:45 +0200 Subject: [PATCH 037/165] Remove smctl --- .github/workflows/digicert-signing.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 156004ff..a50e959c 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -44,18 +44,18 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - - name: Setup SSM KSP on windows latest - run: | - smksp_registrar.exe list - C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user - smksp_cert_sync.exe - smctl.exe healthcheck - smctl.exe certificate list - smctl.exe keypair ls - smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' - smctl.exe sign verify --input 'files\wmp.dll' - shell: cmd +# - name: Setup SSM KSP on windows latest +# run: | +# smksp_registrar.exe list +# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user +# smksp_cert_sync.exe +# smctl.exe healthcheck +# smctl.exe certificate list +# smctl.exe keypair ls +# smctl.exe windows certsync --keypair-alias="key_464138416" +# smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' +# smctl.exe sign verify --input 'files\wmp.dll' +# shell: cmd - name: Signing using SignTool run: | From c7a4b7d542c9c5a70f3e39ea5fc6acbcb018f517 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:55:06 +0200 Subject: [PATCH 038/165] Sync certificate --- .github/workflows/digicert-signing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index a50e959c..f2a0b5ed 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -44,15 +44,15 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} -# - name: Setup SSM KSP on windows latest -# run: | + - name: Sync certificate + run: | + smctl.exe windows certsync --keypair-alias="key_464138416" # smksp_registrar.exe list # C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user # smksp_cert_sync.exe # smctl.exe healthcheck # smctl.exe certificate list # smctl.exe keypair ls -# smctl.exe windows certsync --keypair-alias="key_464138416" # smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' # smctl.exe sign verify --input 'files\wmp.dll' # shell: cmd From 19f462f36af3511ea32615b2fa466dd41e028396 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 14:55:34 +0200 Subject: [PATCH 039/165] Sync certificate --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index f2a0b5ed..454f2df9 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -47,6 +47,7 @@ jobs: - name: Sync certificate run: | smctl.exe windows certsync --keypair-alias="key_464138416" + shell: cmd # smksp_registrar.exe list # C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user # smksp_cert_sync.exe @@ -55,7 +56,6 @@ jobs: # smctl.exe keypair ls # smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' # smctl.exe sign verify --input 'files\wmp.dll' -# shell: cmd - name: Signing using SignTool run: | From 13949b92a179f635e92bcce359172e24e8bad896 Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:03:53 +0200 Subject: [PATCH 040/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 454f2df9..1e73f9fd 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -27,6 +27,7 @@ jobs: - name: Set variables id: variables run: | + echo "GITHUB_WORKSPACE=${{ github.workspace }}" >> "$GITHUB_ENV" echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" @@ -46,16 +47,10 @@ jobs: - name: Sync certificate run: | - smctl.exe windows certsync --keypair-alias="key_464138416" + smctl.exe windows certsync --keypair-alias="key_464138416" + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${GITHUB_WORKSPACE}\files\wmp.dll" + smctl.exe sign verify --input "${GITHUB_WORKSPACE}\wmp.dll" shell: cmd -# smksp_registrar.exe list -# C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user -# smksp_cert_sync.exe -# smctl.exe healthcheck -# smctl.exe certificate list -# smctl.exe keypair ls -# smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input 'files\wmp.dll' -# smctl.exe sign verify --input 'files\wmp.dll' - name: Signing using SignTool run: | From b77ad6b7e9109c8c774b304cd5e03f325218944d Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:08:04 +0200 Subject: [PATCH 041/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 1e73f9fd..1d22123d 100644 
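Review bot: The signing step in hunk `@@ -46,16 +47,10 @@` runs under `shell: cmd`, which does not expand `${GITHUB_WORKSPACE}`, so the path reaches `smctl.exe` as literal text. In cmd the variable is written `%GITHUB_WORKSPACE%`, e.g. `--input "%GITHUB_WORKSPACE%\files\wmp.dll"`. The verify line also drops the `files\` segment (`"${GITHUB_WORKSPACE}\wmp.dll"`), so it would check a different path from the one that was signed. `GITHUB_WORKSPACE` is a default runner variable, so the `echo "GITHUB_WORKSPACE=..." >> "$GITHUB_ENV"` line added in the first hunk should not be needed. The `$GITHUB_WORKSPACE` form in patch 041 has the same cmd problem.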
--- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -48,8 +48,8 @@ jobs: - name: Sync certificate run: | smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${GITHUB_WORKSPACE}\files\wmp.dll" - smctl.exe sign verify --input "${GITHUB_WORKSPACE}\wmp.dll" + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$GITHUB_WORKSPACE\files\wmp.dll" + smctl.exe sign verify --input "$GITHUB_WORKSPACE\wmp.dll" shell: cmd - name: Signing using SignTool From 0b89c6b79927bcd38c1abdae41fe82f3d31c305c Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:14:10 +0200 Subject: [PATCH 042/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 1d22123d..df7e8316 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -27,7 +27,6 @@ jobs: - name: Set variables id: variables run: | - echo "GITHUB_WORKSPACE=${{ github.workspace }}" >> "$GITHUB_ENV" echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" @@ -46,6 +45,7 @@ jobs: SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - name: Sync certificate + env: GITHUB_WORKSPACE=${{ github.workspace }} run: | smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$GITHUB_WORKSPACE\files\wmp.dll" From c636049662666a29118778431e746827bdb17d05 Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:16:22 +0200 Subject: [PATCH 043/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index df7e8316..0d2533f8 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -45,7 +45,8 @@ jobs: SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - name: Sync certificate - env: GITHUB_WORKSPACE=${{ github.workspace }} + env: + GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$GITHUB_WORKSPACE\files\wmp.dll" From 1426f2426b1cc0c606edcaa84b1418b67e5e5da4 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:18:49 +0200 Subject: [PATCH 044/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 0d2533f8..0bbbd7c8 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -49,8 +49,8 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$GITHUB_WORKSPACE\files\wmp.dll" - smctl.exe sign verify --input "$GITHUB_WORKSPACE\wmp.dll" + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "{{ env.$GITHUB_WORKSPACE }}\files\wmp.dll" + smctl.exe sign verify --input "{{ env.$GITHUB_WORKSPACE }}\wmp.dll" shell: cmd - name: Signing using SignTool From 94dcc27e0166caf7a61be0d74835db5f94b0966c Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:20:37 +0200 Subject: [PATCH 045/165] Add absolute path to file to be signed --- .github/workflows/digicert-signing.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index 0bbbd7c8..a302e008 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -49,8 +49,8 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "{{ env.$GITHUB_WORKSPACE }}\files\wmp.dll" - smctl.exe sign verify --input "{{ env.$GITHUB_WORKSPACE }}\wmp.dll" + smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl.exe sign verify --input "${{ env.GITHUB_WORKSPACE }}\wmp.dll" shell: cmd - name: Signing using SignTool From 6629b3537879d7c702381f1400696ea626440f8d Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:22:14 +0200 Subject: [PATCH 046/165] Trigger code signing action From 0bbe56c86a45b7c4ab7ecd97fb23fbbce355a163 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:25:10 +0200 Subject: [PATCH 047/165] Trigger code signing action --- .github/workflows/digicert-signing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index a302e008..b0808c97 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml 
@@ -50,7 +50,7 @@ jobs: run: | smctl.exe windows certsync --keypair-alias="key_464138416" smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" - smctl.exe sign verify --input "${{ env.GITHUB_WORKSPACE }}\wmp.dll" + smctl.exe sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" shell: cmd - name: Signing using SignTool From 96385ae77c3d34f3e53c7f4effd78d2239ed12c8 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 15:28:11 +0200 Subject: [PATCH 048/165] Remove .exe --- .github/workflows/digicert-signing.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index b0808c97..a2a5625e 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -48,12 +48,12 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl.exe windows certsync --keypair-alias="key_464138416" - smctl.exe sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" - smctl.exe sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl windows certsync --keypair-alias="key_464138416" + smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" shell: cmd - name: Signing using SignTool run: | - signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' - signtool.exe verify /v /pa 'files\wmp.dll' + signtool sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' + signtool verify /v /pa 'files\wmp.dll' 
From 4c6c2c4b1eb6c7b90959fa9b1463cfdbeec9d80d Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 17:33:41 +0200 Subject: [PATCH 049/165] Remove apps from path --- .github/workflows/digicert-signing.yaml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml index a2a5625e..abb2a72f 100644 --- a/.github/workflows/digicert-signing.yaml +++ b/.github/workflows/digicert-signing.yaml @@ -19,6 +19,7 @@ jobs: cd files mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory + - name: Setup Certificate run: | echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 @@ -32,9 +33,6 @@ jobs: echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" - echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH - echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH - echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH shell: bash - name: Code signing with Secure Software Manager @@ -44,7 +42,7 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - - name: Sync certificate + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | 
@@ -52,8 +50,3 @@ jobs: smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" shell: cmd - - - name: Signing using SignTool - run: | - signtool sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 'files\wmp.dll' - signtool verify /v /pa 'files\wmp.dll' From fb6212e8acb51519d7f833705d4429017d697829 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 18:03:11 +0200 Subject: [PATCH 050/165] Run composite action --- .github/workflows/run-action.yaml | 36 ++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 9733419d..3aa97806 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -22,17 +22,23 @@ jobs: - name: Run the action for a single binary env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.13 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.2 with: path-to-binary: 'files\wmp.dll' - name: Run the action for all binaries under a folder env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.13 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.2 with: path-to-binary: 'files' options: '-Recurse' 
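Review bot: Both steps in this hunk hand five signing secrets (host, API key, certificate hash, client certificate and its password) to `cognitedata/code-sign-action/@v1.2`, a tag reference that can be moved to different code after review. For a step that receives signing credentials, pin the action to a full commit SHA, `uses: cognitedata/code-sign-action@<full-commit-sha>  # v1.2` (placeholder value). If this workflow lives in the action's own repository, as the file paths suggest, checking out the repo and using `uses: ./` would also make the run exercise the commit under test. The same applies to the second hunk of this patch (`@@ -51,17 +57,23 @@`) and to the `@v1.21` references in patch 051.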
@@ -51,17 +57,23 @@ jobs: - name: Run the action for a single binary env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.2 with: path-to-binary: 'files/test.dll' - name: Run the action for all binaries under a folder env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.2 with: path-to-binary: 'files' options: '-Recurse' From 189405227dc48c70a7459e109067e95f12a26e11 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 18:21:43 +0200 Subject: [PATCH 051/165] Run composite action --- .github/workflows/run-action.yaml | 8 +++--- action.yaml | 46 ++++++++++++++++++++++++++----- 2 files changed, 43 insertions(+), 11 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 3aa97806..3f443db8 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.2 + uses: cognitedata/code-sign-action/@v1.21 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.2 + uses: cognitedata/code-sign-action/@v1.21 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.2 + uses: cognitedata/code-sign-action/@v1.21 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.2 + uses: cognitedata/code-sign-action/@v1.21 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 99314eb7..b587532c 100644 --- a/action.yaml +++ b/action.yaml 
@@ -10,11 +10,43 @@ inputs: runs: using: 'composite' steps: - - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} - if: runner.os == 'Windows' - shell: pwsh - - run: | - sudo apt install osslsigncode - ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} - if: runner.os == 'Linux' + - name: Setup Certificate + run: | + echo "${{secrets.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + shell: bash + + - name: Set variables + id: variables + run: | + echo "SM_HOST=${{ env.CERTIFICATE_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ env.CERTIFICATE_HOST_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ env.CLIENT_CERTIFICATE_PASSWORD }}" >> "$GITHUB_ENV" + echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" + shell: bash + + - name: Code signing with Secure Software Manager + uses: digicert/ssm-code-signing@v0.0.2 + env: + SM_API_KEY: ${{ env.SM_API_KEY }} + SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} + SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} + +# - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} +# if: runner.os == 'Windows' +# shell: pwsh +# +# - run: | +# sudo apt install osslsigncode +# ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} +# if: runner.os == 'Linux' +# shell: bash + + - name: Sign with smctl + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + smctl windows certsync --keypair-alias="key_464138416" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" shell: bash From eacdae92cd0296be8f1260552c4ca498b9577b9f Mon Sep 17 00:00:00 2001 
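Review bot: The `Set variables` step in action.yaml appends `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` to `$GITHUB_ENV`, which exports both to every later step of the calling job rather than only to the steps that sign. Each `${{ … }}` in the `run:` blocks is also substituted into the script text before bash parses it, so a value containing a quote, `$` or a newline alters the command; reading the value as a shell variable (`printf '%s' "$CLIENT_CERTIFICATE" | base64 --decode > …`) avoids that, and the later `Setup Certificate` hunks keep the inline expansion. I would drop the two secret lines from `Set variables` and supply them through step-level `env:` as sketched below. `digicert/ssm-code-signing@v0.0.2` receives the same credentials through a tag reference, so a full commit SHA is worth using there, and nothing visible removes the decoded `.p12` after signing.

```yaml
    - name: Set variables
      id: variables
      run: |
        # … unchanged: SM_HOST, SM_CLIENT_CERT_FILE, SM_CODE_SIGNING_CERT_SHA1_HASH …
        # SM_API_KEY and SM_CLIENT_CERT_PASSWORD are no longer written to $GITHUB_ENV
      shell: bash

    - name: Code signing with Secure Software Manager
      uses: digicert/ssm-code-signing@v0.0.2
      env:
        SM_API_KEY: ${{ env.CERTIFICATE_HOST_API_KEY }}
        SM_CLIENT_CERT_PASSWORD: ${{ env.CLIENT_CERTIFICATE_PASSWORD }}
        SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}

    # … unchanged: commented-out sign.ps1 / sign.sh steps …

    - name: Sign with smctl
      env:
        GITHUB_WORKSPACE: ${{ github.workspace }}
        SM_API_KEY: ${{ env.CERTIFICATE_HOST_API_KEY }}
        SM_CLIENT_CERT_PASSWORD: ${{ env.CLIENT_CERTIFICATE_PASSWORD }}
      # … unchanged: run block and shell …
```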
From: Bisera Milosheska Date: Wed, 2 Aug 2023 18:23:38 +0200 Subject: [PATCH 052/165] Run composite action --- action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index b587532c..5941d3fe 100644 --- a/action.yaml +++ b/action.yaml @@ -12,7 +12,7 @@ runs: steps: - name: Setup Certificate run: | - echo "${{secrets.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 shell: bash - name: Set variables From 10ab1c903cb2e76275f592205a2ee1e3570bcb08 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 18:24:22 +0200 Subject: [PATCH 053/165] Updat action version --- .github/workflows/run-action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 3f443db8..f0168b0a 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.21 + uses: cognitedata/code-sign-action/@v1.22 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.21 + uses: cognitedata/code-sign-action/@v1.22 with: path-to-binary: 'files' options: '-Recurse' 
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.21 + uses: cognitedata/code-sign-action/@v1.22 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.21 + uses: cognitedata/code-sign-action/@v1.22 with: path-to-binary: 'files' options: '-Recurse' From a5b38124b08d9a8897c8824dad3118a4b2a53bf5 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:27:36 +0200 Subject: [PATCH 054/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index f0168b0a..0b521ecb 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.22 + uses: cognitedata/code-sign-action/@v1.23 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.22 + uses: cognitedata/code-sign-action/@v1.23 with: path-to-binary: 'files' options: '-Recurse' 
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.22 + uses: cognitedata/code-sign-action/@v1.23 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.22 + uses: cognitedata/code-sign-action/@v1.23 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 5941d3fe..2c3d1734 100644 --- a/action.yaml +++ b/action.yaml @@ -12,6 +12,7 @@ runs: steps: - name: Setup Certificate run: | + mkdir /d echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 shell: bash From 843c4be0de96fb14ac0804dcfdc7d530dcf9eaa2 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:34:05 +0200 Subject: [PATCH 055/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 0b521ecb..cbc33085 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.23 + uses: cognitedata/code-sign-action/@v1.24 with: path-to-binary: 'files\wmp.dll' 
@@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.23 + uses: cognitedata/code-sign-action/@v1.24 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.23 + uses: cognitedata/code-sign-action/@v1.24 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.23 + uses: cognitedata/code-sign-action/@v1.24 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 2c3d1734..5ebf7769 100644 --- a/action.yaml +++ b/action.yaml @@ -12,8 +12,7 @@ runs: steps: - name: Setup Certificate run: | - mkdir /d - echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 shell: bash - name: Set variables From 5c50b445bb6636171d400ad4bec1b39dca843e13 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:37:13 +0200 Subject: [PATCH 056/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index cbc33085..8f0277e6 100644 --- a/.github/workflows/run-action.yaml 
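Review bot: In the `Setup Certificate` hunk of action.yaml (`-12,8 +12,7`), `install` creates its target with mode 0755 unless `-m` is given, so the decoded client-certificate `.p12` ends up readable and executable by every account on the runner. Passing an explicit mode, `install -m 600 -D /dev/stdin /d/cognite_code_signing_github_actions.p12`, keeps the file private to the step's user. The later hunk that prefixes `sudo` (`-12,9 +12,7`) makes the file root-owned with the same open mode; writing under `"$RUNNER_TEMP"` instead of `/d` would remove the need for root and for the `mkdir`/`chmod` attempts in between. Nothing visible deletes the file once signing is done.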
+++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.24 + uses: cognitedata/code-sign-action/@v1.25 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.24 + uses: cognitedata/code-sign-action/@v1.25 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.24 + uses: cognitedata/code-sign-action/@v1.25 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.24 + uses: cognitedata/code-sign-action/@v1.25 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 5ebf7769..6a1ab630 100644 --- a/action.yaml +++ b/action.yaml @@ -12,6 +12,7 @@ runs: steps: - name: Setup Certificate run: | + chmod +w /d echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 shell: bash From 693028b53b7ee97999e3219713812365998bc76b Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:38:36 +0200 Subject: [PATCH 057/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 8f0277e6..b2f53155 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.25 + uses: cognitedata/code-sign-action/@v1.251 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.25 + uses: cognitedata/code-sign-action/@v1.251 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.25 + uses: cognitedata/code-sign-action/@v1.251 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.25 + uses: cognitedata/code-sign-action/@v1.251 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 6a1ab630..cf276ab5 100644 --- a/action.yaml +++ b/action.yaml 
@@ -12,6 +12,7 @@ runs: steps: - name: Setup Certificate run: | + mkdir /d chmod +w /d echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 shell: bash From 30dbc9b1ac6c2ef7fc5c9cb6514952288e5838b1 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:41:41 +0200 Subject: [PATCH 058/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 4 +--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index b2f53155..c69d867c 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.251 + uses: cognitedata/code-sign-action/@v1.252 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.251 + uses: cognitedata/code-sign-action/@v1.252 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.251 + uses: cognitedata/code-sign-action/@v1.252 with: path-to-binary: 'files/test.dll' 
@@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.251 + uses: cognitedata/code-sign-action/@v1.252 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index cf276ab5..77b6aa89 100644 --- a/action.yaml +++ b/action.yaml @@ -12,9 +12,7 @@ runs: steps: - name: Setup Certificate run: | - mkdir /d - chmod +w /d - echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 shell: bash - name: Set variables From 3413988b877f69e4bf64b09529dbb287408cbc00 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:51:50 +0200 Subject: [PATCH 059/165] Update action version --- action.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index 77b6aa89..dabb2301 100644 --- a/action.yaml +++ b/action.yaml @@ -46,7 +46,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl windows certsync --keypair-alias="key_464138416" +# smctl windows certsync --keypair-alias="key_464138416" + smctl cert save --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" shell: bash From fb89a6dec4b678dd567db4ad557510b2518f8262 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 19:55:18 +0200 Subject: [PATCH 060/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index c69d867c..40e6fc9f 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.252 + uses: cognitedata/code-sign-action/@v1.253 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.252 + uses: cognitedata/code-sign-action/@v1.253 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.252 + uses: cognitedata/code-sign-action/@v1.253 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.252 + uses: cognitedata/code-sign-action/@v1.253 with: path-to-binary: 'files' options: '-Recurse' From d7c8dd5ea81efaff4d725626ef281dbcbe73058a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:00:52 +0200 Subject: [PATCH 061/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 40e6fc9f..a3c167cb 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.253 + uses: cognitedata/code-sign-action/@v1.254 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.253 + uses: cognitedata/code-sign-action/@v1.254 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.253 + uses: cognitedata/code-sign-action/@v1.254 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.253 + uses: cognitedata/code-sign-action/@v1.254 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index dabb2301..5e60c23e 100644 --- a/action.yaml +++ b/action.yaml 
@@ -46,8 +46,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | -# smctl windows certsync --keypair-alias="key_464138416" smctl cert save --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" +# smctl windows certsync --keypair-alias="key_464138416" shell: bash From 56a93fe01a651fd6951694cb7c78815e2d414b73 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:02:05 +0200 Subject: [PATCH 062/165] Update action version --- action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/action.yaml b/action.yaml index 5e60c23e..16b58726 100644 --- a/action.yaml +++ b/action.yaml @@ -49,5 +49,4 @@ runs: smctl cert save --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" -# smctl windows certsync --keypair-alias="key_464138416" shell: bash From b03c35f6ef6bef30d9eea8e20b1c0c6afa3a9870 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:04:02 +0200 Subject: [PATCH 063/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index a3c167cb..84f9c96b 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.254 + uses: cognitedata/code-sign-action/@v1.255 with: path-to-binary: 'files\wmp.dll' 
@@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.254 + uses: cognitedata/code-sign-action/@v1.255 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.254 + uses: cognitedata/code-sign-action/@v1.255 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.254 + uses: cognitedata/code-sign-action/@v1.255 with: path-to-binary: 'files' options: '-Recurse' From 25ee02f7e24ac2dab0a1e68cb1a4a4440b6650ed Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:18:36 +0200 Subject: [PATCH 064/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 21 ++++++++++++++++++--- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 84f9c96b..e6a08fac 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.255 + uses: cognitedata/code-sign-action/@v1.256 with: path-to-binary: 'files\wmp.dll' 
@@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.255 + uses: cognitedata/code-sign-action/@v1.256 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.255 + uses: cognitedata/code-sign-action/@v1.256 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.255 + uses: cognitedata/code-sign-action/@v1.256 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 16b58726..1fb86fc5 100644 --- a/action.yaml +++ b/action.yaml @@ -12,7 +12,11 @@ runs: steps: - name: Setup Certificate run: | - echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 + if ${{ runner.os }} == 'Windows'; then + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12; + elif {{ runner.os }} == 'Linux'; then + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12; + fi shell: bash - name: Set variables 
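Review bot: Neither branch of the new `if` in `Setup Certificate` (action.yaml, `-12,7 +12,11`) can run, so the step finishes without writing the `.p12`. `${{ runner.os }} == 'Windows'` expands to the command line `Windows == 'Windows'`, and the `elif` is missing its `$`, so bash tries to execute the literal word `{{`; both fail as unknown commands and the `if` swallows the failure. Testing the runner-provided variable works in both branches: `if [[ "$RUNNER_OS" == "Windows" ]]; then` and `elif [[ "$RUNNER_OS" == "Linux" ]]; then`. An `else` that prints the unsupported OS and exits non-zero would make the step fail visibly instead of leaving the signing steps to fail later on a missing certificate file.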
@@ -46,7 +50,18 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl cert save --keypair-alias="key_464138416" - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl windows certsync --keypair-alias="key_464138416" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + if: runner.os == 'Windows' + shell: bash + + - name: Sign with smctl + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + smctl cert save --keypair-alias="key_464138416" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/test.dll" + if: runner.os == 'Linux' shell: bash From fc3e589b37cabed1cff6a41e0500fe91f68ce338 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:27:53 +0200 Subject: [PATCH 065/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index e6a08fac..194f49b5 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.256 + uses: cognitedata/code-sign-action/@v1.257 with: path-to-binary: 'files\wmp.dll' 
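Review bot: Both new `Sign with smctl` steps sign `${{ inputs.path-to-binary }}` but still run `smctl sign verify` against the fixed `files\wmp.dll` / `files/test.dll`, so the step can pass without the file that was signed ever being verified. The verify line should take the same path, e.g. `smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}"` in the Linux step and the backslash form in the Windows one; the follow-up hunk (`-60,8 +60,8`) keeps the fixed path as well. The input is also pasted into the script by `${{ … }}` before bash parses it, so passing it through `env:` and quoting a shell variable (for example `"$BINARY_PATH"`, a name chosen here) keeps a path with shell metacharacters from being run as code. The workflow's `path-to-binary: 'files'` with `options: '-Recurse'` looks unhandled now, since `inputs.options` is no longer read in the visible steps.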
@@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.256 + uses: cognitedata/code-sign-action/@v1.257 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.256 + uses: cognitedata/code-sign-action/@v1.257 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.256 + uses: cognitedata/code-sign-action/@v1.257 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 1fb86fc5..f02bfa59 100644 --- a/action.yaml +++ b/action.yaml @@ -60,8 +60,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl cert save --keypair-alias="key_464138416" - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" + smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/test.dll" if: runner.os == 'Linux' shell: bash From 190b8ada8cd987acff448ec04e49e20565e3b3a5 Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:33:44 +0200 Subject: [PATCH 066/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 194f49b5..d735cc13 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.257 + uses: cognitedata/code-sign-action/@v1.258 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.257 + uses: cognitedata/code-sign-action/@v1.258 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.257 + uses: cognitedata/code-sign-action/@v1.258 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.257 + uses: cognitedata/code-sign-action/@v1.258 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index f02bfa59..457e0f6b 100644 --- a/action.yaml +++ b/action.yaml 
@@ -52,7 +52,7 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" if: runner.os == 'Windows' shell: bash @@ -60,8 +60,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/test.dll" + smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com + osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" if: runner.os == 'Linux' shell: bash From 72528da4f81fdbf6dda0a20b83fb7ae2f7eaba3a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:37:24 +0200 Subject: [PATCH 067/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index d735cc13..a3d909a1 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
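Review bot: In the Linux `osslsigncode sign` line, `-in` and `-out` name the same file, so the tool is asked to write its output over the input it is still reading. Depending on the osslsigncode version this either fails or damages the binary, which is worth confirming against the version the runner gets. Sign to a temporary name such as `-out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}.signed"`, run `osslsigncode verify -in` on that file, and only then `mv` it over the original. The `-pkcs11module /root/smpkcs11.so` path is also under `/root`, which the runner user normally cannot read, and nothing in this hunk installs osslsigncode.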
@@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.258 + uses: cognitedata/code-sign-action/@v1.259 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.258 + uses: cognitedata/code-sign-action/@v1.259 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.258 + uses: cognitedata/code-sign-action/@v1.259 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.258 + uses: cognitedata/code-sign-action/@v1.259 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 457e0f6b..5e68502e 100644 --- a/action.yaml +++ b/action.yaml 
@@ -60,6 +60,7 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | + sudo apt install osslsigncode smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" From 534c07de6631c1695af53e063c6078e8c4b35c8e Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:40:52 +0200 Subject: [PATCH 068/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 8 +++----- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index a3d909a1..d5c1bb5a 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.259 + uses: cognitedata/code-sign-action/@v1.26 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.259 + uses: cognitedata/code-sign-action/@v1.26 with: path-to-binary: 'files' options: '-Recurse' 
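Review bot: `sudo apt install osslsigncode` runs without `-y` and without refreshing the package index, so a stale index or a confirmation prompt can make the step abort, and `apt` itself warns that its command line is not stable for scripts. Prefer `sudo apt-get update` followed by `sudo apt-get install -y osslsigncode`. Since this tool produces the signature, consider also pinning the package (`osslsigncode=<version>`) or logging `dpkg -s osslsigncode`, so a signed artifact can be traced to the tool build that made it.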
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.259 + uses: cognitedata/code-sign-action/@v1.26 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.259 + uses: cognitedata/code-sign-action/@v1.26 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 5e68502e..f5f244cf 100644 --- a/action.yaml +++ b/action.yaml @@ -52,7 +52,7 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" if: runner.os == 'Windows' shell: bash 
@@ -60,9 +60,7 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - sudo apt install osslsigncode - smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com - osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/test.dll" if: runner.os == 'Linux' shell: bash From 66d11f1be3c906cb1be28fb41576bfd17dc89458 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:47:14 +0200 Subject: [PATCH 069/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 8 +++++--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index d5c1bb5a..0444298a 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.26 + uses: cognitedata/code-sign-action/@v1.261 with: path-to-binary: 'files\wmp.dll' 
@@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.26 + uses: cognitedata/code-sign-action/@v1.261 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.26 + uses: cognitedata/code-sign-action/@v1.261 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.26 + uses: cognitedata/code-sign-action/@v1.261 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index f5f244cf..96808e33 100644 --- a/action.yaml +++ b/action.yaml @@ -52,7 +52,7 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" if: runner.os == 'Windows' shell: bash 
@@ -60,7 +60,9 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/test.dll" + export SM_LOG_LEVEL=TRACE + smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" + smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }} + echo %USERPROFILE%/.signingmanager/logs if: runner.os == 'Linux' shell: bash From f888b45bdaf2778a69c30273d6d240c115136ca6 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:48:56 +0200 Subject: [PATCH 070/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 0444298a..85662e4c 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.261 + uses: cognitedata/code-sign-action/@v1.262 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.261 + uses: cognitedata/code-sign-action/@v1.262 with: path-to-binary: 'files' options: '-Recurse' 
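Review bot: The Linux script now sets `export SM_LOG_LEVEL=TRACE` and drops the `smctl sign verify` line, so the step logs at trace level and no longer checks the signature it produced. Trace output from a client that authenticates with an API key and a client certificate may include request details that should not sit in CI logs. Keep it off by default or gate it on a debug input, and restore the verify call. The new `smctl sign` line also ends in `${{ inputs.path-to-binary }}` with no closing quote, which makes the whole script a parse error. `echo %USERPROFILE%/.signingmanager/logs` uses cmd syntax that bash prints literally; on Linux that would be `"$HOME/.signingmanager/logs"`.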
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.261 + uses: cognitedata/code-sign-action/@v1.262 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.261 + uses: cognitedata/code-sign-action/@v1.262 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 96808e33..318c02fd 100644 --- a/action.yaml +++ b/action.yaml @@ -62,7 +62,7 @@ runs: run: | export SM_LOG_LEVEL=TRACE smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }} + smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" echo %USERPROFILE%/.signingmanager/logs if: runner.os == 'Linux' shell: bash From 5fb5ef0cd657ed13dbce6ec58be09e13c56e3c33 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 20:59:40 +0200 Subject: [PATCH 071/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 7 +++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 85662e4c..d81c4c58 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.262 + uses: cognitedata/code-sign-action/@v1.263 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.262 + uses: cognitedata/code-sign-action/@v1.263 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.262 + uses: cognitedata/code-sign-action/@v1.263 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.262 + uses: cognitedata/code-sign-action/@v1.263 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 318c02fd..52b252d3 100644 --- a/action.yaml +++ b/action.yaml 
@@ -60,9 +60,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - export SM_LOG_LEVEL=TRACE - smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" - echo %USERPROFILE%/.signingmanager/logs + smksp_cert_sync + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" if: runner.os == 'Linux' shell: bash From c868244cc50446b6099c368ef6d72b2fa6e3e59e Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 21:08:38 +0200 Subject: [PATCH 072/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index d81c4c58..89c0deb5 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.263 + uses: cognitedata/code-sign-action/@v1.264 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.263 + uses: cognitedata/code-sign-action/@v1.264 with: path-to-binary: 'files' options: '-Recurse' 
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.263 + uses: cognitedata/code-sign-action/@v1.264 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.263 + uses: cognitedata/code-sign-action/@v1.264 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index 52b252d3..a0da5ceb 100644 --- a/action.yaml +++ b/action.yaml @@ -60,8 +60,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smksp_cert_sync - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" - if: runner.os == 'Linux' + sudo apt install osslsigncode + smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -pkcs11engine /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com + osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" if: runner.os == 'Linux' shell: bash From 691a8893a774e8564b152614fdde0020bed3757b Mon Sep 17 00:00:00 2001 
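Review bot: The step's `if: runner.os == 'Linux'` guard has ended up on the same line as the added `osslsigncode verify` command, which the hunk's 8/8 line counts confirm, so it is now script text rather than a step key. The step is no longer restricted to Linux, and the verify command receives `if:`, `runner.os`, `==` and `Linux` as extra arguments. Put `if: runner.os == 'Linux'` back on its own line at step level. In the `osslsigncode sign` line the `-pkcs11engine` path contains spaces and is unquoted, so bash splits it into several arguments; quote it as `"/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so"`.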
From: Bisera Milosheska Date: Wed, 2 Aug 2023 21:15:47 +0200 Subject: [PATCH 073/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 89c0deb5..ebb4ae51 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.264 + uses: cognitedata/code-sign-action/@v1.265 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.264 + uses: cognitedata/code-sign-action/@v1.265 with: path-to-binary: 'files' options: '-Recurse' @@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.264 + uses: cognitedata/code-sign-action/@v1.265 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.264 + uses: cognitedata/code-sign-action/@v1.265 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index a0da5ceb..e0e7f8f7 100644 --- a/action.yaml +++ b/action.yaml 
@@ -63,5 +63,6 @@ runs: sudo apt install osslsigncode smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" osslsigncode sign -pkcs11engine /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com - osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" if: runner.os == 'Linux' + osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + if: runner.os == 'Linux' shell: bash From 066b247e5146e1747e0b6c03be82970b5e162f2b Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Wed, 2 Aug 2023 21:17:23 +0200 Subject: [PATCH 074/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index ebb4ae51..9082c89e 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.265 + uses: cognitedata/code-sign-action/@v1.266 with: path-to-binary: 'files\wmp.dll' @@ -38,7 +38,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.265 + uses: cognitedata/code-sign-action/@v1.266 with: path-to-binary: 'files' options: '-Recurse' 
@@ -62,7 +62,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.265 + uses: cognitedata/code-sign-action/@v1.266 with: path-to-binary: 'files/test.dll' @@ -73,7 +73,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.265 + uses: cognitedata/code-sign-action/@v1.266 with: path-to-binary: 'files' options: '-Recurse' diff --git a/action.yaml b/action.yaml index e0e7f8f7..e42deabd 100644 --- a/action.yaml +++ b/action.yaml @@ -62,7 +62,7 @@ runs: run: | sudo apt install osslsigncode smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" if: runner.os == 'Linux' shell: bash From f29f3e798a9c846a8c919f260eb9368041b7c3e3 Mon Sep 17 00:00:00 2001 
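Review bot: With the quoting fixed, `-pkcs11engine` still points at `smpkcs11.so`, which by its name looks like the PKCS#11 module rather than an OpenSSL engine, while `-pkcs11module` points at a second location under `/root`. PATCH 066 passed `/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so` as the engine. Presumably the engine argument should remain an engine library and `-pkcs11module` should carry the `/tmp/DigiCert One Signing Manager Tools/...` path; please confirm against the installed tool layout. Resolving both paths from a variable set by the install step, instead of two hard-coded locations, would also let the step fail early with a clear message when a library is missing.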
From: Sondre Solbakken Date: Thu, 3 Aug 2023 13:52:40 +0200 Subject: [PATCH 075/165] add linux signing workflow file --- .github/workflows/digicert-signing-linux.yaml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/digicert-signing-linux.yaml diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml new file mode 100644 index 00000000..322cd8e0 --- /dev/null +++ b/.github/workflows/digicert-signing-linux.yaml @@ -0,0 +1,44 @@ +name: digicert-signing-linux +on: + pull_request: + push: + branches: + - main + - "releases/*" + +jobs: + sign-with-linux: + runs-on: ubuntu-22.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Certificate + run: | + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + shell: bash + + - name: Set variables + id: variables + run: | + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + shell: bash + + - name: Code signing with Secure Software Manager + uses: digicert/ssm-code-signing@v0.0.2 + env: + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} + + - name: Sign with smctl + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + sudo apt install osslsigncode + smctl sign --keypair-alias key_464138416 --certificate ${{ secrets.SM_CLIENT_CERT_FILE }} --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/test.dll" + shell: bash From 6f5327a393f7a6a4c28af008aa8021bb9b1480d3 Mon Sep 17 00:00:00 2001 
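Review bot: The `Set variables` step appends `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` to `$GITHUB_ENV`, which exposes them to every later step in the job, including the third-party `digicert/ssm-code-signing@v0.0.2` action, rather than only to the steps that sign. Set them in the `env:` of the signing steps instead. Pin third-party actions to a full commit SHA (`uses: digicert/ssm-code-signing@<full-commit-sha>`), since a tag can be moved. The workflow also runs on `pull_request`, so any branch that can open a same-repository PR can reach the signing credentials; consider limiting the signing job to `push` on protected branches. Finally, `base64 --decode > /d/...` assumes `/d` exists, which is not the case on `ubuntu-22.04` unless an earlier step creates it.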
From: Sondre Solbakken Date: Thu, 3 Aug 2023 13:55:42 +0200 Subject: [PATCH 076/165] use linux install command to create and write certificate to /d --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 322cd8e0..b95f8506 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -15,7 +15,7 @@ jobs: - name: Setup Certificate run: | - echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 shell: bash - name: Set variables From 67f092987a4b5c847a5ca458465ed9a54dfa3652 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 14:10:54 +0200 Subject: [PATCH 077/165] Use apt-get to install osslcode and separate steps --- .github/workflows/digicert-signing-linux.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index b95f8506..3341192a 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
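Review bot: `sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12` creates the client-certificate file with `install`'s default mode (0755) and root ownership, so the PKCS#12 is readable by every user on the runner. Give it an explicit mode and owner, e.g. `sudo install -D -m 0600 -o "$(id -un)" /dev/stdin /d/cognite_code_signing_github_actions.p12`. Delete the file in a final step marked `if: always()`. The same `install -D` line appears in the `Setup Certificate` step of `action.yaml` earlier in this series and would need the same change.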
@@ -34,11 +34,20 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} + - name: Install third-party signing tool + run: | + sudo apt-get install -y osslsigncode + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - sudo apt install osslsigncode smctl sign --keypair-alias key_464138416 --certificate ${{ secrets.SM_CLIENT_CERT_FILE }} --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + shell: bash + + - name: Verify with smctl + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/test.dll" shell: bash From b6ba115cd417072e2ed95e6749dcebe5224d8417 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 14:14:04 +0200 Subject: [PATCH 078/165] add quotes around certificate input --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 3341192a..7bde7aaf 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -42,7 +42,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias key_464138416 --certificate ${{ secrets.SM_CLIENT_CERT_FILE }} --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl sign --keypair-alias key_464138416 --certificate "${{ secrets.SM_CLIENT_CERT_FILE }}" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode shell: bash - name: Verify with smctl From a179eb50a7f36ad33c4002caea6efbccd0533389 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 14:19:01 +0200 Subject: [PATCH 079/165] Fix env reference --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 7bde7aaf..b7cdb405 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -42,7 +42,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias key_464138416 --certificate "${{ secrets.SM_CLIENT_CERT_FILE }}" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl sign --keypair-alias key_464138416 --certificate "${{ env.SM_CLIENT_CERT_FILE }}" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode shell: bash - name: Verify with smctl From b31003b3a96c167d9ad421f4134fb87e656e606d Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 14:36:43 +0200 Subject: [PATCH 080/165] Add cert save command --- .github/workflows/digicert-signing-linux.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index b7cdb405..1af5d5dc 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -42,7 +42,8 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias key_464138416 --certificate "${{ env.SM_CLIENT_CERT_FILE }}" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" + smctl sign --keypair-alias key_464138416 --certificate "${{ env.GITHUB_WORKSPACE }}/code-sign-cert" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode shell: bash - name: Verify with smctl From cc30784e887a8322e884560037e40d9317502dfb Mon Sep 17 00:00:00 2001 
From: Sondre Solbakken Date: Thu, 3 Aug 2023 15:29:03 +0200 Subject: [PATCH 081/165] output files in folder --- .github/workflows/digicert-signing-linux.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1af5d5dc..fd6332c2 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -34,16 +34,21 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - - name: Install third-party signing tool + # - name: Install third-party signing tool + # run: | + # sudo apt-get install -y osslsigncode + + - name: Output files in folder run: | - sudo apt-get install -y osslsigncode + ls -a + shell: bash - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias key_464138416 --certificate "${{ env.GITHUB_WORKSPACE }}/code-sign-cert" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/code-sign-cert" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode shell: bash - name: Verify with smctl From 9cc38829c45bc0d1e90d7db00977b8b6fc3736c2 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 15:44:36 +0200 Subject: [PATCH 082/165] update linux signing --- .github/workflows/digicert-signing-linux.yaml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index fd6332c2..f528419a 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -37,23 +37,19 @@ jobs: # - name: Install third-party signing tool # run: | # sudo apt-get install -y osslsigncode - - - name: Output files in folder - run: | - ls -a - shell: bash - - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate "${{ env.GITHUB_WORKSPACE }}/code-sign-cert" --input "${{ env.GITHUB_WORKSPACE }}/test.dll" --tool osslsigncode + smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "test.dll" shell: bash + # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" + # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" + - name: Verify with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/test.dll" + smctl sign verify --input "test.dll" shell: bash From e547e764045fc5ca5d20888f74aca3962c8f410b Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 15:55:37 +0200 Subject: [PATCH 083/165] update --- .github/workflows/digicert-signing-linux.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index f528419a..0ac2b68c 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
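Review bot: `smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}` expands the secret unquoted into the script, so an empty or unset secret likely leaves `--fingerprint` taking `--input` as its value and the step fails with a misleading error. Pass the value through the step's `env:` and quote it: `smctl sign --fingerprint "$SM_CODE_SIGNING_CERT_SHA1_HASH" --input "test.dll"`. The two commented-out smctl commands added after `shell: bash` sit between steps with no explanation; either add a comment saying why each alternative was abandoned or delete them.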
@@ -25,6 +25,7 @@ jobs: echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash - name: Code signing with Secure Software Manager @@ -41,7 +42,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "test.dll" + smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input README.md shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" @@ -51,5 +52,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "test.dll" + smctl sign verify --input README.md shell: bash From 94a359ae1c683a84396ee81fb34a9d4493630385 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:01:40 +0200 Subject: [PATCH 084/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 0ac2b68c..fd07b7fb 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -42,7 +42,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input README.md + smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "${{ env.GITHUB_WORKSPACE }}/action.yaml" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" 
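Review bot: The added line `echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV"` reads `env.CERTIFICATE_SHA1_HASH`, which nothing in the visible workflow defines, so the variable is presumably written empty. The previous revision took the fingerprint from `secrets.SM_CODE_SIGNING_CERT_SHA1_HASH`; if that is the intended source, set it on the step that uses it with `env:` (`SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}`) instead of routing it through `$GITHUB_ENV`. The other hunks of this patch switch the signed input to `README.md`, which looks like a temporary probe; a comment saying so would keep it from being read as the intended signing target.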
@@ -52,5 +52,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input README.md + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/action.yaml" shell: bash From 45f7ee17613b75974eb4688e3b42fb5f59c114d9 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:06:26 +0200 Subject: [PATCH 085/165] try signing curl --- .github/workflows/digicert-signing-linux.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index fd07b7fb..dde4f716 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -38,11 +38,17 @@ jobs: # - name: Install third-party signing tool # run: | # sudo apt-get install -y osslsigncode + + - name: Copy libraries + run: | + mkdir files + cp /bin/curl files + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "${{ env.GITHUB_WORKSPACE }}/action.yaml" + smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "${{ env.GITHUB_WORKSPACE }}/files/curl" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" @@ -52,5 +58,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/action.yaml" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/curl" shell: bash From e74bf98426a58d1e7235613a47c2217bf9c16cbd Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:12:25 +0200 Subject: [PATCH 086/165] test --- .github/workflows/digicert-signing-linux.yaml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index dde4f716..5614a308 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -35,20 +35,18 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - # - name: Install third-party signing tool - # run: | - # sudo apt-get install -y osslsigncode - - - name: Copy libraries + - name: Install third-party signing tool run: | - mkdir files - cp /bin/curl files + sudo apt-get install -y osslsigncode - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "${{ env.GITHUB_WORKSPACE }}/files/curl" + sudo apt install osslsigncode + smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -pkcs11engine "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/test.dll" -out "${{ env.GITHUB_WORKSPACE }}/test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/test.dll" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" @@ -58,5 +56,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/files/curl" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/test.dll" shell: bash From 0800418ca50914648b458b674412d2eb74e3fb31 Mon Sep 17 00:00:00 2001 
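Review bot: The `osslsigncode sign` command uses the same path for `-in` and `-out` (`test.dll`), so a failed or interrupted run can leave the only copy of the binary truncated or half-written. Write to a separate file, verify it, then replace the original: `-out "$GITHUB_WORKSPACE/test.signed.dll"`, `osslsigncode verify -in "$GITHUB_WORKSPACE/test.signed.dll"`, `mv -- "$GITHUB_WORKSPACE/test.signed.dll" "$GITHUB_WORKSPACE/test.dll"`. `-pkcs11module /root/smpkcs11.so` points into root's home, which the runner user normally cannot read, and `sudo apt install osslsigncode` in the same step lacks `-y` and repeats the install step added just above it. The same in-place `-in`/`-out` pattern returns in later hunks of this series.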
From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:22:07 +0200 Subject: [PATCH 087/165] update --- .github/workflows/digicert-signing-linux.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 5614a308..230c389f 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -35,18 +35,17 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - - name: Install third-party signing tool - run: | - sudo apt-get install -y osslsigncode - + # - name: Install third-party signing tool + # run: | + # sudo apt-get install -y osslsigncode - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | sudo apt install osslsigncode - smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/test.dll" -out "${{ env.GITHUB_WORKSPACE }}/test.dll" -h sha256 -t http://timestamp.digicert.com - osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/test.dll" + smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com + osslsigncode verify -in test.dll shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" 
From 4b14c7ec467d538c7c6555b22572ee480d797f3b Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:35:53 +0200 Subject: [PATCH 088/165] update --- .github/workflows/digicert-signing-linux.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 230c389f..ab73b987 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -38,13 +38,18 @@ jobs: # - name: Install third-party signing tool # run: | # sudo apt-get install -y osslsigncode + + - name: locate file + run: | + sudo find / -name "*libpkcs11.so" + shell: bash + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - sudo apt install osslsigncode smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com osslsigncode verify -in test.dll shell: bash From 9b2a087199db4c3882ea9a5689528e0c4e705d05 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:40:52 +0200 Subject: [PATCH 089/165] update --- .github/workflows/digicert-signing-linux.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index ab73b987..c07086f1 100644 
--- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -35,21 +35,20 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - # - name: Install third-party signing tool - # run: | - # sudo apt-get install -y osslsigncode - - - name: locate file + - name: Install third-party signing tool run: | - sudo find / -name "*libpkcs11.so" - shell: bash + sudo apt-get install -y osslsigncode + # - name: locate file + # run: | + # sudo find / -name "*libpkcs11.so" + # shell: bash - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine /snap/core20/1974/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com osslsigncode verify -in test.dll shell: bash From 36e578c898e0edd5b662d7857bf931250360dc1a Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:43:13 +0200 Subject: [PATCH 090/165] update --- .github/workflows/digicert-signing-linux.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index c07086f1..764b2485 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
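Review bot: `-pkcs11engine /snap/core20/1974/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so` loads the OpenSSL engine from a snap base image at a fixed revision (`1974`), a path that goes away when the runner image refreshes that snap and that is not the library built for the system OpenSSL. This shared object is loaded into the process that talks to the signing key, so it should come from a package the workflow installs itself, with the path resolved at run time, e.g. `engine_path=$(dpkg -L libengine-pkcs11-openssl | grep -m1 'pkcs11\.so$')` once that package is installed (a later patch in this series adds it). The `sudo find / -name "*libpkcs11.so"` step that produced the path is left commented out in this hunk; removing it would be cleaner than keeping it as a comment.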
@@ -39,10 +39,11 @@ jobs: run: | sudo apt-get install -y osslsigncode - # - name: locate file - # run: | - # sudo find / -name "*libpkcs11.so" - # shell: bash + - name: locate file + run: | + ls -a /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64 + shell: bash + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} From 92a075481c5338e60bf1188e58e9a3ab6ef3aceb Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:44:40 +0200 Subject: [PATCH 091/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 764b2485..aa874bce 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -41,7 +41,7 @@ jobs: - name: locate file run: | - ls -a /tmp/DigiCert One Signing Manager Tools/smtools-linux-x64 + sudo ls -a "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" shell: bash - name: Sign with smctl @@ -49,7 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /snap/core20/1974/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com osslsigncode verify -in test.dll shell: bash From 6f2a6e0e95ad6871f89b2d9d5108ec9d3eabb575 Mon Sep 17 00:00:00 2001 
From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:48:33 +0200 Subject: [PATCH 092/165] update --- .github/workflows/digicert-signing-linux.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index aa874bce..d4f2217e 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -49,8 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs cert.pem -key 'pkcs11:object=key_464138416;type=private' -in test.dll -out test.dll -h sha256 -t http://timestamp.digicert.com - osslsigncode verify -in test.dll + smctl sign --keypair-alias="key_464138416" --certificate cert.pem --input test.dll shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 1eeb59bd47a290a85a1eace0057f7ff90f0bcad3 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 16:53:46 +0200 Subject: [PATCH 093/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index d4f2217e..5b89774e 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -49,7 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate cert.pem --input test.dll + smctl sign --keypair-alias key_464138416 --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool osslsigncode shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 06a62f4660ca9018cd77e4b94518d7259ab1ac01 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:00:09 +0200 Subject: [PATCH 094/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 5b89774e..b5d1f1e0 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -49,7 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias key_464138416 --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool osslsigncode + smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool jsign shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From b7abbf8ba4f0a5d78ed162fc5ab351b3983dd9f3 Mon Sep 17 00:00:00 2001 
From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:04:21 +0200 Subject: [PATCH 095/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index b5d1f1e0..cebe66d4 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -49,7 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool jsign + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool jsign shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From c74610a685bba40efc6ad673764506696714ae2f Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:06:09 +0200 Subject: [PATCH 096/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index cebe66d4..e666fd4d 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -49,7 +49,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool jsign + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool="jsign" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 93d7cccb5834cc027f61032eb4024d67c6ec05fd Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:10:09 +0200 Subject: [PATCH 097/165] update --- .github/workflows/digicert-signing-linux.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index e666fd4d..e60a0332 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -39,17 +39,12 @@ jobs: run: | sudo apt-get install -y osslsigncode - - name: locate file - run: | - sudo ls -a "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" - shell: bash - - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --config-file "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --input /home/runner/work/code-sign-action/code-sign-action/test.dll --tool="jsign" + smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 4cd9d74f2795b2f77f8ed2875cc4f33695dc36ad Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:11:14 +0200 Subject: [PATCH 098/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index e60a0332..0400cc36 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -44,7 +44,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 1d033fb270adf575bfe48675ac2665c3e7e9e5ac Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:14:44 +0200 Subject: [PATCH 099/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 0400cc36..fedd2fc4 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -8,7 +8,7 @@ on: jobs: sign-with-linux: - runs-on: ubuntu-22.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code uses: actions/checkout@v3 From 3be8650aa5a1d4711fb3cfc27111945d6f5365b2 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:24:53 +0200 Subject: [PATCH 100/165] update2 --- .github/workflows/digicert-signing-linux.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index fedd2fc4..7026746a 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -8,7 +8,7 @@ on: jobs: sign-with-linux: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@v3 
@@ -28,6 +28,10 @@ jobs: echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash + - name: Install third-party required tools + run: | + sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + - name: Code signing with Secure Software Manager uses: digicert/ssm-code-signing@v0.0.2 env: @@ -35,10 +39,6 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - - name: Install third-party signing tool - run: | - sudo apt-get install -y osslsigncode - - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} From e6e3e00e0c0e7f1981f8f57f0d2f8f8a77457d37 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:33:00 +0200 Subject: [PATCH 101/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 7026746a..9e56fac0 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -44,7 +44,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" 
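Review bot: In the added `osslsigncode sign` line of the "Sign with smctl" step, `-t` requests a legacy Authenticode timestamp, whereas osslsigncode uses `-ts` for RFC 3161, so `-ts http://timestamp.digicert.com` is the form I would expect here. The line also passes the same path to `-in` and `-out`. I would not rely on in-place signing, and would instead write to a separate file and move it over the original only after verification succeeds, e.g. `-in test.dll -out test.signed.dll`. The step's `run:` block is only partly visible in this hunk.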
From a82594cf72cd8b7ae661ea38951350968e1ed6eb Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:42:20 +0200 Subject: [PATCH 102/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 +++- openssl-linux.conf | 11 +++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 openssl-linux.conf diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 9e56fac0..1b75e259 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -43,12 +43,14 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | + export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" + # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com - name: Verify with smctl env: 
diff --git a/openssl-linux.conf b/openssl-linux.conf new file mode 100644 index 00000000..dae8615b --- /dev/null +++ b/openssl-linux.conf @@ -0,0 +1,11 @@ +openssl_conf = openssl_init +[openssl_init] +engines = engine_section +[engine_section] +pkcs11 = pkcs11_section +[pkcs11_section] + +#Path to the OpenSSL PKCS11 Engine +dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" + +MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" \ No newline at end of file From b7b4aad73cd2261b36fcb73b64cd8454765f5762 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:44:49 +0200 Subject: [PATCH 103/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1b75e259..1d235ae4 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -45,7 +45,7 @@ jobs: run: | export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 92e30da3fb42a6a6dc45c062fedd4e2d1f6bf367 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:47:23 +0200 Subject: [PATCH 104/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
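Review bot: `MODULE_PATH` in the new openssl-linux.conf makes the PKCS#11 engine load a shared object from a directory under /tmp, and nothing in the file says who is expected to put it there. Presumably the digicert/ssm-code-signing step unpacks it in the same job, which is fine on a single-tenant hosted runner. On a self-hosted or shared runner /tmp is world-writable, and whatever sits at that path gets loaded into the signing process. A comment recording the assumption would help, e.g. `# smpkcs11.so is unpacked here by the DigiCert action; assumes a single-tenant runner`. The `engines-1.1` directory in `dynamic_path` is also tied to one OpenSSL major version, which is worth stating next to it.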
diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1d235ae4..983f53ab 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -45,7 +45,7 @@ jobs: run: | export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool="osslsigncode" + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" From 7427c5a769cf7d5bd5e8d7d1070c81cdb8d222a6 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:50:30 +0200 Subject: [PATCH 105/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 983f53ab..9f831b3c 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -32,6 +32,10 @@ jobs: run: | sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + - name: locate file + run: | + sudo find / -name "libpkcs11.so" + - name: Code signing with Secure Software Manager uses: digicert/ssm-code-signing@v0.0.2 env: From 9327d4fac635227f6a298cfdecb7bd870051eda9 Mon Sep 17 00:00:00 2001 
From: Sondre Solbakken Date: Thu, 3 Aug 2023 17:58:25 +0200 Subject: [PATCH 106/165] update --- .github/workflows/digicert-signing-linux.yaml | 8 ++++---- openssl-linux.conf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 9f831b3c..9b3e39c1 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -32,9 +32,9 @@ jobs: run: | sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd osslsigncode - - name: locate file - run: | - sudo find / -name "libpkcs11.so" + # - name: locate file + # run: | + # sudo find / -name "libpkcs11.so" - name: Code signing with Secure Software Manager uses: digicert/ssm-code-signing@v0.0.2 @@ -49,7 +49,7 @@ jobs: run: | export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" diff --git a/openssl-linux.conf b/openssl-linux.conf index dae8615b..8f06a806 100644 --- a/openssl-linux.conf +++ b/openssl-linux.conf 
@@ -6,6 +6,6 @@ pkcs11 = pkcs11_section [pkcs11_section] #Path to the OpenSSL PKCS11 Engine -dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" +dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so" MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" \ No newline at end of file From a60d069b643eb4c03c033c92a00dba1e0bad69d8 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:04:55 +0200 Subject: [PATCH 107/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++-- openssl-linux.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 9b3e39c1..55953ee1 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -30,7 +30,7 @@ jobs: - name: Install third-party required tools run: | - sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + sudo apt install -y openssl=1.1.1f libengine-pkcs11-openssl gnutls-bin xxd osslsigncode # - name: locate file # run: | 
@@ -49,7 +49,7 @@ jobs: run: | export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" diff --git a/openssl-linux.conf b/openssl-linux.conf index 8f06a806..dae8615b 100644 --- a/openssl-linux.conf +++ b/openssl-linux.conf @@ -6,6 +6,6 @@ pkcs11 = pkcs11_section [pkcs11_section] #Path to the OpenSSL PKCS11 Engine -dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so" +dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" \ No newline at end of file From c020b9d27acbefc64c1c3bdf3d08f93b42d5c5e0 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:08:54 +0200 Subject: [PATCH 108/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 55953ee1..088840cf 100644 --- a/.github/workflows/digicert-signing-linux.yaml 
+++ b/.github/workflows/digicert-signing-linux.yaml @@ -8,7 +8,7 @@ on: jobs: sign-with-linux: - runs-on: ubuntu-22.04 + runs-on: ubuntu-20.04 steps: - name: Checkout code uses: actions/checkout@v3 @@ -30,7 +30,7 @@ jobs: - name: Install third-party required tools run: | - sudo apt install -y openssl=1.1.1f libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + sudo apt install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode # - name: locate file # run: | From 14df25aacf3920c99fed7aca95f5f8bf7d77590d Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:11:54 +0200 Subject: [PATCH 109/165] update --- .github/workflows/digicert-signing-linux.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 088840cf..1309873e 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -30,11 +30,11 @@ jobs: - name: Install third-party required tools run: | - sudo apt install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode - # - name: locate file - # run: | - # sudo find / -name "libpkcs11.so" + - name: locate file + run: | + sudo find / -name "libpkcs11.so" - name: Code signing with Secure Software Manager uses: digicert/ssm-code-signing@v0.0.2 From aee2c0ba793548e1230ee18048cc29e995d38b91 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:17:14 +0200 Subject: [PATCH 110/165] update --- .github/workflows/digicert-signing-linux.yaml | 8 ++++---- openssl-linux.conf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1309873e..f9dd19e7 100644 
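Review bot: The install line now pins `openssl=1.1.1f-1ubuntu2.19`, an exact distro patch level of a security-sensitive package. The Ubuntu archive typically keeps only the newest build in its index, so the step is likely to fail with "version not found" as soon as the next OpenSSL update is published. While it does work, the pin holds the signing job on an older patch level. If the goal is only to stay on the 1.1 series so that the `engines-1.1` path resolves, choosing the runner image (`ubuntu-20.04`, which this commit already sets) achieves that and the line can stay `sudo apt-get install -y openssl libengine-pkcs11-openssl gnutls-bin xxd osslsigncode`.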
--- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -32,9 +32,9 @@ jobs: run: | sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode - - name: locate file - run: | - sudo find / -name "libpkcs11.so" + # - name: locate file + # run: | + # sudo find / -name "libpkcs11.so" - name: Code signing with Secure Software Manager uses: digicert/ssm-code-signing@v0.0.2 @@ -49,7 +49,7 @@ jobs: run: | export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" diff --git a/openssl-linux.conf b/openssl-linux.conf index dae8615b..eb28afc3 100644 --- a/openssl-linux.conf +++ b/openssl-linux.conf @@ -8,4 +8,4 @@ pkcs11 = pkcs11_section #Path to the OpenSSL PKCS11 Engine dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" \ No newline at end of file +MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" 
From a5df91f3e370f953186ffeda8062cd698a5c4070 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:35:47 +0200 Subject: [PATCH 111/165] update --- .github/workflows/digicert-signing-linux.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index f9dd19e7..d2d221ee 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -25,7 +25,6 @@ jobs: echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" - echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" shell: bash - name: Install third-party required tools 
@@ -47,11 +46,13 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" - smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + smctl sign --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" shell: bash + # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" + # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" + # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com From cd74ce8fc6b515c5310b2800687c887118683bec Mon Sep 17 00:00:00 2001 
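Review bot: The added `smctl sign` line expands `${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}` directly into the script text, so the value becomes part of the shell source before bash parses it. Passing it through the step's `env:` block keeps it as data: add `CERT_FINGERPRINT: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}` under `env:` and use `--fingerprint "$CERT_FINGERPRINT"` in the command. The same expansion appears in the next commit's `-v` variant of this line and in the later variant that adds `--config-file`.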
From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:37:41 +0200 Subject: [PATCH 112/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index d2d221ee..1d608d82 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -46,7 +46,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" + smctl sign -v --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 37d8223116031372f3a2504006ea3cd52e28691a Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:54:33 +0200 Subject: [PATCH 113/165] update --- .github/workflows/digicert-signing-linux.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1d608d82..91053fdf 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -29,7 +29,9 @@ jobs: - name: Install third-party required tools run: | - sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + sudo apt-get install -y osslsigncode + + # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode # - name: locate file # run: | 
@@ -46,7 +48,8 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign -v --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" + smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 339c48ae4ddc7656d7c89ea8900ae64eac202abb Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 18:57:34 +0200 Subject: [PATCH 114/165] update --- .github/workflows/digicert-signing-linux.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 91053fdf..58502396 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -29,9 +29,7 @@ jobs: - name: Install third-party required tools run: | - sudo apt-get install -y osslsigncode - - # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode # - name: locate file # run: | 
@@ -49,7 +47,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 93bcb075f65d941f85e99dfa7e3e9264e03d54a0 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 19:02:29 +0200 Subject: [PATCH 115/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 58502396..30a5f170 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -47,7 +47,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 2a9f54c40fd8a1ec951d72bb7319a8e01595c2b2 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 19:13:33 +0200 Subject: [PATCH 116/165] update --- .github/workflows/digicert-signing-linux.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 30a5f170..c0361cee 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
@@ -29,7 +29,10 @@ jobs: - name: Install third-party required tools run: | - sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode + wget https://github.com/ebourg/jsign/releases/download/4.0/jsign_4.0_all.deb + sudo dpkg --install jsign_4.0_all.deb + + # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode # - name: locate file # run: | @@ -47,7 +50,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -h sha256 -t http://timestamp.digicert.com + smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool jsign shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 93fbe870bd38dd49ff503023d5d7fd4ca4a9707b Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 19:14:45 +0200 Subject: [PATCH 117/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index c0361cee..209bc03f 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
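Review bot: The added install step downloads `jsign_4.0_all.deb` with `wget` and hands it to `sudo dpkg --install` without checking what was downloaded, in a job that also holds the signing credentials. I would pin the expected digest in the workflow and verify it before installing, e.g. `echo "<EXPECTED_SHA256>  jsign_4.0_all.deb" | sha256sum -c -` (placeholder; the real digest has to be taken from the release). The later switch to `curl` and version 3.1 has the same gap.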
@@ -50,7 +50,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool jsign + smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool jsign shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 6b6cd9ce323f109cc921c8f6ac497865e191ec9e Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 19:50:46 +0200 Subject: [PATCH 118/165] update --- .github/workflows/digicert-signing-linux.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 209bc03f..39cf3d6a 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -29,8 +29,8 @@ jobs: - name: Install third-party required tools run: | - wget https://github.com/ebourg/jsign/releases/download/4.0/jsign_4.0_all.deb - sudo dpkg --install jsign_4.0_all.deb + curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb + sudo dpkg --install jsign_3.1_all.deb # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode @@ -49,8 +49,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - smctl sign -v --keypair-alias="key_464138416" --certificate /home/runner/work/code-sign-action/code-sign-action/cert.pem --input "test.dll" --tool jsign + smctl healthcheck shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" 
From 6866ec2d0422072ab33f5ea5548c5451a45b236b Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:07:05 +0200 Subject: [PATCH 119/165] update --- .github/workflows/digicert-signing-linux.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 39cf3d6a..95939bec 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -25,12 +25,14 @@ jobs: echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH shell: bash - name: Install third-party required tools run: | curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb sudo dpkg --install jsign_3.1_all.deb + shell: bash # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode @@ -45,11 +47,16 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} + - name: Set PKCS11 config + run: | + echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" + shell: bash + - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl healthcheck + smctl keypair list shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 5ded5cbd538ac67e42ee7c29768ab80a67e05bac Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:18:50 +0200 Subject: [PATCH 120/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
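Review bot: The added `echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH` leaves the redirect target unquoted while the `"$GITHUB_ENV"` lines around it are quoted, and it puts a directory under /tmp on PATH for every later step. `>> "$GITHUB_PATH"` would match its neighbours. The directory presumably does not exist yet at this point, since the DigiCert action runs later, so a comment naming the step that creates it would help. Separately, the context lines of this step write `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` to GITHUB_ENV, which exposes them to all following steps, including the one that installs the downloaded jsign package. Step-level `env:` on only the steps that need them would narrow that.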
diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 95939bec..1a2e59d8 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -56,7 +56,7 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl keypair list + jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll shell: bash # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" From 6da7bdf46294011494e1042966e569542b162fc6 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:26:37 +0200 Subject: [PATCH 121/165] update --- .github/workflows/digicert-signing-linux.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1a2e59d8..afb7e57d 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -71,5 +71,6 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}/test.dll" + sudo apt-get install mono-devel + chktrust "${{ env.GITHUB_WORKSPACE }}/test.dll" shell: bash From d121563b228747be44f6299f3f0f864861200d91 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:38:45 +0200 Subject: [PATCH 122/165] update --- .github/workflows/digicert-signing-linux.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index afb7e57d..1f01bc3b 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
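Review bot: The added `jsign` command in the "Sign with smctl" step signs without a timestamp, whereas the earlier osslsigncode variant of this step passed a timestamp URL. Without a countersignature the signature's validity is presumably bounded by the certificate's lifetime. jsign accepts `--tsaurl`, so the line could end `--tsaurl http://timestamp.digicert.com --tsmode RFC3161 test.dll`. The step's `run:` block continues outside the hunk.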
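Review bot: `sudo apt-get install mono-devel` in the verify step has no `-y`, so on a non-interactive runner apt stops at the confirmation prompt as soon as it needs to pull in dependencies. The other install lines in this workflow pass `-y`, and `sudo apt-get install -y mono-devel` brings this one in line. Installing a toolchain inside the verification step also mixes setup with the check. It would read better in the "Install third-party required tools" step, so that the verify step holds only `chktrust "${{ env.GITHUB_WORKSPACE }}/test.dll"`.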
@@ -56,9 +56,12 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" shell: bash + # I think this works + # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll + # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com From d1f92a4ba96923c2e08149afe6dfc9ff6ab13017 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:42:03 +0200 Subject: [PATCH 123/165] update --- .github/workflows/digicert-signing-linux.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 1f01bc3b..a356feaf 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -74,6 +74,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - sudo apt-get install mono-devel - chktrust "${{ env.GITHUB_WORKSPACE }}/test.dll" + smctl sign verify --input "test.dll" shell: bash 
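Review bot: The new `smctl sign` line expands `${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}` directly inside the `run:` script, so the value is pasted into the generated shell file before bash parses it. Map it in the step's `env:` block instead, e.g. `CERT_FINGERPRINT: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}`, and pass `--fingerprint "$CERT_FINGERPRINT"`. The same expansion comes back in the later 'Sign with osslcodesign' and 'Working version of signing with smctl Jsign' steps. The keypair alias `key_464138416` is also hard-coded here and in every later command; a single `env:` entry would keep it in one place.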
From 31839f9ec4533d26861aaae0efb9c961c62688e4 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Thu, 3 Aug 2023 20:44:49 +0200 Subject: [PATCH 124/165] update --- .github/workflows/digicert-signing-linux.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index a356feaf..cc1093a0 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -32,6 +32,7 @@ jobs: run: | curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb sudo dpkg --install jsign_3.1_all.deb + sudo apt-get install -y osslsigncode shell: bash # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode @@ -74,5 +75,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign verify --input "test.dll" + osslsigncode verify -in "test.dll" shell: bash From 5275c204253bd78218dc6ae2ea9182bacce09b0a Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 09:41:02 +0200 Subject: [PATCH 125/165] update --- .github/workflows/digicert-signing-linux.yaml | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index cc1093a0..adde1577 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
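Review bot: `osslsigncode verify -in "test.dll"` in the second hunk only reports whether the signature on the file validates; it does not check that the signer is the expected certificate, so the step would pass just as well for a file signed with a different key. If the packaged osslsigncode supports it, pin the leaf certificate, e.g. `osslsigncode verify -require-leaf-hash sha256:<expected-leaf-sha256> -in "test.dll"`. The verify lines added in patches 128 and 130 have the same gap. The first hunk adds `sudo apt-get install -y osslsigncode` with no preceding `sudo apt-get update`, which can fail on a stale package index.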
@@ -53,23 +53,30 @@ jobs: echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" shell: bash - - name: Sign with smctl + - name: Sign with osslcodesign env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" shell: bash - # I think this works - # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll + # - name: Working version of signing with smctl Jsign + # env: + # GITHUB_WORKSPACE: ${{ github.workspace }} + # run: | + # smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" + # shell: bash + + # I think this works + # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll - # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" - # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h 
sha256 -t http://timestamp.digicert.com + # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" + # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" + # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com - # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" - # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" - # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com + # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" + # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" + # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com - name: Verify with smctl env: From a9fe85dfdacc19467fe723380363f46570ab28f0 Mon Sep 17 00:00:00 2001 
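Review bot: The renamed step 'Sign with osslcodesign' misspells the tool that `--tool="osslsigncode"` on the same command spells correctly; name it `Sign with osslsigncode` so the log matches the command. The hunk also keeps the previous step as a commented-out copy and re-indents a block of commented commands that embed runner-specific paths such as `/home/runner/work/code-sign-action/code-sign-action/cert.pem`; those alternatives would be easier to maintain in a README than as dead YAML. The hunk ends on the first lines of the 'Verify with smctl' step, whose body is outside it.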
From: Sondre Solbakken Date: Fri, 4 Aug 2023 09:56:15 +0200 Subject: [PATCH 126/165] update --- .github/workflows/digicert-signing-linux.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index adde1577..89addaa5 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -57,7 +57,8 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" --tool="osslsigncode" + smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" + osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # - name: Working version of signing with smctl Jsign From 26460106eb683ef5da3acd0f4064f107eac273cd Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 09:58:12 +0200 Subject: [PATCH 127/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index 89addaa5..e8bef706 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml 
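Review bot: `smctl cert save` writes the certificate to `${{ env.GITHUB_WORKSPACE }}`, but the `osslsigncode sign` line reads it from the literal path `/home/runner/work/code-sign-action/code-sign-action/cert.pem`, which only matches while the repository name and runner layout stay as they are. Use the same base for both, `-certs "$GITHUB_WORKSPACE/cert.pem"`. The timestamp is requested with `-t http://timestamp.digicert.com`, the legacy Authenticode form; `-ts` requests an RFC 3161 timestamp instead, which is worth confirming against what the timestamp service expects. The same command line is edited again in the two following patches.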
@@ -32,7 +32,7 @@ jobs: run: | curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb sudo dpkg --install jsign_3.1_all.deb - sudo apt-get install -y osslsigncode + sudo apt-get install -y osslsigncode libengine-pkcs11-openssl gnutls-bin xxd shell: bash # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode From fb83bf038312132e855b0e26096aa2b5c58305fd Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 10:03:48 +0200 Subject: [PATCH 128/165] update --- .github/workflows/digicert-signing-linux.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index e8bef706..beddcc7c 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -58,7 +58,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "sign.sh" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # - name: Working version of signing with smctl Jsign 
@@ -83,5 +83,5 @@ jobs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - osslsigncode verify -in "test.dll" + osslsigncode verify -in "signed-test.dll" shell: bash From 01e611b4097b1a74ca8be21cb1b372535c5a703e Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 10:05:09 +0200 Subject: [PATCH 129/165] update --- .github/workflows/digicert-signing-linux.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index beddcc7c..b17a99d2 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -58,7 +58,7 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "sign.sh" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com + osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash # - name: Working version of signing with smctl Jsign From 80dde5f48f31f199165a5da020b7f6c04cfd395c Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 10:09:05 +0200 Subject: [PATCH 130/165] update --- .github/workflows/digicert-signing-linux.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml index b17a99d2..df34cdfe 100644 --- a/.github/workflows/digicert-signing-linux.yaml +++ b/.github/workflows/digicert-signing-linux.yaml @@ -53,7 +53,7 @@ jobs: echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" shell: bash - - name: Sign with osslcodesign + - name: Working version of signing with osslcodesign env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | @@ -61,12 +61,12 @@ jobs: osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com shell: bash - # - name: Working version of signing with smctl Jsign - # env: - # GITHUB_WORKSPACE: ${{ github.workspace }} - # run: | - # smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" - # shell: bash + - name: Working version of signing with smctl Jsign + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + run: | + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" + shell: bash # I think this works # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll 
@@ -84,4 +84,5 @@ jobs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | osslsigncode verify -in "signed-test.dll" + osslsigncode verify -in "test.dll" shell: bash From de2023e7b3be4e6a9442577e3381c1213363d28b Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 10:47:58 +0200 Subject: [PATCH 131/165] Try updated action file --- .github/workflows/run-action.yaml | 64 ++++++++++++++----------------- action.yaml | 33 ++++++++-------- 2 files changed, 45 insertions(+), 52 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 9082c89e..9e00d1fa 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -4,7 +4,7 @@ on: push: branches: - main - - 'releases/*' + - "releases/*" jobs: run-action: 
@@ -27,33 +27,27 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.266 + uses: cognitedata/code-sign-action/@v1.267 with: path-to-binary: 'files\wmp.dll' - - name: Run the action for all binaries under a folder - env: - CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.266 - with: - path-to-binary: 'files' - options: '-Recurse' + # - name: Run the action for all binaries under a folder + # env: + # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + # uses: cognitedata/code-sign-action/@v1.267 + # with: + # path-to-binary: "files" + # options: "-Recurse" run-action-linux: - runs-on: ubuntu-22.04 + runs-on: ubuntu-20.04 steps: - - name: Copy libraries - run: | - ls - mkdir files - wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll - cd files - mkdir subdirectory - cp test.dll subdirectory + - name: Checkout code + uses: actions/checkout@v3 - name: Run the action for a single binary env: 
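Review bot: The new `uses: actions/checkout@v3` step, like `cognitedata/code-sign-action/@v1.267`, is referenced by a movable tag in a job that passes the code-signing secrets to its steps. Pin third-party actions to a full commit SHA with the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, so a retagged release cannot change what runs next to those secrets. The hunk also moves the Linux job from `ubuntu-22.04` to `ubuntu-20.04` without explanation; a one-line comment giving the reason would help the next maintainer.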
@@ -62,18 +56,18 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.266 + uses: cognitedata/code-sign-action/@v1.267 with: - path-to-binary: 'files/test.dll' + path-to-binary: "test.dll" - - name: Run the action for all binaries under a folder - env: - CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.266 - with: - path-to-binary: 'files' - options: '-Recurse' + # - name: Run the action for all binaries under a folder + # env: + # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + # uses: cognitedata/code-sign-action/@v1.267 + # with: + # path-to-binary: 'files' + # options: '-Recurse' diff --git a/action.yaml b/action.yaml index e42deabd..aabef645 100644 --- a/action.yaml +++ b/action.yaml 
@@ -1,14 +1,14 @@ -name: 'Sign binary' -description: 'Sign a binary using a code signing certificate' +name: "Sign binary" +description: "Sign a binary using a code signing certificate" inputs: path-to-binary: - description: 'The folder that contains the files to sign' + description: "The folder that contains the files to sign" required: true options: description: 'Use "-Recurse" to recursively search for files' required: false runs: - using: 'composite' + using: "composite" steps: - name: Setup Certificate run: | @@ -36,15 +36,15 @@ runs: SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} -# - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} -# if: runner.os == 'Windows' -# shell: pwsh -# -# - run: | -# sudo apt install osslsigncode -# ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} -# if: runner.os == 'Linux' -# shell: bash + # - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} + # if: runner.os == 'Windows' + # shell: pwsh + # + # - run: | + # sudo apt install osslsigncode + # ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} + # if: runner.os == 'Linux' + # shell: bash - name: Sign with smctl env: 
@@ -60,9 +60,8 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - sudo apt install osslsigncode - smctl cert save --keypair-alias="key_464138416" --out "${{ env.GITHUB_WORKSPACE }}" - osslsigncode sign -pkcs11engine "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -pkcs11module /root/smpkcs11.so -certs "${{ env.GITHUB_WORKSPACE }}/cert_464138416.pem" -key 'pkcs11:object=key_464138416;type=private' -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -out "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" -h sha256 -t http://timestamp.digicert.com - osslsigncode verify -in "${{ env.GITHUB_WORKSPACE }}/${{ inputs.path-to-binary }}" + curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb + sudo dpkg --install jsign_3.1_all.deb + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" if: runner.os == 'Linux' shell: bash From fdef969c699e6eafdcff2e028672f3a8c02bf8f3 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 10:56:47 +0200 Subject: [PATCH 132/165] Try updated action file --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 9e00d1fa..b34221f6 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.267 + uses: cognitedata/code-sign-action/@v1.268 with: path-to-binary: 'files\wmp.dll' 
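Review bot: The added `curl -fSslL ... -o jsign_3.1_all.deb` followed by `sudo dpkg --install jsign_3.1_all.deb` installs a downloaded package as root without checking its digest, inside the step that performs the signing. Add a checksum line between the two commands, `echo "<expected-sha256>  jsign_3.1_all.deb" | sha256sum -c -`, with the digest recorded in the repository. The new `smctl sign` line also signs the literal `--input "test.dll"` and no longer uses `inputs.path-to-binary`, so a caller's path is ignored; pass the input through an `env:` entry and sign `"$GITHUB_WORKSPACE/$BINARY_PATH"` instead.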
@@ -56,7 +56,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.267 + uses: cognitedata/code-sign-action/@v1.268 with: path-to-binary: "test.dll" diff --git a/action.yaml b/action.yaml index aabef645..4ab12ba5 100644 --- a/action.yaml +++ b/action.yaml @@ -62,6 +62,6 @@ runs: run: | curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb sudo dpkg --install jsign_3.1_all.deb - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" if: runner.os == 'Linux' shell: bash From 6b9c999d634c28333885a54e82be2cdb8739c43e Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 11:07:22 +0200 Subject: [PATCH 133/165] Try updated action file --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index b34221f6..fa22cd3e 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.268 + uses: cognitedata/code-sign-action/@v1.269 with: path-to-binary: 'files\wmp.dll' 
@@ -56,7 +56,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.268 + uses: cognitedata/code-sign-action/@v1.269 with: path-to-binary: "test.dll" diff --git a/action.yaml b/action.yaml index 4ab12ba5..588d2dfd 100644 --- a/action.yaml +++ b/action.yaml @@ -12,9 +12,9 @@ runs: steps: - name: Setup Certificate run: | - if ${{ runner.os }} == 'Windows'; then + if "${{ runner.os }}" == 'Windows'; then echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12; - elif {{ runner.os }} == 'Linux'; then + elif "${{ runner.os }}" == 'Linux'; then echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12; fi shell: bash From 5a6748126152787d7f28d89254403cc1dcaf1dd7 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 11:12:37 +0200 Subject: [PATCH 134/165] Try updated action file --- action.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/action.yaml b/action.yaml index 588d2dfd..3ff9a5b6 100644 --- a/action.yaml +++ b/action.yaml 
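Review bot: In the `action.yaml` hunk, `if "${{ runner.os }}" == 'Windows'; then` is still not a test: bash runs the expanded word (`Windows` or `Linux`) as a command with `==` and `'Windows'` as arguments, the lookup fails, and neither branch writes the `.p12` file while the step still exits 0. Wrap both conditions in brackets, `if [ "${{ runner.os }}" = 'Windows' ]; then` and `elif [ "${{ runner.os }}" = 'Linux' ]; then`, or compare the predefined `"$RUNNER_OS"` variable. An `else` branch that exits non-zero would make an unsupported runner fail here rather than later in signing.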
@@ -10,13 +10,16 @@ inputs: runs: using: "composite" steps: - - name: Setup Certificate + - name: Setup Certificate Windows run: | - if "${{ runner.os }}" == 'Windows'; then - echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12; - elif "${{ runner.os }}" == 'Linux'; then - echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12; - fi + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 + if: runner.os == 'Windows' + shell: bash + + - name: Setup Certificate Linux + run: | + echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 + if: runner.os == 'Linux' shell: bash - name: Set variables From 20c9cabeba344eeb4c2031954a57fd89d18e5111 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 11:13:15 +0200 Subject: [PATCH 135/165] Try updated action file --- .github/workflows/run-action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index fa22cd3e..1ca8fb65 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.269 + uses: cognitedata/code-sign-action/@v1.270 with: path-to-binary: 'files\wmp.dll' 
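Review bot: The Linux step writes the decoded client certificate with `sudo install -D /dev/stdin ...`, and `install` defaults to mode 0755, so the PKCS#12 file ends up readable by every user on the runner; the Windows step's `>` redirect likewise relies on default permissions. Restrict it at creation, e.g. `sudo install -D -m 600 -o "$(id -un)" /dev/stdin /d/cognite_code_signing_github_actions.p12`, and delete the file in a final step guarded by `if: always()`. Both steps also paste `${{env.CLIENT_CERTIFICATE }}` into the script text; if the caller's `CLIENT_CERTIFICATE` variable reaches composite steps (to be confirmed), `printf '%s' "$CLIENT_CERTIFICATE" | base64 --decode` avoids the template expansion.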
@@ -56,7 +56,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.269 + uses: cognitedata/code-sign-action/@v1.270 with: path-to-binary: "test.dll" From 60db8b5227844dd4f290c6b2f0d147f9728c8288 Mon Sep 17 00:00:00 2001 From: Sondre Solbakken Date: Fri, 4 Aug 2023 11:29:21 +0200 Subject: [PATCH 136/165] Try updated action file --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 10 +++++++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 1ca8fb65..495dfaed 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -27,7 +27,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.270 + uses: cognitedata/code-sign-action/@v1.271 with: path-to-binary: 'files\wmp.dll' @@ -56,7 +56,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.270 + uses: cognitedata/code-sign-action/@v1.271 with: path-to-binary: "test.dll" diff --git a/action.yaml b/action.yaml index 3ff9a5b6..388b7fa0 100644 --- a/action.yaml +++ b/action.yaml 
@@ -27,9 +27,17 @@ runs: run: | echo "SM_HOST=${{ env.CERTIFICATE_HOST }}" >> "$GITHUB_ENV" echo "SM_API_KEY=${{ env.CERTIFICATE_HOST_API_KEY }}" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" echo "SM_CLIENT_CERT_PASSWORD=${{ env.CLIENT_CERTIFICATE_PASSWORD }}" >> "$GITHUB_ENV" echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV" + if [ "${{ runner.os }}" == "Windows" ] + then + echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + elif [ "${{ runner.os }}" == "Linux" ] + then + echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" + echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" + echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH + fi shell: bash - name: Code signing with Secure Software Manager From 6a9379fb4b44441df47778d16594b4ebd64841ae Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 13:54:50 +0200 Subject: [PATCH 137/165] Update action version --- .github/workflows/run-action.yaml | 73 ++++++++++++++++-------------- action.yaml | 37 ++++++--------- test.dll => test/test.dll | Bin 3 files changed, 52 insertions(+), 58 deletions(-) rename test.dll => test/test.dll (100%) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 495dfaed..509278c0 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
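Review bot: The new `if`/`elif` on `runner.os` has no `else`, so on any other runner (macOS, for example) `SM_CLIENT_CERT_FILE` is never exported and the failure only surfaces later inside `smctl`. Add a final branch that stops the step, `else echo "unsupported runner OS: ${{ runner.os }}" >&2; exit 1`. A short comment above the block saying why the certificate path differs per OS (`D:\\...` versus `/d/...`) would also help.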
@@ -10,15 +10,18 @@ jobs: run-action: runs-on: windows-2022 steps: - - name: Copy libraries - shell: cmd - run: | - dir - mkdir files - copy C:\Windows\System32\wmp.dll files - cd files - mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory + - name: Checkout code + uses: actions/checkout@v3 + +# - name: Copy libraries +# shell: cmd +# run: | +# dir +# mkdir files +# copy C:\Windows\System32\wmp.dll files +# cd files +# mkdir subdirectory +# copy C:\Windows\System32\wmp.dll subdirectory - name: Run the action for a single binary env: @@ -27,21 +30,21 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.271 + uses: cognitedata/code-sign-action/@v1.272 with: - path-to-binary: 'files\wmp.dll' + path-to-binary: 'files\test.dll' + + - name: Run the action for a single binary + env: + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.272 + with: + path-to-binary: 'files' - # - name: Run the action for all binaries under a folder - # env: - # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - # uses: cognitedata/code-sign-action/@v1.267 - # with: - # path-to-binary: "files" - # options: "-Recurse" run-action-linux: runs-on: ubuntu-20.04 
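Review bot: In the second hunk the Windows job signs `files\test.dll` and `files`, but this patch comments out the 'Copy libraries' step that created `files`, and its diffstat renames `test.dll` to `test/test.dll`, so after checkout neither path should exist; the Linux job in the next hunk uses `test/test.dll` and `test`. Use `path-to-binary: 'test\test.dll'` and `path-to-binary: 'test'` here. The second step reuses the name 'Run the action for a single binary' although it passes a folder; the step it replaces was called 'Run the action for all binaries under a folder', and the Linux job repeats the duplicate name.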
@@ -56,18 +59,18 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.271 + uses: cognitedata/code-sign-action/@v1.272 + with: + path-to-binary: "test/test.dll" + + - name: Run the action for a single binary + env: + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.272 with: - path-to-binary: "test.dll" + path-to-binary: "test" - # - name: Run the action for all binaries under a folder - # env: - # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - # uses: cognitedata/code-sign-action/@v1.267 - # with: - # path-to-binary: 'files' - # options: '-Recurse' diff --git a/action.yaml b/action.yaml index 388b7fa0..9778842b 100644 --- a/action.yaml +++ b/action.yaml 
@@ -47,32 +47,23 @@ runs: SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} - # - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }} - # if: runner.os == 'Windows' - # shell: pwsh - # - # - run: | - # sudo apt install osslsigncode - # ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }} - # if: runner.os == 'Linux' - # shell: bash - - name: Sign with smctl env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - smctl windows certsync --keypair-alias="key_464138416" - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" + file_path="${{ inputs.path-to-binary }}" + for f in $(find $file_path -type f); do + if [ "${{ runner.os }}" == "Windows" ] + then + smctl windows certsync --keypair-alias="key_464138416" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\$f" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" + elif [ "${{ runner.os }}" == "Linux" ] + then + curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb + sudo dpkg --install jsign_3.1_all.deb + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "${{ env.GITHUB_WORKSPACE }}/$f" + fi + done if: runner.os == 'Windows' shell: bash - - - name: Sign with smctl - env: - GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb - sudo dpkg --install jsign_3.1_all.deb - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing 
Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" - if: runner.os == 'Linux' - shell: bash diff --git a/test.dll b/test/test.dll similarity index 100% rename from test.dll rename to test/test.dll From 6503b00ef35eb6e11653e571b41cf2a58b19fdcb Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:04:08 +0200 Subject: [PATCH 138/165] Echo file path --- .github/workflows/run-action.yaml | 12 ++++++------ action.yaml | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 509278c0..dfde0572 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,18 +30,18 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.272 + uses: cognitedata/code-sign-action/@v1.273 with: path-to-binary: 'files\test.dll' - - name: Run the action for a single binary + - name: Run the action for multiple binaries in a directory env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.272 + uses: cognitedata/code-sign-action/@v1.273 with: path-to-binary: 'files' 
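Review bot: `file_path="${{ inputs.path-to-binary }}"` pastes the action input into the script text before bash runs, so quotes or `$(...)` in the caller's value become shell code in a step that can reach the signing credentials. The loop `for f in $(find $file_path -type f)` then word-splits any path that contains spaces. Pass the input through `env:` and iterate NUL-delimited, as in the excerpt below. Separately, `"${{ env.GITHUB_WORKSPACE }}\$f"` escapes the dollar sign, so smctl receives a literal `$f` instead of the file name; the same string survives in the `smctl sign verify` line of the later Windows-step hunks. The step keeps `if: runner.os == 'Windows'` while the Linux-only step is removed, so the `elif` branch looks unreachable.

```yaml
env:
  GITHUB_WORKSPACE: ${{ github.workspace }}
  INPUT_PATH: ${{ inputs.path-to-binary }}
run: |
  find "$INPUT_PATH" -type f -print0 | while IFS= read -r -d '' f; do
    # … unchanged: runner.os branches, certsync / jsign setup; the Linux call takes the same --input "$f" …
    smctl sign --fingerprint "$SM_CODE_SIGNING_CERT_SHA1_HASH" --input "$f"
    smctl sign verify --input "$f"
  done
```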
@@ -52,14 +52,14 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Run the action for a single binary + - name: Run the action for multiple binaries in a directory env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.272 + uses: cognitedata/code-sign-action/@v1.273 with: path-to-binary: "test/test.dll" @@ -70,7 +70,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.272 + uses: cognitedata/code-sign-action/@v1.273 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index 9778842b..d9ea273a 100644 --- a/action.yaml +++ b/action.yaml @@ -53,6 +53,7 @@ runs: run: | file_path="${{ inputs.path-to-binary }}" for f in $(find $file_path -type f); do + echo $f if [ "${{ runner.os }}" == "Windows" ] then smctl windows certsync --keypair-alias="key_464138416" From fdeeb71c3e809eed9af5f0f1d2c951a756b09af0 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:09:22 +0200 Subject: [PATCH 139/165] Change to absolute path --- action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yaml b/action.yaml index d9ea273a..b42afb99 100644 --- a/action.yaml +++ b/action.yaml @@ -51,7 +51,7 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | - file_path="${{ inputs.path-to-binary }}" + file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" for f in $(find $file_path -type f); do echo $f if [ "${{ runner.os }}" == "Windows" ] 
From 56ba5d38ee1eecf7349a54c0338239f5ff3e7329 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:10:47 +0200 Subject: [PATCH 140/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index dfde0572..2d88e62b 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.273 + uses: cognitedata/code-sign-action/@v1.274 with: path-to-binary: 'files\test.dll' @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.273 + uses: cognitedata/code-sign-action/@v1.274 with: path-to-binary: 'files' @@ -59,7 +59,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.273 + uses: cognitedata/code-sign-action/@v1.274 with: path-to-binary: "test/test.dll" @@ -70,7 +70,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.273 + uses: cognitedata/code-sign-action/@v1.274 with: path-to-binary: "test" From 43eddacc0b3f8a0aa7c62435f2accdf638b859e5 Mon Sep 17 00:00:00 2001 
From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:23:06 +0200 Subject: [PATCH 141/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 28 +++++++++++++++++----------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 2d88e62b..0b07e64e 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.274 + uses: cognitedata/code-sign-action/@v1.275 with: path-to-binary: 'files\test.dll' @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.274 + uses: cognitedata/code-sign-action/@v1.275 with: path-to-binary: 'files' @@ -59,7 +59,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.274 + uses: cognitedata/code-sign-action/@v1.275 with: path-to-binary: "test/test.dll" @@ -70,7 +70,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.274 + uses: cognitedata/code-sign-action/@v1.275 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index b42afb99..207a531b 100644 --- a/action.yaml +++ b/action.yaml 
@@ -51,20 +51,26 @@ runs: env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | + smctl windows certsync --keypair-alias="key_464138416" file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" for f in $(find $file_path -type f); do echo $f - if [ "${{ runner.os }}" == "Windows" ] - then - smctl windows certsync --keypair-alias="key_464138416" - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\$f" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" - elif [ "${{ runner.os }}" == "Linux" ] - then - curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb - sudo dpkg --install jsign_3.1_all.deb - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "${{ env.GITHUB_WORKSPACE }}/$f" - fi + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" done if: runner.os == 'Windows' shell: bash + + + - name: Sign with smctl + env: + run: | + curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb + sudo dpkg --install jsign_3.1_all.deb + file_path="${{ inputs.path-to-binary }}" + for f in $(find $file_path -type f); do + echo $f + smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f" + done + if: runner.os == 'Linux' + shell: bash From 45792581c61819b4ea42008b74274e92d3515397 Mon Sep 17 00:00:00 2001 
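Review bot: The new Linux step downloads `jsign_3.1_all.deb` with curl and installs it with `sudo dpkg --install` without checking its integrity, in the same job that holds the signing client certificate and API key. Pin the expected digest and verify it before installing, e.g. `echo "<expected-sha256>  jsign_3.1_all.deb" | sha256sum -c -` (placeholder digest; record the real one from a vetted copy of the release). The Linux loop also has no verification call after `smctl sign -v`, unlike the Windows loop, so it is worth confirming how a bad signature would be caught on that platform.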
From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:25:00 +0200 Subject: [PATCH 142/165] Update action version --- .github/workflows/run-action.yaml | 8 ++++---- action.yaml | 5 ++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 0b07e64e..2acd3cea 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.275 + uses: cognitedata/code-sign-action/@v1.276 with: path-to-binary: 'files\test.dll' @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.275 + uses: cognitedata/code-sign-action/@v1.276 with: path-to-binary: 'files' @@ -59,7 +59,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.275 + uses: cognitedata/code-sign-action/@v1.276 with: path-to-binary: "test/test.dll" @@ -70,7 +70,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.275 + uses: cognitedata/code-sign-action/@v1.276 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index 207a531b..ba8a96da 100644 --- a/action.yaml +++ b/action.yaml 
@@ -47,7 +47,7 @@ runs: SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} - - name: Sign with smctl + - name: Sign with smctl Windows env: GITHUB_WORKSPACE: ${{ github.workspace }} run: | @@ -62,8 +62,7 @@ runs: shell: bash - - name: Sign with smctl - env: + - name: Sign with smctl Linux run: | curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb sudo dpkg --install jsign_3.1_all.deb From ce1fcc74192b58f0eb95724cb7650ed294f85d8a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:39:23 +0200 Subject: [PATCH 143/165] Only run action for single binary on Linux --- .github/workflows/run-action.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 2acd3cea..5c8f1167 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -52,16 +52,16 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Run the action for multiple binaries in a directory - env: - CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.276 - with: - path-to-binary: "test/test.dll" +# - name: Run the action for multiple binaries in a directory +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.276 +# with: +# path-to-binary: "test/test.dll" - name: Run the action for a single binary env: From d6f7ead28999c5aeca0a1a627c57cc33d17e8b2b Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 14:44:17 +0200 Subject: [PATCH 144/165] Try dir instead of find on Windows --- .github/workflows/run-action.yaml | 25 ++++++++++++------------- action.yaml | 2 +- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 5c8f1167..ca997b4c 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -30,20 +30,20 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.276 + uses: cognitedata/code-sign-action/@v1.277 with: path-to-binary: 'files\test.dll' - - name: Run the action for multiple binaries in a directory - env: - CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.276 - with: - path-to-binary: 'files' +# - name: Run the action for multiple binaries in a directory +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.276 +# with: +# path-to-binary: 'files' run-action-linux: @@ -70,7 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.276 + uses: cognitedata/code-sign-action/@v1.277 with: path-to-binary: "test" - diff --git a/action.yaml b/action.yaml index ba8a96da..7f75cad5 100644 --- a/action.yaml +++ b/action.yaml 
@@ -53,7 +53,7 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - for f in $(find $file_path -type f); do + for f in $(dir /B /s /A-D $file_path); do echo $f smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" From 4322a4a6ee341887289e84a18ac9314d45930084 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 15:01:25 +0200 Subject: [PATCH 145/165] Try Windows powershell --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 13 +++++++++---- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index ca997b4c..729abdb8 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.277 + uses: cognitedata/code-sign-action/@v1.278 with: path-to-binary: 'files\test.dll' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.277 + uses: cognitedata/code-sign-action/@v1.278 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index 7f75cad5..47f54601 100644 --- a/action.yaml +++ b/action.yaml 
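Review bot: `dir /B /s /A-D` is a cmd.exe builtin with cmd switches, but this step still runs under `shell: bash`. There `dir` is at best a different program and `/B`, `/s`, `/A-D` are read as paths, so the loop will not enumerate the files as intended. Either keep `find "$file_path" -type f` with a path form the bash tools accept, or move the whole step to PowerShell and use `Get-ChildItem -File -Recurse`. The `$(...)` expansion is unquoted in both variants, so file names with spaces are split either way.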
@@ -53,13 +53,18 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - for f in $(dir /B /s /A-D $file_path); do - echo $f + Get-ChildItem -Path $file_path -File -Recurse | % { + Write-Host $_.FullName smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" - done + } +# for f in $(dir /B /s /A-D $file_path); do +# echo $f +# smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" +# smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" +# done if: runner.os == 'Windows' - shell: bash + shell: powershell - name: Sign with smctl Linux From 301bc3b95e2cfe766049e668abffef3447f10e3a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 15:03:48 +0200 Subject: [PATCH 146/165] Try Windows powershell --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 729abdb8..01504b73 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.278 + uses: cognitedata/code-sign-action/@v1.279 with: path-to-binary: 'files\test.dll' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.278 + uses: cognitedata/code-sign-action/@v1.279 with: path-to-binary: "test" 
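Review bot: Inside the `Get-ChildItem ... | % { ... }` block both smctl calls still pass `"$f"`, a variable that nothing assigns in PowerShell. smctl is therefore handed an empty or workspace-only path instead of the file that `Write-Host $_.FullName` prints; use `--input $_.FullName`. The line `file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}"` is bash assignment syntax and has to become `$file_path = "..."` now that the step runs with `shell: powershell`. The same two leftovers reappear in the later hunk that adds the `Test-Path -PathType Leaf` branch.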
diff --git a/action.yaml b/action.yaml index 47f54601..9f518d20 100644 --- a/action.yaml +++ b/action.yaml @@ -55,8 +55,8 @@ runs: file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" Get-ChildItem -Path $file_path -File -Recurse | % { Write-Host $_.FullName - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$_.FullName" + smctl sign verify --input "$_.FullName" } # for f in $(dir /B /s /A-D $file_path); do # echo $f From b9c9b22cca12b0fd5fa00f8992cdf2e89fb2b07e Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 15:15:48 +0200 Subject: [PATCH 147/165] Try Windows bash --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 17 ++++++----------- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 01504b73..50bbd741 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.279 + uses: cognitedata/code-sign-action/@v1.28 with: path-to-binary: 'files\test.dll' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.279 + uses: cognitedata/code-sign-action/@v1.28 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index 9f518d20..6f888942 100644 --- a/action.yaml +++ b/action.yaml 
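Review bot: In a double-quoted PowerShell string, `"$_.FullName"` expands only `$_` and then appends the literal text `.FullName`, so both smctl calls receive a path that does not exist. Property access inside a string needs the subexpression form, `--input "$($_.FullName)"`, or the bare argument `--input $_.FullName`. `Write-Host $_.FullName` on the line above is not quoted and prints the right value, which makes the log look correct while the path passed to smctl is not.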
@@ -53,18 +53,13 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - Get-ChildItem -Path $file_path -File -Recurse | % { - Write-Host $_.FullName - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$_.FullName" - smctl sign verify --input "$_.FullName" - } -# for f in $(dir /B /s /A-D $file_path); do -# echo $f -# smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" -# smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" -# done + for f in $(ls -R1 $file_path | while read l; do case $l in *:) d=${l%:};; "") d=;; *) echo "$d/$l";; esac; done); do + echo $f + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" + smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" + done if: runner.os == 'Windows' - shell: powershell + shell: bash - name: Sign with smctl Linux From a6817acc7cb121b82e199aa67b1c9f8b463ea01b Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 15:19:12 +0200 Subject: [PATCH 148/165] Replace checkout --- .github/workflows/run-action.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 50bbd741..fb550b12 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -13,15 +13,15 @@ jobs: - name: Checkout code uses: actions/checkout@v3 -# - name: Copy libraries -# shell: cmd -# run: | -# dir -# mkdir files -# copy C:\Windows\System32\wmp.dll files -# cd files -# mkdir subdirectory -# copy C:\Windows\System32\wmp.dll subdirectory + - name: Copy libraries + shell: cmd + run: | + dir + mkdir files + copy C:\Windows\System32\wmp.dll files + cd files + mkdir subdirectory + copy C:\Windows\System32\wmp.dll subdirectory - name: Run the action for a single binary env: 
@@ -32,7 +32,7 @@ jobs: CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} uses: cognitedata/code-sign-action/@v1.28 with: - path-to-binary: 'files\test.dll' + path-to-binary: 'files\wmp.dll' # - name: Run the action for multiple binaries in a directory # env: From 5c5af77874b12f46ee3b9193623e1f796776510a Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Fri, 4 Aug 2023 16:02:15 +0200 Subject: [PATCH 149/165] Try Windows powershell --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 16 +++++++++++----- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index fb550b12..347ecfe9 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.28 + uses: cognitedata/code-sign-action/@v1.281 with: path-to-binary: 'files\wmp.dll' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.28 + uses: cognitedata/code-sign-action/@v1.281 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index 6f888942..f046faa9 100644 --- a/action.yaml +++ b/action.yaml 
@@ -53,13 +53,19 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" - for f in $(ls -R1 $file_path | while read l; do case $l in *:) d=${l%:};; "") d=;; *) echo "$d/$l";; esac; done); do - echo $f + if (Test-Path -Path $file_path -PathType Leaf) { smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\$f" - done + smctl sign verify --input "$f" + } + else { + Get-ChildItem -Path $file_path -File -Recurse | % { + Write-Host $_.FullName + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" + smctl sign verify --input "$f" + } + } if: runner.os == 'Windows' - shell: bash + shell: powershell - name: Sign with smctl Linux From fbafcac10b972ad74d6a3a7b33efe80f6b2fd0c7 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 12:41:20 +0200 Subject: [PATCH 150/165] Try Windows powershell --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 347ecfe9..e9b5431b 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.281 + uses: cognitedata/code-sign-action/@v1.282 with: path-to-binary: 'files\wmp.dll' 
@@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.281 + uses: cognitedata/code-sign-action/@v1.282 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index f046faa9..fec8ed4f 100644 --- a/action.yaml +++ b/action.yaml @@ -52,7 +52,7 @@ runs: GITHUB_WORKSPACE: ${{ github.workspace }} run: | smctl windows certsync --keypair-alias="key_464138416" - file_path="${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" + $file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" if (Test-Path -Path $file_path -PathType Leaf) { smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" smctl sign verify --input "$f" From ae9a5a92fc47944f44011b28ed0f8256be75e514 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 12:50:11 +0200 Subject: [PATCH 151/165] Try Windows powershell --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index e9b5431b..a0a4ba16 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.282 + uses: cognitedata/code-sign-action/@v1.283 with: path-to-binary: 'files\wmp.dll' 
@@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.282 + uses: cognitedata/code-sign-action/@v1.283 with: path-to-binary: "test" diff --git a/action.yaml b/action.yaml index fec8ed4f..8b799820 100644 --- a/action.yaml +++ b/action.yaml @@ -54,14 +54,14 @@ runs: smctl windows certsync --keypair-alias="key_464138416" $file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" if (Test-Path -Path $file_path -PathType Leaf) { - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" - smctl sign verify --input "$f" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $file_path + smctl sign verify --input $file_path } else { Get-ChildItem -Path $file_path -File -Recurse | % { Write-Host $_.FullName - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "$f" - smctl sign verify --input "$f" + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $_.FullName + smctl sign verify --input $_.FullName } } if: runner.os == 'Windows' From 0b9b372c6b422e1dc8e76d9d442ce04f0bc77359 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 12:53:34 +0200 Subject: [PATCH 152/165] Try Windows powershell --- .github/workflows/run-action.yaml | 52 +++++++++++++++---------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index a0a4ba16..19ba62d6 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
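Review bot: Neither branch of the action.yaml hunk checks the result of `smctl sign` or `smctl sign verify`. PowerShell does not stop on a non-zero exit from a native program, and the step status presumably follows only the last command's exit code, so a failure on an earlier file in the `Get-ChildItem` loop can leave the step green with an unsigned binary. Check after each call, e.g. `if ($LASTEXITCODE -ne 0) { throw "smctl failed for $($_.FullName)" }`. `$file_path` is also built by interpolating `${{ inputs.path-to-binary }}` into a double-quoted string, where `$(...)` in the caller's value would be evaluated; reading it from an `env:` entry (say `$env:INPUT_PATH`) keeps it as data.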
@@ -23,7 +23,18 @@ jobs: mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory - - name: Run the action for a single binary +# - name: Run the action for a single binary +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.283 +# with: +# path-to-binary: 'files\wmp.dll' + + - name: Run the action for multiple binaries in a directory env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} @@ -32,18 +43,7 @@ jobs: CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} uses: cognitedata/code-sign-action/@v1.283 with: - path-to-binary: 'files\wmp.dll' - -# - name: Run the action for multiple binaries in a directory -# env: -# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} -# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} -# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} -# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} -# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.276 -# with: -# path-to-binary: 'files' + path-to-binary: 'files' run-action-linux: 
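Review bot: The step enabled here passes five signing secrets to `cognitedata/code-sign-action/@v1.283`, a published tag of what appears to be this same repository, so the workflow exercises the tagged release rather than the commit under test and every experiment needs a new tag. If the job checks out the repository before this step (not visible in this hunk), `uses: ./` would run the action.yaml from the checked-out commit. Where a published reference is kept, pinning it to a full commit SHA keeps the secrets from following a tag that can be moved.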
@@ -52,18 +52,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 -# - name: Run the action for multiple binaries in a directory -# env: -# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} -# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} -# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} -# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} -# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.276 -# with: -# path-to-binary: "test/test.dll" - - - name: Run the action for a single binary + - name: Run the action for multiple binaries in a directory env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} @@ -72,4 +61,15 @@ jobs: CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} uses: cognitedata/code-sign-action/@v1.283 with: - path-to-binary: "test" + path-to-binary: "test/test.dll" + +# - name: Run the action for a single binary +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.283 +# with: +# path-to-binary: "test" From fdf5269ae1e9a3cc8a7dc9a3b31465976f02fab0 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:17:36 +0200 Subject: [PATCH 153/165] Try Windows powershell --- .github/workflows/run-action.yaml | 38 +++++++++++++++---------------- action.yaml | 15 ++++++------ 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 19ba62d6..d620831c 100644 
--- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -23,27 +23,27 @@ jobs: mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory -# - name: Run the action for a single binary -# env: -# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} -# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} -# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} -# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} -# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.283 -# with: -# path-to-binary: 'files\wmp.dll' - - - name: Run the action for multiple binaries in a directory + - name: Run the action for a single binary env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.283 + uses: cognitedata/code-sign-action/@v1.284 with: - path-to-binary: 'files' + path-to-binary: 'files\wmp.dll' + +# - name: Run the action for multiple binaries in a directory +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.2 +# with: +# path-to-binary: 'files' run-action-linux: 
@@ -52,18 +52,18 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Run the action for multiple binaries in a directory + - name: Run the action for a single binary env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.283 + uses: cognitedata/code-sign-action/@v1.284 with: - path-to-binary: "test/test.dll" + path-to-binary: "test" -# - name: Run the action for a single binary +# - name: Run the action for multiple binaries in a directory # env: # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} @@ -72,4 +72,4 @@ jobs: # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} # uses: cognitedata/code-sign-action/@v1.283 # with: -# path-to-binary: "test" +# path-to-binary: "test/test.dll" diff --git a/action.yaml b/action.yaml index 8b799820..3c49f563 100644 --- a/action.yaml +++ b/action.yaml 
@@ -53,16 +53,17 @@ runs: run: | smctl windows certsync --keypair-alias="key_464138416" $file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" + $files_to_sign = @() if (Test-Path -Path $file_path -PathType Leaf) { - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $file_path - smctl sign verify --input $file_path + $files_to_sign = @($file_path) } else { - Get-ChildItem -Path $file_path -File -Recurse | % { - Write-Host $_.FullName - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $_.FullName - smctl sign verify --input $_.FullName - } + $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse) + } + foreach ( $f in $files_to_sign ) + { + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $f + smctl sign verify --input $f } if: runner.os == 'Windows' shell: powershell From a5cc6ec44773d8b1440394e85bb57bf4148fa8d6 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:21:16 +0200 Subject: [PATCH 154/165] Test multiple binaries --- .github/workflows/run-action.yaml | 54 +++++++++++++++---------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index d620831c..44de4cea 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
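Review bot: The new `foreach ( $f in $files_to_sign )` loop runs zero times when `path-to-binary` names a directory that contains no files, and the step then finishes successfully without having signed anything. For a signing step an empty work list should be an error, so guard the list before the loop with `if ($files_to_sign.Count -eq 0) { throw "No files to sign under $file_path" }`. The `run:` block begins outside this hunk.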
@@ -23,53 +23,53 @@ jobs: mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory - - name: Run the action for a single binary - env: - CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} - CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} - CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} - CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} - CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.284 - with: - path-to-binary: 'files\wmp.dll' - -# - name: Run the action for multiple binaries in a directory +# - name: Run the action for a single binary # env: # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.2 +# uses: cognitedata/code-sign-action/@v1.284 # with: -# path-to-binary: 'files' - - - run-action-linux: - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 +# path-to-binary: 'files\wmp.dll' - - name: Run the action for a single binary + - name: Run the action for multiple binaries in a directory env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.284 + uses: cognitedata/code-sign-action/@v1.2 with: - path-to-binary: "test" + path-to-binary: 'files' -# - name: Run the action for multiple binaries in a directory + + run-action-linux: + runs-on: ubuntu-20.04 
+ steps: + - name: Checkout code + uses: actions/checkout@v3 + +# - name: Run the action for a single binary # env: # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.283 +# uses: cognitedata/code-sign-action/@v1.284 # with: -# path-to-binary: "test/test.dll" +# path-to-binary: "test" + + - name: Run the action for multiple binaries in a directory + env: + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v1.283 + with: + path-to-binary: "test/test.dll" From 9bf5c5b56f4d98c7726a4a9b85553e94ec747699 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:23:23 +0200 Subject: [PATCH 155/165] Update action version --- .github/workflows/run-action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 44de4cea..ea159d9a 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.2 + uses: cognitedata/code-sign-action/@v1.284 with: path-to-binary: 'files' 
@@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.283 + uses: cognitedata/code-sign-action/@v1.284 with: path-to-binary: "test/test.dll" From 6f7178a5a9c09f43a20a337b6efc255d385e5832 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:31:36 +0200 Subject: [PATCH 156/165] Update action version --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index ea159d9a..55df4e43 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.284 + uses: cognitedata/code-sign-action/@v1.285 with: path-to-binary: 'files' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.284 + uses: cognitedata/code-sign-action/@v1.285 with: path-to-binary: "test/test.dll" diff --git a/action.yaml b/action.yaml index 3c49f563..6f15e3ef 100644 --- a/action.yaml +++ b/action.yaml 
@@ -57,8 +57,9 @@ runs: if (Test-Path -Path $file_path -PathType Leaf) { $files_to_sign = @($file_path) } - else { - $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse) + else { + Get-ChildItem -Path $file_path -File -Recurse + $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse | Select-Object FullName) } foreach ( $f in $files_to_sign ) { From b2f8667d7db4df8bbcac138af52e1f0c4b599369 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:36:45 +0200 Subject: [PATCH 157/165] Update action version --- .github/workflows/run-action.yaml | 4 ++-- action.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 55df4e43..68aecf2f 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -41,7 +41,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.285 + uses: cognitedata/code-sign-action/@v1.286 with: path-to-binary: 'files' @@ -70,6 +70,6 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.285 + uses: cognitedata/code-sign-action/@v1.286 with: path-to-binary: "test/test.dll" diff --git a/action.yaml b/action.yaml index 6f15e3ef..9dce1f40 100644 --- a/action.yaml +++ b/action.yaml 
@@ -59,12 +59,12 @@ runs: } else { Get-ChildItem -Path $file_path -File -Recurse - $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse | Select-Object FullName) + $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse) } foreach ( $f in $files_to_sign ) { - smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $f - smctl sign verify --input $f + smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $f.FullName + smctl sign verify --input $f.FullName } if: runner.os == 'Windows' shell: powershell From dc3743719c97bed6d3faa6b03a834805b6011115 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:43:04 +0200 Subject: [PATCH 158/165] Test signle binary --- .github/workflows/run-action.yaml | 54 +++++++++++++++---------------- action.yaml | 2 +- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 68aecf2f..5040bd70 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml 
@@ -23,53 +23,53 @@ jobs: mkdir subdirectory copy C:\Windows\System32\wmp.dll subdirectory -# - name: Run the action for a single binary -# env: -# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} -# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} -# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} -# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} -# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.284 -# with: -# path-to-binary: 'files\wmp.dll' - - - name: Run the action for multiple binaries in a directory + - name: Run the action for a single binary env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.286 + uses: cognitedata/code-sign-action/@v1.287 with: - path-to-binary: 'files' - - - run-action-linux: - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 + path-to-binary: 'files\wmp.dll' -# - name: Run the action for a single binary +# - name: Run the action for multiple binaries in a directory # env: # CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} # CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.284 +# uses: cognitedata/code-sign-action/@v1.287 # with: -# path-to-binary: "test" +# path-to-binary: 'files' - - name: Run the action for multiple binaries in a directory + + run-action-linux: + runs-on: 
ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run the action for a single binary env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.286 + uses: cognitedata/code-sign-action/@v1.287 with: - path-to-binary: "test/test.dll" + path-to-binary: "test" + +# - name: Run the action for multiple binaries in a directory +# env: +# CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} +# CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} +# CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} +# CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} +# CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} +# uses: cognitedata/code-sign-action/@v1.287 +# with: +# path-to-binary: "test/test.dll" diff --git a/action.yaml b/action.yaml index 9dce1f40..5899e5a2 100644 --- a/action.yaml +++ b/action.yaml @@ -55,7 +55,7 @@ runs: $file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}" $files_to_sign = @() if (Test-Path -Path $file_path -PathType Leaf) { - $files_to_sign = @($file_path) + $files_to_sign = @([PSCustomObject]@{FullName = $file_path}) } else { Get-ChildItem -Path $file_path -File -Recurse From c6e2babc1d1b83717e280236a21cc0563aeecc16 Mon Sep 17 00:00:00 2001 
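Review bot: In the action.yaml hunk, wrapping the single path as `@([PSCustomObject]@{FullName = $file_path})` makes the file branch imitate a `FileInfo` only so the loop can read `$f.FullName`; it is simpler for both branches to produce plain path strings. Keep `$files_to_sign = @($file_path)` here, use `$files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse | Select-Object -ExpandProperty FullName)` in the else branch, and pass `--input $f` in the loop (those lines are outside this hunk). The bare `Get-ChildItem -Path $file_path -File -Recurse` kept as context in the else branch looks like leftover debug output and walks the tree a second time.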
From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:58:48 +0200 Subject: [PATCH 159/165] Cleanup --- .github/workflows/digicert-signing-linux.yaml | 88 ------------------- .github/workflows/digicert-signing.yaml | 52 ----------- .github/workflows/run-action.yaml | 2 +- sign.ps1 | 31 ------- sign.sh | 50 ----------- 5 files changed, 1 insertion(+), 222 deletions(-) delete mode 100644 .github/workflows/digicert-signing-linux.yaml delete mode 100644 .github/workflows/digicert-signing.yaml delete mode 100644 sign.ps1 delete mode 100755 sign.sh diff --git a/.github/workflows/digicert-signing-linux.yaml b/.github/workflows/digicert-signing-linux.yaml deleted file mode 100644 index df34cdfe..00000000 --- a/.github/workflows/digicert-signing-linux.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -name: digicert-signing-linux -on: - pull_request: - push: - branches: - - main - - "releases/*" - -jobs: - sign-with-linux: - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Certificate - run: | - echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12 - shell: bash - - - name: Set variables - id: variables - run: | - echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" - echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" - echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH - shell: bash - - - name: Install third-party required tools - run: | - curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb - sudo dpkg --install jsign_3.1_all.deb - sudo apt-get install -y osslsigncode libengine-pkcs11-openssl gnutls-bin xxd - shell: bash - - # sudo apt-get install -y openssl=1.1.1f-1ubuntu2.19 libengine-pkcs11-openssl gnutls-bin xxd osslsigncode - - # - name: locate file - # run: | - # sudo find / -name "libpkcs11.so" - - - name: Code signing with Secure Software Manager - uses: digicert/ssm-code-signing@v0.0.2 - env: - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }} - - - name: Set PKCS11 config - run: | - echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV" - shell: bash - - - name: Working version of signing with osslcodesign - env: - GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE 
}}" - osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "signed-test.dll" -h sha256 -t http://timestamp.digicert.com - shell: bash - - - name: Working version of signing with smctl Jsign - env: - GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}" --input "test.dll" - shell: bash - - # I think this works - # jsign --keystore "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --storepass NONE --storetype PKCS11 --alias key_464138416 test.dll - - # export OPENSSL_CONF="${{ env.GITHUB_WORKSPACE }}/openssl-linux.conf" - # smctl cert save --keypair-alias="key_464138416" --name "cert.pem" --out "${{ env.GITHUB_WORKSPACE }}" - # osslsigncode sign -v -pkcs11engine "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com - - # smctl cert save --keypair-alias="key_464138416" --name "code-sign-cert" --out "${{ env.GITHUB_WORKSPACE }}" - # smctl sign --keypair-alias="key_464138416" --certificate "/d/cognite_code_signing_github_actions.p12" --input "test.dll" - # osslsigncode sign -v -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" -certs /home/runner/work/code-sign-action/code-sign-action/cert.pem -key 
'pkcs11:object=key_464138416;type=private' -in "test.dll" -out "test.dll" -h sha256 -t http://timestamp.digicert.com - - - name: Verify with smctl - env: - GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - osslsigncode verify -in "signed-test.dll" - osslsigncode verify -in "test.dll" - shell: bash diff --git a/.github/workflows/digicert-signing.yaml b/.github/workflows/digicert-signing.yaml deleted file mode 100644 index abb2a72f..00000000 --- a/.github/workflows/digicert-signing.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -name: digicert-signing -on: - pull_request: - push: - branches: - - main - - 'releases/*' - -jobs: - sign: - runs-on: windows-2022 - steps: - - name: Copy libraries - shell: cmd - run: | - dir - mkdir files - copy C:\Windows\System32\wmp.dll files - cd files - mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory - - - name: Setup Certificate - run: | - echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12 - shell: bash - - - name: Set variables - id: variables - run: | - echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" - echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV" - echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" - echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" - shell: bash - - - name: Code signing with Secure Software Manager - uses: digicert/ssm-code-signing@v0.0.2 - env: - SM_API_KEY: ${{secrets.SM_API_KEY}} - SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD}} - SM_CLIENT_CERT_FILE: ${{secrets.SM_CLIENT_CERT_FILE}} - - - name: Sign with smctl - env: - GITHUB_WORKSPACE: ${{ github.workspace }} - run: | - smctl windows certsync --keypair-alias="key_464138416" - smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" - smctl sign verify --input "${{ env.GITHUB_WORKSPACE }}\files\wmp.dll" - shell: cmd diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 5040bd70..3d9de827 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -47,7 +47,7 @@ jobs: run-action-linux: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@v3 
diff --git a/sign.ps1 b/sign.ps1 deleted file mode 100644 index 03c9f94e..00000000 --- a/sign.ps1 +++ /dev/null @@ -1,31 +0,0 @@ -Param( - [Parameter(Mandatory)] - [string]$PathToBinary, - - [Parameter()] - [switch]$Recurse -) - -Write-Output "Read certificate into a file" -[IO.File]::WriteAllBytes("C:\\Users\\runneradmin\\Documents\\cognite_code_signing.pfx", [Convert]::FromBase64String($env:CERTIFICATE)) - -Write-Output "Import code signing certificate to Local Cert Store" -Import-PfxCertificate -FilePath "C:\\Users\\runneradmin\\Documents\\cognite_code_signing.pfx" -Password (ConvertTo-SecureString -String $env:CERTIFICATE_PASSWORD -AsPlainText -Force) -Cert "Cert:\\LocalMachine\\My" -$cert = (Get-ChildItem -Path "Cert:\\LocalMachine\\My")[0] - -if ($Recurse) { - Write-Host "Sign all files in folder $PathToBinary" - Get-ChildItem -Path $PathToBinary -File -Recurse | % { - Write-Host $_.FullName - Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert - } -} -else { - Write-Output "Sign a single binary" - Set-AuthenticodeSignature -FilePath $PathToBinary -Certificate $cert -} - -Write-Output "Remove code signing certificate from Local Cert Store" -Get-ChildItem Cert:\\LocalMachine\\My | Where-Object {$_.Subject -Match "Cognite AS"} | Remove-Item - -Write-Output "Code signing completed" diff --git a/sign.sh b/sign.sh deleted file mode 100755 index 2bea562b..00000000 --- a/sign.sh +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash -set -e - -echo -n "$CERTIFICATE" | base64 -w 0 --decode > ./cognite_code_signing.pfx - - -osslver="$(openssl version)" -if [[ "$osslver" == "OpenSSL 3"* ]]; then - # Convert the pkcs12 file into a compatible format by passing it through openssl... - # Technically the sign tool is also based on openssl, but it doesn't let you set the "legacy" flag, - # so we have to convert it using openssl first. - # Note that this is dependent on the version of openssl, and the type of certificate. - # This works for the cognite code certificate - openssl pkcs12 -in ./cognite_code_signing.pfx -out ./cognite_code_signing.pem -legacy \ - -passin "pass:$CERTIFICATE_PASSWORD" -passout "pass:$CERTIFICATE_PASSWORD" - openssl pkcs12 -in ./cognite_code_signing.pem \ - -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \ - -export -out ./cognite_code_signing_2.pfx \ - -passin "pass:$CERTIFICATE_PASSWORD" -passout "pass:$CERTIFICATE_PASSWORD" - mv ./cognite_code_signing_2.pfx ./cognite_code_signing.pfx - rm ./cognite_code_signing.pem -fi - -recurse=false -file_path="$1" - -for var in "$@"; do - if [ "$var" = "-Recurse" ] ; then - recurse=true - fi -done - -sign_binary() { - osslsigncode sign -pkcs12 ./cognite_code_signing.pfx -pass "$CERTIFICATE_PASSWORD" \ - -t "http://timestamp.digicert.com" \ - -in "$1" -out "$1.signed" - mv "$1.signed" "$1" -} - -if [ $recurse = true ] ; then - echo "Sign all files in folder $file_path" - for f in $(find $file_path -type f); do - sign_binary $f - done -else - echo "Sign a single binary" - sign_binary $file_path -fi - -rm ./cognite_code_signing.pfx From de7d7b8e619744aed4cf890ad775f1c33ae905c9 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 13:59:53 +0200 Subject: [PATCH 160/165] Update version --- .github/workflows/run-action.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 3d9de827..386452e1 100644 
--- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -30,7 +30,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.287 + uses: cognitedata/code-sign-action/@v2 with: path-to-binary: 'files\wmp.dll' @@ -41,7 +41,7 @@ jobs: # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.287 +# uses: cognitedata/code-sign-action/@v2 # with: # path-to-binary: 'files' @@ -59,7 +59,7 @@ jobs: CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} - uses: cognitedata/code-sign-action/@v1.287 + uses: cognitedata/code-sign-action/@v2 with: path-to-binary: "test" @@ -70,6 +70,6 @@ jobs: # CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} # CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} -# uses: cognitedata/code-sign-action/@v1.287 +# uses: cognitedata/code-sign-action/@v2 # with: # path-to-binary: "test/test.dll" From b33f1bfb01875f1393afafa270caba4c10e488f0 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 14:02:41 +0200 Subject: [PATCH 161/165] Cleanup --- openssl-linux.conf | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 openssl-linux.conf diff --git a/openssl-linux.conf b/openssl-linux.conf deleted file mode 100644 index eb28afc3..00000000 --- a/openssl-linux.conf +++ /dev/null 
@@ -1,11 +0,0 @@ -openssl_conf = openssl_init -[openssl_init] -engines = engine_section -[engine_section] -pkcs11 = pkcs11_section -[pkcs11_section] - -#Path to the OpenSSL PKCS11 Engine -dynamic_path = "/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so" - -MODULE_PATH = "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/smpkcs11.so" From a994de2f777c5f5bac06919f2a243a18c442867d Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 14:25:28 +0200 Subject: [PATCH 162/165] Sign test binary in repository with Windows --- .github/workflows/run-action.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 386452e1..22bee0b3 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -13,15 +13,15 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Copy libraries - shell: cmd - run: | - dir - mkdir files - copy C:\Windows\System32\wmp.dll files - cd files - mkdir subdirectory - copy C:\Windows\System32\wmp.dll subdirectory +# - name: Copy libraries +# shell: cmd +# run: | +# dir +# mkdir files +# copy C:\Windows\System32\wmp.dll files +# cd files +# mkdir subdirectory +# copy C:\Windows\System32\wmp.dll subdirectory - name: Run the action for a single binary env: @@ -32,7 +32,7 @@ jobs: CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} uses: cognitedata/code-sign-action/@v2 with: - path-to-binary: 'files\wmp.dll' + path-to-binary: 'test\test.dll' # - name: Run the action for multiple binaries in a directory # env: @@ -43,7 +43,7 @@ jobs: # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} # uses: cognitedata/code-sign-action/@v2 # with: -# path-to-binary: 'files' +# path-to-binary: 'test' run-action-linux: 
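Review bot: In the Windows job's `Run the action for a single binary` step (hunk `@@ -32,7 +32,7 @@`), the target is now the checked-in `test\test.dll`, but nothing visible in this hunk checks afterwards that the file carries a valid signature. As written, the job appears to pass whenever the action exits 0, even if signing silently did nothing; the rest of the job lies outside the hunk, so this is inferred. A follow-up step such as `run: signtool verify /pa /v test\test.dll` would make the workflow assert the result (SignTool may need its full path on the runner). It would also help to add a comment above the step, e.g. `# test\test.dll is an unsigned fixture committed to the repo; the job signs it in the workspace only`.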
@@ -61,7 +61,7 @@ jobs: CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} uses: cognitedata/code-sign-action/@v2 with: - path-to-binary: "test" + path-to-binary: "test/test.dll" # - name: Run the action for multiple binaries in a directory # env: @@ -72,4 +72,4 @@ jobs: # CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} # uses: cognitedata/code-sign-action/@v2 # with: -# path-to-binary: "test/test.dll" +# path-to-binary: "test" From f5b6161d7bc25759c006141684c838f493ec3c8c Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 14:55:23 +0200 Subject: [PATCH 163/165] Remove -Recurse option --- action.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/action.yaml b/action.yaml index 5899e5a2..255d0887 100644 --- a/action.yaml +++ b/action.yaml @@ -4,9 +4,6 @@ inputs: path-to-binary: description: "The folder that contains the files to sign" required: true - options: - description: 'Use "-Recurse" to recursively search for files' - required: false runs: using: "composite" steps: From 014b8208bfb3b86f38aae1322aa3b3c2512b222f Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 14:56:22 +0200 Subject: [PATCH 164/165] Remove copying of binary --- .github/workflows/run-action.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/workflows/run-action.yaml b/.github/workflows/run-action.yaml index 22bee0b3..3b76ab30 100644 --- a/.github/workflows/run-action.yaml +++ b/.github/workflows/run-action.yaml @@ -6,6 +6,7 @@ on: - main - "releases/*" +# Run this action only once on a single runner. Multiple consecutive runs on the same runner could cause issues. jobs: run-action: runs-on: windows-2022 
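Review bot: The comment added above `jobs:` in hunk `@@ -6,6 +6,7 @@` warns that "Multiple consecutive runs on the same runner could cause issues" without saying what is left behind or what fails, and nothing in the workflow enforces the constraint. For a signing action the likely concern is leftover client-certificate or tool configuration on a reused (self-hosted) runner, but the hunk does not say so. A more specific wording would be `# Run this action once per job: it leaves <STATE> on the runner, and a second run fails with <SYMPTOM>`, with both placeholders filled in by the author. If the leftover state includes credential material, that should be stated explicitly so users of self-hosted runners know to clean it up.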
@@ -13,16 +14,6 @@ jobs: - name: Checkout code uses: actions/checkout@v3 -# - name: Copy libraries -# shell: cmd -# run: | -# dir -# mkdir files -# copy C:\Windows\System32\wmp.dll files -# cd files -# mkdir subdirectory -# copy C:\Windows\System32\wmp.dll subdirectory - - name: Run the action for a single binary env: CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} From f1bd29cb867700610a5bd653f02cfd2ce10cf224 Mon Sep 17 00:00:00 2001 From: Bisera Milosheska Date: Mon, 7 Aug 2023 14:56:53 +0200 Subject: [PATCH 165/165] Change documentation to reflect the use of the new version of the action. --- README.md | 58 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index cc65766f..7c24de98 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # code-sign-action -This Action can be used to sign Windows binaries. It has been tested on `windows-2022` runners. +This Action integrates with Digicert One and uses SignTool on Windows runners and JSign on Linux runners. It has been tested on `windows-2022`, `ubuntu-20.04` and `ubuntu-22.04` runners. ------------ 
@@ -8,21 +8,19 @@ This Action can be used to sign Windows binaries. It has been tested on `windows ### Environment -- `CERTIFICATE`: Base64-encoded PKCS #12 archive (.pfx file). -- `CERTIFICATE_PASSWORD`: Pass phrase to decode the .pfx file. +- `CERTIFICATE_HOST`: https://clientauth.one.digicert.com +- `CERTIFICATE_HOST_API_KEY`: An API key created for the GitHub Actions service user in Digicert One. +- `CERTIFICATE_SHA1_HASH`: SHA1 fingerprint of the code signing certificate. +- `CLIENT_CERTIFICATE`: Client authentication certificate created for the GitHub Actions service user in Digicert One.(.p12 file) +- `CLIENT_CERTIFICATE_PASSWORD`: Client authentication certificate password created for the GitHub Actions service user in Digicert One. ### Inputs -- `path-to-binary`: path to the file to be signed. - -#### Optional: -| Parameter | Description | Default | -| :----------: | :------------------------------------------------------------------------------------------: | :----------------: | -| options | Use "-Recurse" to recursively search for and sign files | null | +- `path-to-binary`: takes either a file path or a directory path containing the files to be signed. ### Examples -#### Sign one file +#### Sign a single file on Windows ```yaml name: codesign-example-single-file 
@@ -38,34 +36,44 @@ jobs: steps: - name: Run the action for a single binary env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v2 with: - path-to-binary: 'files\some_file.exe' + path-to-binary: 'test\test.dll' ``` -#### Sign multiple files +#### Sign multiple files on Linux ```yaml -name: codesign-example-multiple-files +name: codesign-example-single-file on: + pull_request: push: branches: - main - - 'releases/*' + - "releases/*" jobs: - run-action: - runs-on: windows-2022 + run-action-linux: + runs-on: ubuntu-22.04 steps: - - name: Run the action for all binaries under a folder + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run the action for a single binary env: - CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }} - uses: cognitedata/code-sign-action/@v1 + CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }} + CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }} + CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} + CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }} + CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }} + uses: cognitedata/code-sign-action/@v2 with: - path-to-binary: 'files' - options: '-Recurse' + path-to-binary: "test" + ```