Merge pull request #300 from momentohq/fix-windows-signing-key2

chore: fix windows signing key to use new cert
momentohq · Mar 26, 2024 · 491f57b · 491f57b
2 parents b12bc43 + aaaf8ef
commit 491f57b
Showing 1 changed file with 63 additions and 12 deletions.
diff --git a/.github/workflows/execute-release.yml b/.github/workflows/execute-release.yml
@@ -286,15 +286,63 @@ jobs:
           $distributableFile64Prefix = "momento-cli-$env:VERSION.windows_x64"
           echo "::set-output name=distributable_file_prefix::$distributableFile64Prefix"
 
-      - name: Write PFX certificate file
-        id: write_pfx
+      - name: Write client auth certificate file
+        id: write_client_auth_cert
         env:
-          PFX_CONTENT: ${{ secrets.CODE_SIGNING_CERT_BASE64 }}
+          CLIENT_AUTH_CERT_BASE64_CONTENT: ${{ secrets.CODE_SIGNING_CERT_BASE64 }}
         run: |
-          $pfxPath = "cert.pfx";
-          $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT);
-          Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
-          echo "::set-output name=pfx_path::$pfxPath";
+          $p12Path = "cert.p12";
+          $encodedBytes = [System.Convert]::FromBase64String($env:CLIENT_AUTH_CERT_BASE64_CONTENT);
+          Set-Content $p12Path -Value $encodedBytes -AsByteStream;
+          echo "p12_path=$p12Path" >> $ENV:GITHUB_OUTPUT
+
+      - name: Download digicert smtools
+        env:
+          SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
+        run: |
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
+        shell: cmd
+
+      - name: Install digicert smtools
+        run: |
+          $procMain = Start-Process "msiexec" "/i smtools-windows-x64.msi /qn /l*! msi_install.log" -NoNewWindow -PassThru
+          echo $null >> msi_install.log
+          $procLog = Start-Process "powershell" "Get-Content -Path msi_install.log -Wait" -NoNewWindow -PassThru
+          $procMain.WaitForExit()
+          $procLog.Kill()
+        shell: powershell
+
+      - name: Add digicert tools to path
+        run: |
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Check path
+        run: |
+          echo %path%
+        shell: cmd
+
+      - name: List digicert dir
+        run: |
+          dir "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools"
+        shell: cmd
+
+      - name: Verify KSP Registration
+        env:
+          SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
+          SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
+          SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
+        run: |
+          dir
+          smksp_registrar.exe list
+          smctl.exe keypair ls
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+          smksp_cert_sync.exe
+          smctl healthcheck
+        shell: cmd
 
       - name: Test and cache signtool path
         id: signtool
@@ -306,11 +354,14 @@ jobs:
       - name: Sign Momento binary
         env:
           SIGNTOOL_PATH: ${{ steps.signtool.outputs.signtool_path }}
-          CERT_PATH: ${{ steps.write_pfx.outputs.pfx_path }}
-          CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
           MOMENTO_BINARY_PATH: ${{ steps.build.outputs.momento_binary_path }}
+          SM_HOST: ${{ secrets.CODE_SIGNING_HOST }}
+          SM_API_KEY: ${{ secrets.CODE_SIGNING_API_KEY }}
+          SM_CLIENT_CERT_FILE: "${{ steps.write_client_auth_cert.outputs.p12_path }}"
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
         run: |
-          & $env:SIGNTOOL_PATH sign /fd SHA256 /a /f $env:CERT_PATH /p $env:CERT_PASSWORD /tr http://timestamp.digicert.com /td SHA256 $env:MOMENTO_BINARY_PATH
+          $env:SIGNTOOL_PATH sign /sha1 ${{ secrets.CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $env:MOMENTO_BINARY_PATH
+          $env:SIGNTOOL_PATH verify /v /pa $env:MOMENTO_BINARY_PATH
 
       - name: Create zip
         id: create_zip
@@ -343,7 +394,7 @@ jobs:
           $msiPath = ".\windows\installer\bin\Release\$msiFilename"
           echo "::set-output name=asset_path::$msiPath"
           echo "::set-output name=asset_name::$msiFilename"
-          
+
       - name: Sign installer
         env:
           SIGNTOOL_PATH: ${{ steps.signtool.outputs.signtool_path }}
@@ -455,7 +506,7 @@ jobs:
           VERSION: ${{ needs.release.outputs.version }}
           GITHUB_TOKEN: ${{ secrets.MOMENTO_MACHINE_USER_GITHUB_TOKEN }}
         run: .\wingetcreate.exe update momento.cli -s -v $env:VERSION -u $env:INSTALLER_URL -t $env:GITHUB_TOKEN
-          
+
   update-homebrew-formula:
     runs-on: ubuntu-latest
     needs: [ release, publish-linux-assets, publish-mac-assets ]