From f629e6d53b5329cd7e8105050df042f3873a35ee Mon Sep 17 00:00:00 2001
From: Edwin Joassart
Date: Fri, 29 Mar 2024 11:28:15 +0100
Subject: [PATCH] patch: fix win signature process
---
 .github/actions/publish/action.yml | 36 ++++++++++++++++++++----------
 forge.config.ts | 3 +--
 2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/.github/actions/publish/action.yml b/.github/actions/publish/action.yml
index 6ea87ef0..f49a0663 100644
--- a/.github/actions/publish/action.yml
+++ b/.github/actions/publish/action.yml
@@ -98,20 +98,14 @@ runs:
 id: import_win_signing_cert
 shell: powershell
 run: |
- Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:WINDOWS_CERTIFICATE
- certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/certificate.pfx
+ Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:SM_CLIENT_CERT_FILE_B64
+ certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/Certificate_pkcs12.p12
 Remove-Item -path ${{ runner.temp }} -include certificate.base64
- Import-PfxCertificate `
- -FilePath ${{ runner.temp }}/certificate.pfx `
- -CertStoreLocation Cert:\CurrentUser\My `
- -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
-
- echo "certFilePath=${{ runner.temp }}/certificate.pfx" >> $GITHUB_OUTPUT
+ echo "certFilePath=${{ runner.temp }}/Certificate_pkcs12.p12" >> $GITHUB_OUTPUT
 env:
- WINDOWS_CERTIFICATE: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING }}
- WINDOWS_CERTIFICATE_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+ SM_CLIENT_CERT_FILE_B64: ${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_FILE_B64 }}
 - name: Package release
 shell: bash
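Review bot: The `echo "certFilePath=…" >> $GITHUB_OUTPUT` line in the new PowerShell block does not, as far as I can tell, set a step output: in PowerShell the runner's output file is `$env:GITHUB_OUTPUT`, and a bare `$GITHUB_OUTPUT` is an undefined variable, so the line is redirected to `$null` and lost. Nothing in this patch reads `steps.import_win_signing_cert.outputs.certFilePath` either — the removed `WINDOWS_SIGNING_CERT_PATH` was its only visible consumer, and the `SM_CLIENT_CERT_FILE` added in the `@@ -174,8 +182,12 @@` hunk repeats the path as a literal — so either drop the line or write it as `"certFilePath=${{ runner.temp }}/Certificate_pkcs12.p12" | Out-File -FilePath $env:GITHUB_OUTPUT -Append` and have the env block reference the output, so the two cannot drift apart. The decoded `Certificate_pkcs12.p12` is a client credential that now stays in `runner.temp` for the remainder of the job; a trailing step with `if: always()` that removes it would bound its lifetime. The step these lines belong to begins before the hunk.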
@@ -137,6 +131,20 @@ runs:
 PLATFORM=Windows
 SHA256SUM_BIN=sha256sum
+ # Install DigiCert Signing Manager Tools
+ curl --silent --retry 3 --fail https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download \
+ -H "x-api-key:$SM_API_KEY" \
+ -o smtools-windows-x64.msi
+ msiexec -i smtools-windows-x64.msi -qn
+ PATH="/c/Program Files/DigiCert/DigiCert One Signing Manager Tools:${PATH}"
+ smksp_registrar.exe list
+ smctl.exe keypair ls
+ /c/Windows/System32/certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+ smksp_cert_sync.exe
+
+ # (signtool.exe) https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#installed-windows-sdks
+ PATH="/c/Program Files (x86)/Windows Kits/10/bin/${runner_arch}:${PATH}"
+
 else
 echo "ERROR: unexpected runner OS: ${RUNNER_OS}"
 exit 1
@@ -174,8 +182,12 @@ runs:
 XCODE_APP_LOADER_PASSWORD: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_PASSWORD }}
 XCODE_APP_LOADER_TEAM_ID: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_TEAM_ID }}
 # Windows signing
- WINDOWS_SIGNING_CERT_PATH: ${{ steps.import_win_signing_cert.outputs.certFilePath }}
- WINDOWS_SIGNING_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+ SM_CLIENT_CERT_PASSWORD: ${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_PASSWORD }}
+ SM_CLIENT_CERT_FILE: '${{ runner.temp }}\Certificate_pkcs12.p12'
+ SM_HOST: ${{ fromJSON(inputs.secrets).SM_HOST }}
+ SM_API_KEY: ${{ fromJSON(inputs.secrets).SM_API_KEY }}
+ SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ fromJSON(inputs.secrets).SM_CODE_SIGNING_CERT_SHA1_HASH }}
+ TIMESTAMP_SERVER: http://timestamp.digicert.com
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
diff --git a/forge.config.ts b/forge.config.ts
index 28817de7..d8bf89b8 100644
--- a/forge.config.ts
+++ b/forge.config.ts
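Review bot: The installer fetched on the `curl` line is run by `msiexec -i smtools-windows-x64.msi -qn` without any check on what was downloaded, and this is the package that gets to use the signing keypair; verifying its Authenticode signature first (PowerShell `Get-AuthenticodeSignature`, or `signtool verify /pa smtools-windows-x64.msi` once the SDK is on `PATH`) makes a truncated or substituted download fail closed instead of installing. `-H "x-api-key:$SM_API_KEY"` also places the API key on curl's command line, where it is visible to process listing on the runner; `-H @headerfile` with a file written from the env var and deleted afterwards keeps it out of argv. `--silent` without `--show-error` hides curl's own failure message, so a `--fail` exit leaves only an exit code in the log. `${runner_arch}` on the second `PATH=` line is not set in this hunk and presumably comes from earlier in the step, which starts before the hunk.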
@@ -25,8 +25,7 @@ if (process.env.NODE_ENV === 'production') {
 };
 winSigningConfig = {
- certificateFile: process.env.WINDOWS_SIGNING_CERT_PATH,
- certificatePassword: process.env.WINDOWS_SIGNING_PASSWORD,
+ signWithParams: `-sha1 ${process.env.SM_CODE_SIGNING_CERT_SHA1_HASH} -tr ${process.env.TIMESTAMP_SERVER} -td sha256 -fd sha256 -d balena-etcher`,
 };
 }
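Review bot: If `SM_CODE_SIGNING_CERT_SHA1_HASH` or `TIMESTAMP_SERVER` is unset, the template literal on the `signWithParams` line produces `-sha1 undefined -tr undefined …`, and the failure then surfaces from signtool with no hint about which variable is missing. A guard just before the assignment, `if (process.platform === 'win32' && !(process.env.SM_CODE_SIGNING_CERT_SHA1_HASH && process.env.TIMESTAMP_SERVER)) { throw new Error('SM_CODE_SIGNING_CERT_SHA1_HASH and TIMESTAMP_SERVER are required for Windows signing'); }`, fails fast with the cause; the platform test is there because the enclosing `NODE_ENV === 'production'` block, which starts before this hunk, may also be evaluated by the macOS packaging job where these variables are absent. A comment above the line would also help, since `-sha1` here is the certificate thumbprint that selects the key in the DigiCert KSP while `-fd sha256 -td sha256` choose the digest algorithms, and the two read as contradictory side by side.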