[SEC-2913] Update action to fit the new code signing flow

.github/workflows/run-action.yaml

@@ -4,64 +4,63 @@ on:
   push:
     branches:
       - main
-      - 'releases/*'
+      - "releases/*"
 
+# Run this action only once on a single runner. Multiple consecutive runs on the same runner could cause issues.
 jobs:
   run-action:
     runs-on: windows-2022
     steps:
-      - name: Copy libraries
-        shell: cmd
-        run: |
-          dir
-          mkdir files
-          copy C:\Windows\System32\wmp.dll files
-          cd files
-          mkdir subdirectory
-          copy C:\Windows\System32\wmp.dll subdirectory
+      - name: Checkout code
+        uses: actions/checkout@v3
 
       - name: Run the action for a single binary
         env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
+          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+        uses: cognitedata/code-sign-action/@v2
         with:
-          path-to-binary: 'files\wmp.dll'
+          path-to-binary: 'test\test.dll'
+
+#      - name: Run the action for multiple binaries in a directory
+#        env:
+#          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+#          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+#          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+#          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+#          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+#        uses: cognitedata/code-sign-action/@v2
+#        with:
+#          path-to-binary: 'test'
 
-      - name: Run the action for all binaries under a folder
-        env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
-        with:
-          path-to-binary: 'files'
-          options: '-Recurse'
 
   run-action-linux:
     runs-on: ubuntu-22.04
     steps:
-      - name: Copy libraries
-        run: |
-          ls
-          mkdir files
-          wget https://github.com/cognitedata/code-sign-action/raw/0dc0e0fff181f5c2147601d4402d6ce8d64e06ca/test.dll -O files/test.dll
-          cd files
-          mkdir subdirectory
-          cp test.dll subdirectory
+      - name: Checkout code
+        uses: actions/checkout@v3
 
       - name: Run the action for a single binary
         env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
+          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+        uses: cognitedata/code-sign-action/@v2
         with:
-          path-to-binary: 'files/test.dll'
+          path-to-binary: "test/test.dll"
 
-      - name: Run the action for all binaries under a folder
-        env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
-        with:
-          path-to-binary: 'files'
-          options: '-Recurse'
+#      - name: Run the action for multiple binaries in a directory
+#        env:
+#          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+#          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+#          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+#          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+#          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+#        uses: cognitedata/code-sign-action/@v2
+#        with:
+#          path-to-binary: "test"

README.md

@@ -1,28 +1,26 @@
 # code-sign-action
 
-This Action can be used to sign Windows binaries. It has been tested on `windows-2022` runners.
+This Action integrates with Digicert One and uses SignTool on Windows runners and JSign on Linux runners. It has been tested on `windows-2022`, `ubuntu-20.04` and `ubuntu-22.04` runners.
 
 ------------
 
 ## Usage
 
 ### Environment
 
-- `CERTIFICATE`: Base64-encoded PKCS #12 archive (.pfx file).
-- `CERTIFICATE_PASSWORD`: Pass phrase to decode the .pfx file.
+- `CERTIFICATE_HOST`: https://clientauth.one.digicert.com
+- `CERTIFICATE_HOST_API_KEY`: An API key created for the GitHub Actions service user in Digicert One.
+- `CERTIFICATE_SHA1_HASH`: SHA1 fingerprint of the code signing certificate.
+- `CLIENT_CERTIFICATE`: Client authentication certificate created for the GitHub Actions service user in Digicert One.(.p12 file)
+- `CLIENT_CERTIFICATE_PASSWORD`: Client authentication certificate password created for the GitHub Actions service user in Digicert One.
 
 ### Inputs
 
-- `path-to-binary`: path to the file to be signed.
-
-#### Optional:
-|  Parameter   |                                         Description                                          |      Default       |
-| :----------: | :------------------------------------------------------------------------------------------: | :----------------: |
-|   options    |                   Use "-Recurse" to recursively search for and sign files                    |        null        |
+- `path-to-binary`: takes either a file path or a directory path containing the files to be signed.
 
 ### Examples
 
-#### Sign one file
+#### Sign a single file on Windows
 
 ```yaml
 name: codesign-example-single-file
@@ -38,34 +36,44 @@ jobs:
     steps:
       - name: Run the action for a single binary
         env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
+          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+        uses: cognitedata/code-sign-action/@v2
         with:
-          path-to-binary: 'files\some_file.exe'
+          path-to-binary: 'test\test.dll'
 ```
 
