Commit 63a48c5

use eToken for signing (#2599)
* use eToken for signing * update workflow: for Windows we now have a bare certificate and no longer a PFX container * remove double quotes, they cause errors with the new version of openssl: `Could not read certificate from <stdin>`
1 parent 8b78c05 commit 63a48c5


3 files changed

+56
-35
lines changed


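--- a/.github/workflows/check-certificates.yml
+++ b/.github/workflows/check-certificates.yml
@@ -36,9 +36,11 @@ jobs:
 - identifier: macOS signing certificate # Text used to identify certificate in notifications.
 certificate-secret: INSTALLER_CERT_MAC_P12 # Name of the secret that contains the certificate.
 password-secret: INSTALLER_CERT_MAC_PASSWORD # Name of the secret that contains the certificate password.
+type: pkcs12
 - identifier: Windows signing certificate
-certificate-secret: INSTALLER_CERT_WINDOWS_PFX
-password-secret: INSTALLER_CERT_WINDOWS_PASSWORD
+certificate-secret: INSTALLER_CERT_WINDOWS_CER
+# The password for the Windows certificate is not needed, because its not a container, but a single certificate.
+type: x509
 
 steps:
 - name: Set certificate path environment variable
@@ -57,7 +59,7 @@ jobs:
 CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
 run: |
 (
-openssl pkcs12 \
+openssl ${{ matrix.certificate.type }} \
 -in "${{ env.CERTIFICATE_PATH }}" \
 -legacy \
 -noout \
@@ -84,26 +86,43 @@ jobs:
 CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
 id: get-days-before-expiration
 run: |
-EXPIRATION_DATE="$(
-(
-openssl pkcs12 \
--in "${{ env.CERTIFICATE_PATH }}" \
--clcerts \
--legacy \
--nodes \
--passin env:CERTIFICATE_PASSWORD
-) | (
-openssl x509 \
--noout \
--enddate
-) | (
-grep \
---max-count=1 \
---only-matching \
---perl-regexp \
-'notAfter=(\K.*)'
-)
-)"
+if [[ ${{ matrix.certificate.type }} == "pkcs12" ]]; then
+EXPIRATION_DATE="$(
+(
+openssl pkcs12 \
+-in ${{ env.CERTIFICATE_PATH }} \
+-clcerts \
+-legacy \
+-nodes \
+-passin env:CERTIFICATE_PASSWORD
+) | (
+openssl x509 \
+-noout \
+-enddate
+) | (
+grep \
+--max-count=1 \
+--only-matching \
+--perl-regexp \
+'notAfter=(\K.*)'
+)
+)"
+elif [[ ${{ matrix.certificate.type }} == "x509" ]]; then
+EXPIRATION_DATE="$(
+(
+openssl x509 \
+-in ${{ env.CERTIFICATE_PATH }} \
+-noout \
+-enddate
+) | (
+grep \
+--max-count=1 \
+--only-matching \
+--perl-regexp \
+'notAfter=(\K.*)'
+)
+)"
+fi
 
 DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
 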
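Review bot: The new `if`/`elif` on `matrix.certificate.type` has no `else`, so a matrix entry with any other type silently leaves `EXPIRATION_DATE` empty and the later `date --utc --date="$EXPIRATION_DATE"` resolves to today, turning a configuration mistake into a bogus 0-day warning instead of a failed job. Add `else echo "::error::unsupported certificate type: ${{ matrix.certificate.type }}"; exit 1` before `fi`, and quote the tested value (`if [[ "${{ matrix.certificate.type }}" == "pkcs12" ]]`) so an empty type is a clean mismatch rather than a bash syntax error. In the second hunk `openssl ${{ matrix.certificate.type }}` is still followed by `-legacy` for both types; `-legacy` is a pkcs12 option and `openssl x509` will most likely reject it, so that verify step probably needs the same per-type split (the command continues past the end of that hunk). The new `-in ${{ env.CERTIFICATE_PATH }}` lines are unquoted while the one in the second hunk is still quoted; if dropping the quotes really was required, the remaining quoted one should be changed the same way for consistency.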
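--- a/.github/workflows/publish-go-nightly-task.yml
+++ b/.github/workflows/publish-go-nightly-task.yml
@@ -174,19 +174,18 @@ jobs:
 path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
 create-windows-installer:
-runs-on: windows-latest
+runs-on: windows-sign-pc
 needs: create-nightly-artifacts
 
 defaults:
 run:
 shell: bash
 
 env:
-INSTALLER_CERT_WINDOWS_PFX: "/tmp/cert.pfx"
+INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
 # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
 # Keep in mind that this path could change when upgrading to a new runner version
-# https://github.com/actions/runner-images/blob/main/images/win/Windows2022-Readme.md#installed-windows-sdks
-SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe"
+SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
 
 steps:
 - name: Checkout repository
@@ -211,14 +210,16 @@ jobs:
 MSBuild.exe ./installer/cli.wixproj -p:SourceDir="$SOURCE_DIR" -p:OutputPath="${GITHUB_WORKSPACE}/${{ env.DIST_DIR }}" -p:OutputName="$PACKAGE_FILENAME" -p:ProductVersion="$WIX_VERSION"
 
 - name: Save Win signing certificate to file
-run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_PFX}}
+run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}}
 
 - name: Sign MSI
 env:
 MSI_FILE: ${{ steps.buildmsi.outputs.msi }} # this comes from .installer/cli.wixproj
 CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+# https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
 run: |
-"${{ env.SIGNTOOL_PATH }}" sign -d "Arduino CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_PFX}} -p ${{ env.CERT_PASSWORD }} -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${{ env.MSI_FILE }}"
+"${{ env.SIGNTOOL_PATH }}" sign -d "Arduino CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${{ env.MSI_FILE }}"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v3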
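--- a/.github/workflows/release-go-task.yml
+++ b/.github/workflows/release-go-task.yml
@@ -174,19 +174,18 @@ jobs:
 path: ${{ env.DIST_DIR }}/${{ env.PACKAGE_FILENAME }}
 
 create-windows-installer:
-runs-on: windows-latest
+runs-on: windows-sign-pc
 needs: create-release-artifacts
 
 defaults:
 run:
 shell: bash
 
 env:
-INSTALLER_CERT_WINDOWS_PFX: "/tmp/cert.pfx"
+INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
 # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
 # Keep in mind that this path could change when upgrading to a new runner version
-# https://github.com/actions/runner-images/blob/main/images/win/Windows2022-Readme.md#installed-windows-sdks
-SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe"
+SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
 
 steps:
 - name: Checkout repository
@@ -211,14 +210,16 @@ jobs:
 MSBuild.exe ./installer/cli.wixproj -p:SourceDir="$SOURCE_DIR" -p:OutputPath="${GITHUB_WORKSPACE}/${{ env.DIST_DIR }}" -p:OutputName="$PACKAGE_FILENAME" -p:ProductVersion="$WIX_TAG"
 
 - name: Save Win signing certificate to file
-run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_PFX}}
+run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}}
 
 - name: Sign MSI
 env:
 MSI_FILE: ${{ steps.buildmsi.outputs.msi }} # this comes from .installer/cli.wixproj
 CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+# https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
 run: |
-"${{ env.SIGNTOOL_PATH }}" sign -d "Arduino CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_PFX}} -p ${{ env.CERT_PASSWORD }} -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${{ env.MSI_FILE }}"
+"${{ env.SIGNTOOL_PATH }}" sign -d "Arduino CLI" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${{ env.MSI_FILE }}"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v3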
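Review bot: The `-k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}"` argument in the `Sign MSI` step expands the token PIN and container name at workflow-template time, so both secrets are embedded verbatim in the shell script the runner writes to disk, and a quote, `$` or backtick inside either value would alter the command. Since the step already exports them as environment variables, the shell form `-k "[{{$CERT_PASSWORD}}]=$CONTAINER_NAME"` gives the same argument to signtool without the expansion, and `-f "$INSTALLER_CERT_WINDOWS_CER"` should be quoted in the same pass. This is the release workflow, so it is worth noting that moving the job to `runs-on: windows-sign-pc` also moves checkout and the WiX build onto the host that owns the hardware token; if the trigger ever broadens beyond tag pushes, I would split the build onto a hosted runner and keep only the `signtool` step on the self-hosted signer.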
