
Commit 39e5171

authored
CM-23216 - Sign Windows CLI executable (#158)
1 parent b6d966f commit 39e5171

7 files changed

Lines changed: 56 additions & 1 deletion


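--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH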

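--- a/.github/workflows/build_executable.yml
+++ b/.github/workflows/build_executable.yml
@@ -51,6 +51,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH
@@ -108,10 +110,51 @@ jobs:
 # we can't staple the app because it's executable. we should only staple app bundles like .dmg
 # xcrun stapler staple dist/cycode
 
-- name: Test signed executable
+- name: Test macOS signed executable
 if: ${{ startsWith(matrix.os, 'macos') }}
 run: ./dist/cycode version
 
+- name: Import cert for Windows and setup envs
+if: ${{ startsWith(matrix.os, 'windows') }}
+env:
+SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+run: |
+# import certificate
+echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12
+echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+
+# add required soft to the path
+echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
+
+- name: Sign Windows executable
+if: ${{ startsWith(matrix.os, 'windows') }}
+shell: cmd
+env:
+SM_HOST: ${{ secrets.SM_HOST }}
+SM_API_KEY: ${{ secrets.SM_API_KEY }}
+SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
+run: |
+:: setup SSM KSP
+curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
+msiexec /i smtools-windows-x64.msi /quiet /qn
+C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+smksp_cert_sync.exe
+
+:: sign executable
+signtool.exe sign /sha1 %SM_CODE_SIGNING_CERT_SHA1_HASH% /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ".\dist\cycode.exe"
+
+- name: Test Windows signed executable
+if: ${{ startsWith(matrix.os, 'windows') }}
+shell: cmd
+run: |
+:: call executable and expect correct output
+.\dist\cycode.exe version
+
+:: verify signature
+signtool.exe verify /v /pa ".\dist\cycode.exe"
+
 - uses: actions/upload-artifact@v3
 with:
 name: cycode-cli-${{ matrix.os }}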
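Review bot: In the `Test Windows signed executable` step a non-zero exit from `.\dist\cycode.exe version` is masked, because a cmd batch script continues past a failing command and only the status of the last one (`signtool.exe verify`) decides the step result; append `|| exit /b 1` to that line, e.g. `.\dist\cycode.exe version || exit /b 1`, so a broken build actually fails the job. The same pattern is needed on the `curl`, `msiexec`, `certutil.exe` and `smksp_cert_sync.exe` lines of `Sign Windows executable`, where a failed download or install currently only surfaces as a later, less specific signtool error. The `curl` fetch of `smtools-windows-x64.msi` is then handed to `msiexec /quiet` without `-f` (an HTTP error body would be written to the .msi and installed) and without any integrity check of the downloaded installer; adding `-f` is a one-token fix, and pinning a vendor-published checksum is worth considering since this tool holds the signing credentials. The decoded `Certificate_pkcs12.p12` written to `/d/` in `Import cert for Windows and setup envs` is never removed; that is harmless on an ephemeral hosted runner but would persist on a self-hosted one, so a final cleanup step with `if: always()` is advisable. The enclosing job and its steps before line 51 are outside this diff.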

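--- a/.github/workflows/pre_release.yml
+++ b/.github/workflows/pre_release.yml
@@ -46,6 +46,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH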

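--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,6 +45,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH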

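--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH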

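--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -39,6 +39,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH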

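--- a/.github/workflows/tests_full.yml
+++ b/.github/workflows/tests_full.yml
@@ -52,6 +52,8 @@ jobs:
 - name: Setup Poetry
 if: steps.cached-poetry.outputs.cache-hit != 'true'
 uses: snok/install-poetry@v1
+with:
+version: 1.5.1
 
 - name: Add Poetry to PATH
 run: echo "$HOME/.local/bin" >> $GITHUB_PATH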
