From 7510babc99e7bd310ee4f81d90dc593f70321ec3 Mon Sep 17 00:00:00 2001 From: ypoplavs <45286051+ypoplavs@users.noreply.github.com> Date: Wed, 30 Oct 2024 21:14:26 +0200 Subject: [PATCH] ci: update certificate for signing MSI (#6000) update certificate for signing MS --- .github/workflows/release-dev.yaml | 32 ++++++++++++++++-------------- .github/workflows/release.yaml | 32 ++++++++++++++++-------------- 2 files changed, 34 insertions(+), 30 deletions(-) diff --git a/.github/workflows/release-dev.yaml b/.github/workflows/release-dev.yaml index b7f0e15489..f8f4a5cceb 100644 --- a/.github/workflows/release-dev.yaml +++ b/.github/workflows/release-dev.yaml @@ -255,14 +255,6 @@ jobs: name: testkube_windows path: windows - - name: Get MSFT Cert - id: write_file - uses: timheuer/base64-to-file@v1.2 - with: - fileName: "kubeshop_msft.p12" - fileDir: "./temp/" - encodedString: ${{ secrets.CERT_MSFT_KUBESHOP_P12_B64 }} - - name: Create and Sign MSI run: | Copy-Item 'windows\testkube_windows_386\kubectl-testkube.exe' '.\kubectl-testkube.exe' @@ -271,10 +263,17 @@ jobs: Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat' & "$env:WIX\bin\candle.exe" *.wxs & "$env:WIX\bin\light.exe" *.wixobj - & "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" sign /f "$env:P12_CERT" /p "$env:P12_PASSWORD" /d "Kubetest by Kubeshop" /tr http://timestamp.digicert.com testkube.msi - env: - P12_CERT: ${{ steps.write_file.outputs.filePath }} - P12_PASSWORD: ${{ secrets.CERT_MSFT_KUBESHOP_P12_PASSWORD }} + + - name: Sign Artifact with CodeSignTool + uses: sslcom/esigner-codesign@develop + with: + command: sign + username: ${{ secrets.ES_USERNAME }} + password: ${{ secrets.ES_PASSWORD }} + totp_secret: ${{ secrets.ES_TOTP_SECRET }} + file_path: testkube.msi + output_path: ${GITHUB_WORKSPACE}\artifacts + malware_block: false - name: Get tag id: tag 
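Review bot: The new `Sign Artifact with CodeSignTool` step references `sslcom/esigner-codesign@develop`, a mutable branch, while passing that action `ES_USERNAME`, `ES_PASSWORD` and `ES_TOTP_SECRET`; whatever lands on that branch next runs in the release job with the signing credentials. Pin the action to a reviewed full commit SHA, e.g. `uses: sslcom/esigner-codesign@<full-commit-sha> # <release tag>`, and update it deliberately. The step also sets `malware_block: false`, which as far as I can tell turns off the action's pre-signing malware scan; consider `malware_block: true`, or add a comment saying why it is disabled. The same step is added in the `@@ -263,10 +255,17 @@` hunk of `.github/workflows/release.yaml`. The job continues outside the hunk.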
@@ -293,18 +292,21 @@ jobs: id: checksum run: | $installer_name = $env:MSI_NAME - $hash=Get-FileHash testkube.msi + $installer_path = $env:MSI_PATH + $hash=Get-FileHash $installer_path $hash.Hash + " " + $installer_name + ".msi" >> msi_checksum.txt echo "::set-output name=INSTALLER_NAME::${installer_name}" + echo "::set-output name=INSTALLER_PATH::${installer_path}" #export MSI hash to environment $hashsum = $hash.Hash echo "::set-output name=CHECKSUM::${hashsum}" #copy MSI to choco directory to build a nuget package - Copy-Item -Path "testkube.msi" -Destination ".\choco\tools\$env:MSI_NAME.msi" + Copy-Item -Path "$installer_path" -Destination ".\choco\tools\$env:MSI_NAME.msi" env: MSI_NAME: testkube_${{steps.tag.outputs.tag}}_Windows_i386 + MSI_PATH: D:\a\testkube\testkube\artifacts\testkube.msi - name: Upload release binary uses: actions/upload-release-asset@v1.0.2 @@ -312,7 +314,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} with: upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: testkube.msi + asset_path: ${{steps.checksum.outputs.INSTALLER_PATH}} asset_name: ${{steps.checksum.outputs.INSTALLER_NAME}}.msi asset_content_type: application/octet-stream diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 75e8a20c78..c51d99a560 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -247,14 +247,6 @@ jobs: name: testkube_windows path: windows - - name: Get MSFT Cert - id: write_file - uses: timheuer/base64-to-file@v1.2 - with: - fileName: "kubeshop_msft.p12" - fileDir: "./temp/" - encodedString: ${{ secrets.CERT_MSFT_KUBESHOP_P12_B64 }} - - name: Create and Sign MSI run: | Copy-Item 'windows\testkube_windows_386\kubectl-testkube.exe' '.\kubectl-testkube.exe' 
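Review bot: Nothing in the `checksum` step confirms that the file at `MSI_PATH` is the signed installer before it is hashed, copied into the choco package and uploaded. `MSI_PATH` is also hard-coded to `D:\a\testkube\testkube\artifacts\testkube.msi`, which only holds while the runner keeps that workspace layout. Deriving it from the context, `MSI_PATH: ${{ github.workspace }}\artifacts\testkube.msi`, keeps it in step with the signing step's `output_path`. A guard before `Get-FileHash`, for example `if ((Get-AuthenticodeSignature $installer_path).Status -ne 'Valid') { throw 'testkube.msi is not validly signed' }`, would stop the release if signing produced no output or left an unsigned build at that path. The same lines appear in the `@@ -285,18 +284,21 @@` hunk of `release.yaml`, and the step starts above the hunk.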
@@ -263,10 +255,17 @@ jobs: Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat' & "$env:WIX\bin\candle.exe" *.wxs & "$env:WIX\bin\light.exe" *.wixobj - & "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" sign /f "$env:P12_CERT" /p "$env:P12_PASSWORD" /d "Kubetest by Kubeshop" /tr http://timestamp.digicert.com testkube.msi - env: - P12_CERT: ${{ steps.write_file.outputs.filePath }} - P12_PASSWORD: ${{ secrets.CERT_MSFT_KUBESHOP_P12_PASSWORD }} + + - name: Sign Artifact with CodeSignTool + uses: sslcom/esigner-codesign@develop + with: + command: sign + username: ${{ secrets.ES_USERNAME }} + password: ${{ secrets.ES_PASSWORD }} + totp_secret: ${{ secrets.ES_TOTP_SECRET }} + file_path: testkube.msi + output_path: ${GITHUB_WORKSPACE}\artifacts + malware_block: false - name: Get tag id: tag @@ -285,18 +284,21 @@ jobs: id: checksum run: | $installer_name = $env:MSI_NAME - $hash=Get-FileHash testkube.msi + $installer_path = $env:MSI_PATH + $hash=Get-FileHash $installer_path $hash.Hash + " " + $installer_name + ".msi" >> msi_checksum.txt echo "::set-output name=INSTALLER_NAME::${installer_name}" + echo "::set-output name=INSTALLER_PATH::${installer_path}" #export MSI hash to environment $hashsum = $hash.Hash echo "::set-output name=CHECKSUM::${hashsum}" #copy MSI to choco directory to build a nuget package - Copy-Item -Path "testkube.msi" -Destination ".\choco\tools\$env:MSI_NAME.msi" + Copy-Item -Path "$installer_path" -Destination ".\choco\tools\$env:MSI_NAME.msi" env: MSI_NAME: testkube_${{steps.tag.outputs.tag}}_Windows_i386 + MSI_PATH: D:\a\testkube\testkube\artifacts\testkube.msi - name: Upload release binary uses: actions/upload-release-asset@v1.0.2 
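Review bot: The added `echo "::set-output name=INSTALLER_PATH::${installer_path}"` line in the `checksum` step extends use of the `set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file. Writing `"INSTALLER_PATH=$installer_path" >> $env:GITHUB_OUTPUT` instead keeps the value out of the stdout command channel, where any log line of the right shape is interpreted as a command. The neighbouring `INSTALLER_NAME` and `CHECKSUM` outputs, and the matching hunk in `release-dev.yaml`, would take the same form.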
@@ -304,7 +306,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} with: upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: testkube.msi + asset_path: ${{steps.checksum.outputs.INSTALLER_PATH}} asset_name: ${{steps.checksum.outputs.INSTALLER_NAME}}.msi asset_content_type: application/octet-stream