Fix windows signing

Change-type: patch
This commit is contained in:
Otavio Jacobi 2024-03-06 08:06:27 -03:00
parent 9e4dd3fce2
commit 2e061845ae
3 changed files with 395 additions and 273 deletions


@ -69,18 +69,11 @@ runs:
if: runner.os == 'Windows' if: runner.os == 'Windows'
shell: powershell shell: powershell
run: | run: |
Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:WINDOWS_CERTIFICATE Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:SM_CLIENT_CERT_FILE_B64
certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/certificate.pfx certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/Certificate_pkcs12.p12
Remove-Item -path ${{ runner.temp }} -include certificate.base64 Remove-Item -path ${{ runner.temp }} -include certificate.base64
Import-PfxCertificate `
-FilePath ${{ runner.temp }}/certificate.pfx `
-CertStoreLocation Cert:\CurrentUser\My `
-Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
env: env:
WINDOWS_CERTIFICATE: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING }} SM_CLIENT_CERT_FILE_B64: ${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_FILE_B64 }}
WINDOWS_CERTIFICATE_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
# https://github.com/product-os/scripts/tree/master/shared # https://github.com/product-os/scripts/tree/master/shared
# https://github.com/product-os/balena-concourse/blob/master/pipelines/github-events/template.yml # https://github.com/product-os/balena-concourse/blob/master/pipelines/github-events/template.yml
@ -100,8 +93,21 @@ runs:
CSC_LINK=${{ fromJSON(inputs.secrets).APPLE_SIGNING }} CSC_LINK=${{ fromJSON(inputs.secrets).APPLE_SIGNING }}
elif [[ $runner_os =~ windows|win ]]; then elif [[ $runner_os =~ windows|win ]]; then
CSC_KEY_PASSWORD=${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }} SM_HOST=${{ fromJSON(inputs.secrets).SM_HOST }}
CSC_LINK='${{ runner.temp }}\certificate.pfx' SM_API_KEY=${{ fromJSON(inputs.secrets).SM_API_KEY }}
SM_CLIENT_CERT_FILE='${{ runner.temp }}\Certificate_pkcs12.p12'
SM_CLIENT_CERT_PASSWORD=${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_PASSWORD }}
SM_CODE_SIGNING_CERT_SHA1_HASH=${{ fromJSON(inputs.secrets).SM_CODE_SIGNING_CERT_SHA1_HASH }}
curl --silent --retry 3 --fail https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download \
-H "x-api-key:$SM_API_KEY" \
-o smtools-windows-x64.msi
msiexec -i smtools-windows-x64.msi -qn
PATH="/c/Program Files/DigiCert/DigiCert One Signing Manager Tools:${PATH}"
smksp_registrar.exe list
smctl.exe keypair ls
/c/Windows/System32/certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
smksp_cert_sync.exe
# patches/all/oclif.patch # patches/all/oclif.patch
MSYSSHELLPATH="$(which bash)" MSYSSHELLPATH="$(which bash)"
@ -119,8 +125,8 @@ runs:
# https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks # https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
# https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks # https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
CSC_FOR_PULL_REQUEST: true CSC_FOR_PULL_REQUEST: true
# https://sectigo.com/resource-library/time-stamping-server # https://docs.digicert.com/es/software-trust-manager/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html
TIMESTAMP_SERVER: http://timestamp.sectigo.com TIMESTAMP_SERVER: http://timestamp.digicert.com
# Apple notarization (automation/build-bin.ts) # Apple notarization (automation/build-bin.ts)
XCODE_APP_LOADER_EMAIL: ${{ inputs.XCODE_APP_LOADER_EMAIL }} XCODE_APP_LOADER_EMAIL: ${{ inputs.XCODE_APP_LOADER_EMAIL }}
XCODE_APP_LOADER_PASSWORD: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_PASSWORD }} XCODE_APP_LOADER_PASSWORD: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_PASSWORD }}
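Review bot: The smtools MSI fetched by the curl call in the second hunk is installed by `msiexec -i smtools-windows-x64.msi -qn` with no integrity check, so the signing toolchain for every Windows release is whatever that download URL returns at run time. Before the msiexec line, verify the installer's Authenticode signature, e.g. `[[ "$(powershell -NoProfile -Command '(Get-AuthenticodeSignature smtools-windows-x64.msi).Status')" == Valid ]] || { echo 'smtools MSI signature invalid' >&2; exit 1; }`, and ideally pin the expected hash of the release as well. The new SM_HOST, SM_API_KEY and SM_CLIENT_CERT_PASSWORD assignments in the same hunk splice secrets into the script text via `${{ }}` expressions, whereas the PowerShell step in the first hunk passes its secret through `env:`; the bash step would be safer doing the same. The enclosing `run:` block starts and ends outside the visible hunk.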


@ -435,18 +435,20 @@ async function renameInstallerFiles() {
* https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe * https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
*/ */
async function signWindowsInstaller() { async function signWindowsInstaller() {
if (process.env.CSC_LINK && process.env.CSC_KEY_PASSWORD) { if (process.env.SM_CODE_SIGNING_CERT_SHA1_HASH) {
const exeName = renamedOclifInstallers[process.platform]; const exeName = renamedOclifInstallers[process.platform];
console.log(`Signing installer "${exeName}"`); console.log(`Signing installer "${exeName}"`);
// trust ... // trust ...
await execFileAsync('signtool.exe', [ await execFileAsync('signtool.exe', [
'sign', 'sign',
'-t', '-sha1',
process.env.SM_CODE_SIGNING_CERT_SHA1_HASH,
'-tr',
process.env.TIMESTAMP_SERVER || 'http://timestamp.comodoca.com', process.env.TIMESTAMP_SERVER || 'http://timestamp.comodoca.com',
'-f', '-td',
process.env.CSC_LINK, 'SHA256',
'-p', '-fd',
process.env.CSC_KEY_PASSWORD, 'SHA256',
'-d', '-d',
`balena-cli ${version}`, `balena-cli ${version}`,
exeName, exeName,
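Review bot: The `'-sha1'` argument inserted after `'sign'` reads like a weak digest choice but is signtool's certificate selector by thumbprint, while the file and timestamp digests are the `'-fd', 'SHA256'` and `'-td', 'SHA256'` pairs further down; a comment on that line, `// -sha1 selects the signing cert by thumbprint; digest algorithms are set by -fd/-td`, would spare the next reader a lookup. The fallback `'http://timestamp.comodoca.com'` on the `-tr` line is unchanged even though the timestamp flag switched from `-t` to the RFC 3161 `-tr`, so confirm that URL serves RFC 3161 or align the default with the server the workflow now sets. The body of signWindowsInstaller continues past the end of the hunk.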

npm-shrinkwrap.json generated
