forked from cognitedata/code-sign-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
163 lines (150 loc) · 6.98 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: "Sign file"
description: "Sign a file using a DigiCert code signing certificate."
branding:
icon: lock
color: green
inputs:
certificate-host:
description: "The host of the certificate."
default: https://clientauth.one.digicert.com
certificate:
description: "The certificate to use for signing. Must be in base64."
required: true
api-key:
description: "The API key to use for signing."
required: true
certificate-password:
description: "The password for the certificate."
required: true
keypair-alias:
description: "The alias of the keypair to use for signing."
required: true
certificate-fingerprint:
description: "The fingerprint of the certificate to use for signing."
required: true
path:
description: "A path to a file or a folder that contains the files to sign."
runs:
using: "composite"
steps:
- name: Setup Certificate on Windows
if: runner.os == 'Windows' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
run: |
echo "${{ inputs.certificate }}" | base64 --decode > /d/code_signing_github_actions.p12
echo "SM_CLIENT_CERT_FILE=D:\\code_signing_github_actions.p12" >> "$GITHUB_ENV"
- name: Setup Certificate on Linux
if: runner.os == 'Linux' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
run: |
echo "${{ inputs.certificate }}" | base64 --decode | sudo install -D /dev/stdin /d/code_signing_github_actions.p12
echo "SM_CLIENT_CERT_FILE=/d/code_signing_github_actions.p12" >> "$GITHUB_ENV"
- name: Check that all required inputs are given
shell: bash
run: |
[[ "${{ inputs.api-key }}" ]] || { echo "input 'api-key' is empty"; exit 1; }
[[ "${{ inputs.certificate-password }}" ]] || { echo "input 'certificate-password' is empty"; exit 1; }
[[ "${{ inputs.keypair-alias }}" ]] || { echo "input 'keypair-alias' is empty"; exit 1; }
[[ "${{ inputs.certificate-fingerprint }}" ]] || { echo "input 'certificate-fingerprint' is empty"; exit 1; }
[[ -s /d/code_signing_github_actions.p12 ]] || { echo "input 'certificate' is empty"; exit 1; }
[[ -e "${{ inputs.path }}" ]] || { echo "input 'path' contains a non-existing file or folder: $p"; exit 1; }
- name: Inputs
shell: bash
run: |
echo "certificate-host: ${{ inputs.certificate-host }}"
echo "api-key: ${{ inputs.api-key }}"
echo "certificate-password: ${{ inputs.certificate-password }}"
echo "keypair-alias: ${{ inputs.keypair-alias }}"
echo "certificate-fingerprint: ${{ inputs.certificate-fingerprint }}"
echo "path: ${{ inputs.path }}"
- name: Install smtools for Windows
if: runner.os == 'Windows' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: cmd
env:
SM_HOST: ${{ inputs.certificate-host }}
SM_API_KEY: ${{ inputs.api-key }}
SM_CLIENT_CERT_PASSWORD: ${{ inputs.certificate-password }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
run: |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
msiexec /i smtools-windows-x64.msi /quiet /qn
- name: Set variables for Windows
if: runner.os == 'Windows' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
run: |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
- name: Sign with smctl on Windows
if: runner.os == 'Windows'
shell: powershell
env:
GITHUB_WORKSPACE: ${{ github.workspace }}
SM_HOST: ${{ inputs.certificate-host }}
SM_API_KEY: ${{ inputs.api-key }}
SM_CLIENT_CERT_PASSWORD: ${{ inputs.certificate-password }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
run: |
smctl windows certsync --keypair-alias="${{ inputs.keypair-alias }}"
$file_path = "${{ env.GITHUB_WORKSPACE }}\${{ inputs.path }}"
$files_to_sign = @()
if (Test-Path -Path $file_path -PathType Leaf) {
$files_to_sign = @([PSCustomObject]@{FullName = $file_path})
}
else {
Get-ChildItem -Path $file_path -File -Recurse
$files_to_sign = @(Get-ChildItem -Path $file_path -File -Recurse)
}
foreach ( $f in $files_to_sign )
{
smctl sign --fingerprint ${{ inputs.certificate-fingerprint }} --input $f.FullName
smctl sign verify --input $f.FullName
}
- name: Install smtools for Linux
if: runner.os == 'Linux' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
env:
SM_HOST: ${{ inputs.certificate-host }}
SM_API_KEY: ${{ inputs.api-key }}
SM_CLIENT_CERT_PASSWORD: ${{ inputs.certificate-password }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
run: |
# Make a temporary directory to store the smtools
INSTALL_DIR=$(mktemp -d -t smtools-XXXXX)
cd $INSTALL_DIR
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-linux-x64.tar.gz/download -H "x-api-key:$SM_API_KEY" -o linux-x64.tar.gz
tar x -zf linux-x64.tar.gz
echo "$PWD/smtools-linux-x64" >> $GITHUB_PATH
# Create pkcs11properties.cfg
echo -e "name=signingmanager\r\nlibrary=$PWD/smtools-linux-x64/smpkcs11.so\r\nslotListIndex=0" >> pkcs11properties.cfg
cat pkcs11properties.cfg
echo "PKCS11_CONFIG=$PWD/pkcs11properties.cfg" >> "$GITHUB_ENV"
- name: Create pkcs11properties.cfg
if: runner.os == 'Linux' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
run: |
- name: Install Jsign for Linux signing
if: runner.os == 'Linux' && (!contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE'))
shell: bash
run: |
curl -fSslL https://github.com/ebourg/jsign/releases/download/3.1/jsign_3.1_all.deb -o jsign_3.1_all.deb
sudo dpkg --install jsign_3.1_all.deb
- name: Sign with smctl on Linux
if: runner.os == 'Linux'
shell: bash
env:
SM_HOST: ${{ inputs.certificate-host }}
SM_API_KEY: ${{ inputs.api-key }}
SM_CLIENT_CERT_PASSWORD: ${{ inputs.certificate-password }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
run: |
file_path="${{ inputs.path }}"
for f in $(find $file_path -type f); do
echo $f
smctl sign -v --keypair-alias="${{ inputs.keypair-alias }}" --config-file="$PKCS11_CONFIG" --fingerprint "${{ inputs.certificate-fingerprint }}" --input "$f"
done
- name: Mark dependencies as installed
if: ${{ !contains(env.DIGICERT_DEPS_INSTALLED, 'TRUE') }}
shell: bash
run: |
echo "DIGICERT_DEPS_INSTALLED=TRUE" >> "$GITHUB_ENV"