Skip to content

CM-23216 - Sign Windows CLI executable #158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Aug 21, 2023
Merged

CM-23216 - Sign Windows CLI executable #158

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
8598648
CM-23216 - Sign Windows CLI executable
MarshalX Aug 21, 2023
9a69ca7
return back cimon
MarshalX Aug 21, 2023
08082d2
simplify workflow
MarshalX Aug 21, 2023
f2529bc
fix cert fingerprint
MarshalX Aug 21, 2023
f924b92
fix cert fingerprint 2
MarshalX Aug 21, 2023
9ba7a42
fix signing
MarshalX Aug 21, 2023
9da51aa
workflow refactoring
MarshalX Aug 21, 2023
e53883c
fix poetry installation
MarshalX Aug 21, 2023
10a5ca1
fix slashes
MarshalX Aug 21, 2023
3e1a85b
attempt to simplify workflow more
MarshalX Aug 21, 2023
856639b
attempt to simplify workflow more 2
MarshalX Aug 21, 2023
ecffec3
return back all OS
MarshalX Aug 21, 2023
5bbcdc2
remove test branch from triggers
MarshalX Aug 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/black.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down
45 changes: 44 additions & 1 deletion .github/workflows/build_executable.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down Expand Up @@ -108,10 +110,51 @@ jobs:
# we can't staple the app because it's executable. we should only staple app bundles like .dmg
# xcrun stapler staple dist/cycode

- name: Test signed executable
- name: Test macOS signed executable
if: ${{ startsWith(matrix.os, 'macos') }}
run: ./dist/cycode version

- name: Import cert for Windows and setup envs
if: ${{ startsWith(matrix.os, 'windows') }}
env:
SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
run: |
# import certificate
echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"

# add required soft to the path
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH

- name: Sign Windows executable
if: ${{ startsWith(matrix.os, 'windows') }}
shell: cmd
env:
SM_HOST: ${{ secrets.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
run: |
:: setup SSM KSP
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
msiexec /i smtools-windows-x64.msi /quiet /qn
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
smksp_cert_sync.exe

:: sign executable
signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode.exe"

- name: Test Windows signed executable
if: ${{ startsWith(matrix.os, 'windows') }}
shell: cmd
run: |
:: call executable and expect correct output
.\dist\cycode.exe version

:: verify signature
signtool.exe verify /v /pa ".\dist\cycode.exe"

- uses: actions/upload-artifact@v3
with:
name: cycode-cli-${{ matrix.os }}
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/pre_release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/ruff.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tests_full.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ jobs:
- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
with:
version: 1.5.1

- name: Add Poetry to PATH
run: echo "$HOME/.local/bin" >> $GITHUB_PATH
Expand Down