
chore: more windows signing testing #30

chore: more windows signing testing

chore: more windows signing testing #30

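# Test workflow for Windows code signing: writes the client-auth certificate
# to disk, locates signtool.exe, then signs and verifies a binary. Runs on
# every pull request that targets main.
name: CHRIS CERT TEST
on:
  pull_request:
    branches: [main]

# Least privilege: the only repository access this job needs is the checkout,
# so the workflow token is limited to reading contents.
permissions:
  contents: read

jobs:
  chris-cert-test:
    # NOTE(review): every step below runs with the code-signing secrets in
    # reach, and a pull_request run uses the workflow file from the pull
    # request itself. Once this leaves the testing stage, consider a
    # protected `environment:` with required reviewers for the signing job.
    runs-on: windows-latest
    steps:
      # NOTE(review): v3 is a mutable tag. Pinning actions to a full commit
      # SHA is the usual hardening for a job that holds signing credentials.
      - uses: actions/checkout@v3

      # Decodes the base64 secret into a PKCS#12 file and publishes its path
      # as the step output `p12_path`. The file is written under RUNNER_TEMP
      # rather than the checkout directory so that the key material cannot be
      # picked up by anything that packages or uploads the workspace.
      - name: Write client auth certificate file
        id: write_client_auth_cert
        env:
          CLIENT_AUTH_CERT_BASE64_CONTENT: ${{ secrets.CODE_SIGNING_CERT_BASE64 }}
        run: |
          $p12Path = Join-Path $env:RUNNER_TEMP "cert.p12";
          $encodedBytes = [System.Convert]::FromBase64String($env:CLIENT_AUTH_CERT_BASE64_CONTENT);
          Set-Content $p12Path -Value $encodedBytes -AsByteStream;
          echo "p12_path=$p12Path" >> $ENV:GITHUB_OUTPUT

      # - name: Download digicert smtools
      #   env:
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #   run: |
      #     curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
      #   shell: cmd
      #
      # - name: Install digicert smtools
      #   run: |
      #     $procMain = Start-Process "msiexec" "/i smtools-windows-x64.msi /qn /l*! msi_install.log" -NoNewWindow -PassThru
      #     echo $null >> msi_install.log
      #     $procLog = Start-Process "powershell" "Get-Content -Path msi_install.log -Wait" -NoNewWindow -PassThru
      #     $procMain.WaitForExit()
      #     $procLog.Kill()
      #   shell: powershell
      #
      # - name: Add digicert tools to path
      #   run: |
      #     echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
      #     echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
      #     echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
      #   shell: bash
      #
      # - name: Check path
      #   run: |
      #     echo %path%
      #   shell: cmd
      #
      # - name: List digicert dir
      #   run: |
      #     dir "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools"
      #   shell: cmd
      #
      # - name: Verify KSP Registration
      #   env:
      #     SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #     SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
      #   run: |
      #     dir
      #     smksp_registrar.exe list
      #     smctl.exe keypair ls
      #     C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
      #     smksp_cert_sync.exe
      #     smctl healthcheck
      #   shell: cmd
      #
      # - name: Signing using Signtool
      #   env:
      #     SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #     SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
      #   run: |
      #     signtool.exe sign /sha1 ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "smtools-windows-x64.msi"
      #     signtool.exe verify /v /pa "smtools-windows-x64.msi"

      # Checks that signtool.exe exists at the hard-coded SDK path and
      # publishes that path as the step output `signtool_path`. The step now
      # fails when the file is missing (before, Test-Path only printed
      # True/False), and the output is written through GITHUB_OUTPUT, the
      # same mechanism the certificate step uses, instead of the deprecated
      # ::set-output command.
      - name: Test and cache signtool path
        id: signtool
        run: |
          $signtool = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe"
          if (-not (Test-Path -Path $signtool -PathType Leaf)) {
            throw "signtool.exe not found at $signtool"
          }
          echo "signtool_path=$signtool" >> $ENV:GITHUB_OUTPUT

      # Signs the binary with the certificate selected by its SHA-1
      # thumbprint, then verifies the signature.
      # - The thumbprint is passed through `env:` instead of being expanded
      #   into the script text, so the secret is handled as data and never
      #   becomes part of the generated PowerShell source.
      # - PowerShell needs the call operator `&` to run a program whose path
      #   is held in a variable or a quoted string; without it the two
      #   signtool lines are a parse error.
      # - Only the last native exit code decides the step result, so a failed
      #   `sign` is checked explicitly before `verify` runs.
      # NOTE(review): the step that downloads smtools-windows-x64.msi is
      # commented out above, so the file is present only if the checkout
      # provides it. Confirm before relying on this job.
      - name: Sign Momento binary
        env:
          SIGNTOOL_PATH: ${{ steps.signtool.outputs.signtool_path }}
          # MOMENTO_BINARY_PATH: ${{ steps.build.outputs.momento_binary_path }}
          MOMENTO_BINARY_PATH: "smtools-windows-x64.msi"
          CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
          SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
          SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
          SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
        run: |
          echo "HERE IS THE SIGNTOOL PATH:"
          echo $env:SIGNTOOL_PATH
          & $env:SIGNTOOL_PATH sign /sha1 $env:CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $env:MOMENTO_BINARY_PATH
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          & $env:SIGNTOOL_PATH verify /v /pa $env:MOMENTO_BINARY_PATH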