diff --git a/.github/actions/build-binaries/windows/action.yaml b/.github/actions/build-binaries/windows/action.yaml
index 7af57a38..3eacb1f7 100644
--- a/.github/actions/build-binaries/windows/action.yaml
+++ b/.github/actions/build-binaries/windows/action.yaml
@@ -12,14 +12,14 @@ inputs:
 production_release:
 description: "Flag to determine if this is a production release"
 required: true
- code_signing_cert:
- description: "The base64 encoded code signing certificate"
+ azure_tenant_id:
+ description: ""
 required: true
- code_signing_cert_sha1_hash:
- description: "The SHA1 hash of the code signing certificate"
+ azure_client_id:
+ description: ""
 required: true
- code_signing_cert_password:
- description: "The password for the code signing certificate"
+ azure_client_secret:
+ description: ""
 required: true
 runs:
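Review bot: The three inputs added in place of the code_signing_cert* trio carry `description: ""`, so the action's interface no longer says what each value is or which one is a credential. Fill them in, for example `description: "Azure tenant ID of the Trusted Signing service principal"`, `description: "Client (application) ID of the Trusted Signing service principal"` and `description: "Client secret of the Trusted Signing service principal; pass a workflow secret, never a literal"`. The inputs mapping is complete within the hunk; the steps that consume these values are in a later hunk of the same file.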
@@ -57,29 +57,6 @@ runs:
 timestamp-rfc3161: http://timestamp.acs.microsoft.com
 timestamp-digest: SHA256
- # We only sign the release artifacts, as each signing request will use up the HSM quota
- # - name: Download signing certificate
- # if: ${{ inputs.production_release == 'true' }}
- # run: |
- # signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
- # echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
- # echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
- # shell: bash
-
- # - name: Import signing certificate
- # if: ${{ inputs.production_release == 'true' }}
- # shell: pwsh
- # run: |
- # Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null
-
- # - name: Sign executable
- # if: ${{ inputs.production_release == 'true' }}
- # shell: pwsh
- # run: |
- # $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
- # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
- # # signtool verify /v /pa $executablePath
-
 - name: Build winget installer
 shell: pwsh
 run: |
@@ -91,9 +68,9 @@ runs:
 - name: Sign winget installer
 uses: azure/trusted-signing-action@v0.3.20
 with:
- azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
- azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ azure-tenant-id: ${{ inputs.azure_tenant_id }}
+ azure-client-id: ${{ inputs.azure_client_id }}
+ azure-client-secret: ${{ inputs.azure_client_secret }}
 endpoint: https://weu.codesigning.azure.net/
 trusted-signing-account-name: "Algorand Foundation"
 certificate-profile-name: algokit
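Review bot: `uses: azure/trusted-signing-action@v0.3.20` in the Sign winget installer step pins a third-party action that now receives the signing client secret to a mutable tag; for a release-signing step pin it to the full commit SHA and keep the tag as a comment, `uses: azure/trusted-signing-action@<commit-sha-of-v0.3.20> # v0.3.20` (placeholder). Moving the three keys from `secrets.*` to `inputs.*` is the right fix, since the `secrets` context is not available inside a composite action, but nothing in this hunk shows the step gated on `inputs.production_release`, and the comment removed in the previous hunk was the only record that only release artifacts are signed because each request consumes HSM quota; re-add that comment above this step if the gate exists, or add `if: ${{ inputs.production_release == 'true' }}` if it does not. The earlier signing step that ends at the `timestamp-digest: SHA256` context line has its `uses:` outside the hunk and likely needs the same pin.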
@@ -103,21 +80,6 @@ runs:
 timestamp-rfc3161: http://timestamp.acs.microsoft.com
 timestamp-digest: SHA256
- # - name: Sign winget installer
- # if: ${{ inputs.production_release == 'true' }}
- # shell: pwsh
- # run: |
- # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
- # # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
-
- # - name: Remove signing certificate
- # if: ${{ inputs.production_release == 'true' }}
- # shell: pwsh
- # run: |
- # $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
- # Remove-Item -Path $cert.PSPath
- # Remove-Item -Path ${{ env.SIGNING_CERT }}
-
 - name: Upload winget artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/build-binaries.yaml b/.github/workflows/build-binaries.yaml
index 57b3d44e..80f7d602 100644
--- a/.github/workflows/build-binaries.yaml
+++ b/.github/workflows/build-binaries.yaml
@@ -67,9 +67,9 @@ jobs:
 version: ${{ env.RELEASE_VERSION }}
 artifacts_dir: ${{ env.ARTIFACTS_DIR }}
 production_release: ${{ inputs.production_release }}
- code_signing_cert: ${{ secrets.SM_CODE_SIGNING_CERT }}
- code_signing_cert_sha1_hash: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
- code_signing_cert_password: ${{ secrets.SM_CODE_SIGNING_CERT_PASSWORD }}
+ azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 - name: Build linux binary
 if: ${{ runner.os == 'Linux' }}
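Review bot: The workflow hunk now hands `secrets.AZURE_TENANT_ID`, `secrets.AZURE_CLIENT_ID` and `secrets.AZURE_CLIENT_SECRET` to the composite action on every run of this job, regardless of `inputs.production_release`; the job header is outside the hunk, so confirm it declares a protected `environment:` so the signing client secret is only released to runs that satisfy that environment's rules. After this change nothing references the three `SM_CODE_SIGNING_CERT*` secrets, so remove them from the repository settings and retire the certificate they protected rather than leaving stale credentials configured. Nothing in the hunk shows whether any other caller of the windows action exists; if one does, it must supply the three new required inputs.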