From 7fd9def73e31180c851b591d25c668264dc65e66 Mon Sep 17 00:00:00 2001 From: Neil Campbell Date: Mon, 15 Jul 2024 22:45:45 +0800 Subject: [PATCH] chore: test signing --- .../build-binaries/windows/action.yaml | 92 ++++++++++++------- .github/workflows/pr.yaml | 6 +- 2 files changed, 64 insertions(+), 34 deletions(-) diff --git a/.github/actions/build-binaries/windows/action.yaml b/.github/actions/build-binaries/windows/action.yaml index 51a9d27e..7af57a38 100644 --- a/.github/actions/build-binaries/windows/action.yaml +++ b/.github/actions/build-binaries/windows/action.yaml @@ -42,28 +42,43 @@ runs: run: | echo winget > ${{ env.BINARY_BUILD_DIR }}\_internal\algokit\resources\distribution-method + - name: Sign executable + uses: azure/trusted-signing-action@v0.3.20 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: https://weu.codesigning.azure.net/ + trusted-signing-account-name: "Algorand Foundation" + certificate-profile-name: algokit + files-folder: ${{ env.BINARY_BUILD_DIR }} + files-folder-filter: exe + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + # We only sign the release artifacts, as each signing request will use up the HSM quota - - name: Download signing certificate - if: ${{ inputs.production_release == 'true' }} - run: | - signing_cert="${{ runner.temp }}\code_signing_cert.pfx" - echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV - echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert - shell: bash + # - name: Download signing certificate + # if: ${{ inputs.production_release == 'true' }} + # run: | + # signing_cert="${{ runner.temp }}\code_signing_cert.pfx" + # echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV + # echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert + # shell: bash - - name: Import signing certificate - if: ${{ inputs.production_release == 'true' }} - shell: pwsh - run: | - Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null + # - name: Import signing certificate + # if: ${{ inputs.production_release == 'true' }} + # shell: pwsh + # run: | + # Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null - - name: Sign executable - if: ${{ inputs.production_release == 'true' }} - shell: pwsh - run: | - $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe' - signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath - # signtool verify /v /pa $executablePath + # - name: Sign executable + # if: ${{ inputs.production_release == 'true' }} + # shell: pwsh + # run: | + # $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe' + # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath + # # signtool verify /v /pa $executablePath - name: Build winget installer shell: pwsh @@ -74,19 +89,34 @@ runs: -outputFile '${{ env.WINGET_INSTALLER }}' - name: Sign winget installer - if: ${{ inputs.production_release == 'true' }} - shell: pwsh - run: | - signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }} - # signtool verify /v /pa ${{ env.WINGET_INSTALLER }} + uses: azure/trusted-signing-action@v0.3.20 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: https://weu.codesigning.azure.net/ + trusted-signing-account-name: "Algorand Foundation" + certificate-profile-name: algokit + files-folder: ${{ env.WINGET_INSTALLER }} + files-folder-filter: msix + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 - - name: Remove signing certificate - if: ${{ inputs.production_release == 'true' }} - shell: pwsh - run: | - $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' } - Remove-Item -Path $cert.PSPath - Remove-Item -Path ${{ env.SIGNING_CERT }} + # - name: Sign winget installer + # if: ${{ inputs.production_release == 'true' }} + # shell: pwsh + # run: | + # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }} + # # signtool verify /v /pa ${{ env.WINGET_INSTALLER }} + + # - name: Remove signing certificate + # if: ${{ inputs.production_release == 'true' }} + # shell: pwsh + # run: | + # $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' } + # Remove-Item -Path $cert.PSPath + # Remove-Item -Path ${{ env.SIGNING_CERT }} - name: Upload winget artifact uses: actions/upload-artifact@v4 diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 43391b3f..1c5725d4 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -1,9 +1,9 @@ name: Codebase validation on: - pull_request: - schedule: - - cron: "0 8 * * 1" # Each monday 8 AM UTC + push: + branches: + - sign-test concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}