-#### Sign multiple files
+#### Sign multiple files on Linux
 
 ```yaml
-name: codesign-example-multiple-files
+name: codesign-example-single-file
 on:
+  pull_request:
   push:
     branches:
       - main
-      - 'releases/*'
+      - "releases/*"
 
 jobs:
-  run-action:
-    runs-on: windows-2022
+  run-action-linux:
+    runs-on: ubuntu-22.04
     steps:
-      - name: Run the action for all binaries under a folder
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run the action for a single binary
         env:
-          CERTIFICATE: ${{ secrets.CODE_SIGNING_CERTIFICATE }}
-          CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CERTIFICATE_PASSWORD }}
-        uses: cognitedata/code-sign-action/@v1
+          CERTIFICATE_HOST: ${{ secrets.CODE_SIGNING_CERT_HOST }}
+          CERTIFICATE_HOST_API_KEY: ${{ secrets.CODE_SIGNING_CERT_HOST_API_KEY }}
+          CERTIFICATE_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
+          CLIENT_CERTIFICATE: ${{ secrets.CODE_SIGNING_CLIENT_CERT }}
+          CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.CODE_SIGNING_CLIENT_CERT_PASSWORD }}
+        uses: cognitedata/code-sign-action/@v2
         with:
-          path-to-binary: 'files'
-          options: '-Recurse'
+          path-to-binary: "test"
+
 ```
 

action.yaml

@@ -1,20 +1,80 @@
-name: 'Sign binary'
-description: 'Sign a binary using a code signing certificate'
+name: "Sign binary"
+description: "Sign a binary using a code signing certificate"
 inputs:
   path-to-binary:
-    description: 'The folder that contains the files to sign'
+    description: "The folder that contains the files to sign"
     required: true
-  options:
-    description: 'Use "-Recurse" to recursively search for files'
-    required: false
 runs:
-  using: 'composite'
+  using: "composite"
   steps:
-    - run: ${{ github.action_path }}/sign.ps1 ${{ inputs.path-to-binary }} ${{ inputs.options }}
+    - name: Setup Certificate Windows
+      run: |
+        echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12
       if: runner.os == 'Windows'
-      shell: pwsh
-    - run: |
-        sudo apt install osslsigncode
-        ${{ github.action_path }}/sign.sh ${{ inputs.path-to-binary }} ${{ inputs.options }}
+      shell: bash
+
+    - name: Setup Certificate Linux
+      run: |
+        echo "${{env.CLIENT_CERTIFICATE }}" | base64 --decode | sudo install -D /dev/stdin /d/cognite_code_signing_github_actions.p12
+      if: runner.os == 'Linux'
+      shell: bash
+
+    - name: Set variables
+      id: variables
+      run: |
+        echo "SM_HOST=${{ env.CERTIFICATE_HOST }}" >> "$GITHUB_ENV"
+        echo "SM_API_KEY=${{ env.CERTIFICATE_HOST_API_KEY }}" >> "$GITHUB_ENV"
+        echo "SM_CLIENT_CERT_PASSWORD=${{ env.CLIENT_CERTIFICATE_PASSWORD }}" >> "$GITHUB_ENV"
+        echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ env.CERTIFICATE_SHA1_HASH }}" >> "$GITHUB_ENV"
+        if [ "${{ runner.os }}" == "Windows" ]
+        then
+          echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
+        elif [ "${{ runner.os }}" == "Linux" ]
+        then
+          echo "SM_CLIENT_CERT_FILE=/d/cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
+          echo "PKCS11_CONFIG=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" >> "$GITHUB_ENV"
+          echo "/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> $GITHUB_PATH
+        fi
+      shell: bash
+
+    - name: Code signing with Secure Software Manager
+      uses: digicert/[email protected]
+      env:
+        SM_API_KEY: ${{ env.SM_API_KEY }}
+        SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }}
+        SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
+
+    - name: Sign with smctl Windows
+      env:
+        GITHUB_WORKSPACE: ${{ github.workspace }}
+      run: |
+        smctl windows certsync --keypair-alias="key_464138416"
+        $file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path-to-binary }}"
+        $files_to_sign = @()
+        if (Test-Path -Path $file_path -PathType Leaf) {
+          $files_to_sign = @([PSCustomObject]@{FullName = $file_path})
+        }
+        else {
+          Get-ChildItem -Path $file_path -File -Recurse
+          $files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse)
+        }        
+        foreach ( $f in $files_to_sign )
+        {
+          smctl sign --fingerprint ${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input $f.FullName
+          smctl sign verify --input $f.FullName
+        }
+      if: runner.os == 'Windows'
+      shell: powershell
+
+
+    - name: Sign with smctl Linux
+      run: |
+        curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb
+        sudo dpkg --install jsign_3.1_all.deb
+        file_path="${{ inputs.path-to-binary }}"
+        for f in $(find $file_path -type f); do
+          echo $f
+          smctl sign -v --keypair-alias="key_464138416" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f"
+        done
       if: runner.os == 'Linux'
       shell: bash