chore: add a temporary github action for testing windows code signing changes #27
name: CHRIS CERT TEST | |
on: | |
pull_request: | |
branches: [main] | |
jobs: | |
chris-cert-test: | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Is this thing on | |
id: thing_on | |
run: | | |
echo "hi" | |
- name: Write client auth certificate file | |
id: write_client_auth_cert | |
env: | |
CLIENT_AUTH_CERT_BASE64_CONTENT: ${{ secrets.CODE_SIGNING_CERT_BASE64 }} | |
run: | | |
$p12Path = "cert.p12"; | |
$encodedBytes = [System.Convert]::FromBase64String($env:CLIENT_AUTH_CERT_BASE64_CONTENT); | |
Set-Content $p12Path -Value $encodedBytes -AsByteStream; | |
echo "p12_path=$p12Path" >> $ENV:GITHUB_OUTPUT | |
- name: Check cert output | |
run: | | |
echo "Checking the output of the write cert step" | |
echo "${{ steps.write_client_auth_cert.outputs.p12_path }}" | |
- name: Download digicert smtools | |
env: | |
SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }} | |
run: | | |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
shell: cmd | |
- name: Install digicert smtools | |
run: | | |
$procMain = Start-Process "msiexec" "/i smtools-windows-x64.msi /qn /l*! msi_install.log" -NoNewWindow -PassThru | |
echo $null >> msi_install.log | |
$procLog = Start-Process "powershell" "Get-Content -Path msi_install.log -Wait" -NoNewWindow -PassThru | |
$procMain.WaitForExit() | |
$procLog.Kill() | |
shell: powershell | |
- name: Add digicert tools to path | |
run: | | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
shell: bash | |
- name: Check path | |
run: | | |
echo %path% | |
shell: cmd | |
- name: List digicert dir | |
run: | | |
dir "C:\Program Files" | |
dir "C:\Program Files\Amazon" | |
dir "C:\Program Files\DigiCert" | |
dir "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" | |
shell: cmd | |
- name: Verify KSP Registration | |
env: | |
SM_HOST: ${{ secrets.CODE_SIGNING_HOST }} | |
SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }} | |
# SM_CLIENT_CERT_FILE: "D:\\a\\momento-cli\\momento-cli\\cert.p12" | |
SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}" | |
# SM_CLIENT_CERT_FILE: "butt" | |
SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }} | |
run: | | |
smksp_registrar.exe list | |
dir | |
smksp_registrar.exe list | |
smctl.exe keypair ls | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
smksp_cert_sync.exe | |
smctl healthcheck | |
shell: cmd | |
- name: Signing using Signtool | |
env: | |
SM_HOST: ${{ secrets.CODE_SIGNING_HOST }} | |
SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }} | |
# SM_CLIENT_CERT_FILE: "D:\\a\\momento-cli\\momento-cli\\cert.p12" | |
SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}" | |
# SM_CLIENT_CERT_FILE: "butt" | |
SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }} | |
run: | | |
signtool.exe sign /sha1 ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "smtools-windows-x64.msi" | |
signtool.exe verify /v /pa "smtools-windows-x64.msi" | |
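Review bot: The `Download digicert smtools` step saves whatever the server returns and the `Install digicert smtools` step runs it through `msiexec` with no integrity check, in a job that also holds the signing API key, the client certificate and its password. Add `--fail` to the `curl` call so an HTTP error body is not written out as `smtools-windows-x64.msi`. Gate the install on the installer's Authenticode signature, for example `if ((Get-AuthenticodeSignature smtools-windows-x64.msi).Status -ne 'Valid') { exit 1 }` ahead of `Start-Process "msiexec"`, ideally also comparing the signer subject with the expected publisher. Separately, the `Signing using Signtool` step expands `${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }}` directly into the script text; passing it through the step's `env:` block like the other secrets and referencing the environment variable in the `signtool.exe sign` command keeps the value out of the generated script.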