chore: more windows signing testing #30
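# Windows code-signing smoke test.
#
# Exercises the DigiCert Signing Manager (KSP) + signtool flow that a release
# pipeline would use: decode the client-auth PKCS#12 from a secret, locate
# signtool, sign a binary and verify the signature.
#
# Security notes (reviewer):
# - This runs on `pull_request`. GitHub withholds repository secrets from runs
#   triggered by forked PRs, but every push to a PR from a branch in this repo
#   will drive the signing key. Once the flow is stable, consider moving it to
#   `workflow_dispatch` or a release-tag trigger.
# - The client-auth certificate is materialised on disk for the job and is
#   removed in a final `if: always()` step so it does not outlive the job.
# - `actions/checkout@v3` is a moving major tag; pin to a commit SHA for
#   supply-chain hygiene once this graduates from a test workflow.
name: CHRIS CERT TEST

on:
  pull_request:
    branches: [main]

jobs:
  chris-cert-test:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3

      # Decode the base64 PKCS#12 client-auth certificate to a file that the
      # DigiCert tooling reads through SM_CLIENT_CERT_FILE. It is written under
      # RUNNER_TEMP (outside the checkout) so a later step that commits,
      # packages or uploads the workspace cannot pick it up. An empty secret
      # (e.g. a forked PR) is rejected here with a clear message instead of
      # failing later inside signtool.
      - name: Write client auth certificate file
        id: write_client_auth_cert
        env:
          CLIENT_AUTH_CERT_BASE64_CONTENT: ${{ secrets.CODE_SIGNING_CERT_BASE64 }}
        run: |
          $ErrorActionPreference = "Stop"
          if ([string]::IsNullOrWhiteSpace($env:CLIENT_AUTH_CERT_BASE64_CONTENT)) {
            throw "CODE_SIGNING_CERT_BASE64 is empty or not available to this run"
          }
          $p12Path = Join-Path $env:RUNNER_TEMP "cert.p12"
          $encodedBytes = [System.Convert]::FromBase64String($env:CLIENT_AUTH_CERT_BASE64_CONTENT)
          # -AsByteStream needs PowerShell 6+; the default `run` shell on
          # windows-latest is pwsh, so this holds unless `shell:` is overridden.
          Set-Content -Path $p12Path -Value $encodedBytes -AsByteStream
          echo "p12_path=$p12Path" >> $env:GITHUB_OUTPUT

      # NOTE(review): the DigiCert tooling steps below are disabled. If they are
      # re-enabled, verify the downloaded MSI (checksum or Authenticode) before
      # installing it, since `curl ... -o` performs no integrity check.
      # - name: Download digicert smtools
      #   env:
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #   run: |
      #     curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
      #   shell: cmd
      #
      # - name: Install digicert smtools
      #   run: |
      #     $procMain = Start-Process "msiexec" "/i smtools-windows-x64.msi /qn /l*! msi_install.log" -NoNewWindow -PassThru
      #     echo $null >> msi_install.log
      #     $procLog = Start-Process "powershell" "Get-Content -Path msi_install.log -Wait" -NoNewWindow -PassThru
      #     $procMain.WaitForExit()
      #     $procLog.Kill()
      #   shell: powershell
      #
      # - name: Add digicert tools to path
      #   run: |
      #     echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
      #     echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
      #     echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
      #   shell: bash
      #
      # - name: Check path
      #   run: |
      #     echo %path%
      #   shell: cmd
      #
      # - name: List digicert dir
      #   run: |
      #     dir "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools"
      #   shell: cmd
      #
      # - name: Verify KSP Registration
      #   env:
      #     SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #     SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
      #   run: |
      #     dir
      #     smksp_registrar.exe list
      #     smctl.exe keypair ls
      #     C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
      #     smksp_cert_sync.exe
      #     smctl healthcheck
      #   shell: cmd
      #
      # - name: Signing using Signtool
      #   env:
      #     SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
      #     SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
      #     SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
      #   run: |
      #     signtool.exe sign /sha1 ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "smtools-windows-x64.msi"
      #     signtool.exe verify /v /pa "smtools-windows-x64.msi"

      # Locate signtool from the Windows 10 SDK on windows-latest. The original
      # step only printed the Test-Path result, so a missing signtool was a
      # green step that failed later with a confusing error; it now fails here.
      # `::set-output` is deprecated, so the path is published via GITHUB_OUTPUT
      # like the certificate step above.
      - name: Test and cache signtool path
        id: signtool
        run: |
          $ErrorActionPreference = "Stop"
          # NOTE(review): the SDK build number is hard-coded; if windows-latest
          # drops this SDK the step will fail and the path needs updating.
          $signtool = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe"
          if (-not (Test-Path -Path $signtool -PathType Leaf)) {
            throw "signtool.exe not found at $signtool"
          }
          echo "signtool_path=$signtool" >> $env:GITHUB_OUTPUT

      # Sign and verify the target binary through the DigiCert KSP.
      # Fixes versus the original:
      # - `"$env:SIGNTOOL_PATH" sign ...` and `$env:SIGNTOOL_PATH verify ...`
      #   are PowerShell parse errors (a string/variable followed by arguments
      #   is not an invocation); the call operator `&` is required.
      # - The certificate thumbprint is passed through `env` instead of being
      #   interpolated into the script body, so the value is never written into
      #   the generated script file.
      # - signtool's exit code is checked after `sign`; pwsh does not stop on a
      #   failing native command, so verify would otherwise run on an unsigned
      #   file and mask the real error.
      - name: Sign Momento binary
        env:
          SIGNTOOL_PATH: ${{ steps.signtool.outputs.signtool_path }}
          # MOMENTO_BINARY_PATH: ${{ steps.build.outputs.momento_binary_path }}
          # NOTE(review): the download step that produces this MSI is commented
          # out above, so this file will not exist until a real build artifact
          # is wired in; the step checks for it and fails with a clear message.
          MOMENTO_BINARY_PATH: "smtools-windows-x64.msi"
          SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
          SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
          SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
          CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}
        run: |
          $ErrorActionPreference = "Stop"
          if (-not (Test-Path -Path $env:MOMENTO_BINARY_PATH -PathType Leaf)) {
            throw "Nothing to sign: $env:MOMENTO_BINARY_PATH does not exist"
          }
          echo "HERE IS THE SIGNTOOL PATH:"
          echo $env:SIGNTOOL_PATH
          & $env:SIGNTOOL_PATH sign /sha1 $env:CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $env:MOMENTO_BINARY_PATH
          if ($LASTEXITCODE -ne 0) {
            throw "signtool sign failed with exit code $LASTEXITCODE"
          }
          & $env:SIGNTOOL_PATH verify /v /pa $env:MOMENTO_BINARY_PATH
          if ($LASTEXITCODE -ne 0) {
            throw "signtool verify failed with exit code $LASTEXITCODE"
          }

      # Always remove the decoded client-auth certificate so its private key
      # does not remain on the runner after the job, even when a step failed.
      - name: Remove client auth certificate file
        if: always()
        env:
          P12_PATH: ${{ steps.write_client_auth_cert.outputs.p12_path }}
        run: |
          if ($env:P12_PATH -and (Test-Path -Path $env:P12_PATH -PathType Leaf)) {
            Remove-Item -Path $env:P12_PATH -Force
          }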