Test the keylocker signing in our pr-tests.

lando · May 2, 2024 · 7a97935 · 7a97935
1 parent 04ba359
commit 7a97935
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 7 deletions.
diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
@@ -18,13 +18,14 @@ jobs:
             file: dist/@lando/code-sign-action
             certificate-data: APPLE_CERT_DATA
             certificate-password: APPLE_CERT_PASSWORD
-            apple-team-id: FY8GAUX282
           - os: ubuntu-22.04
             file: dist/@lando/code-sign-action
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
           - os: windows-2022
             file: dist/@lando/code-sign-action.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -48,8 +49,12 @@ jobs:
           file: ${{ matrix.file }}
           certificate-data: ${{ secrets[matrix.certificate-data] }}
           certificate-password: ${{ secrets[matrix.certificate-password] }}
-          apple-team-id: ${{ matrix.apple-team-id }}
-      - name: Test outputs
+          apple-team-id: FY8GAUX282
+          keylocker-host: https://clientauth.one.digicert.com
+          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
+      - name: Test outputs + execute file
         shell: bash
         env:
           FILE: ${{ steps.code-sign-action.outputs.file }}

diff --git a/KEYLOCKER_SETUP.md b/KEYLOCKER_SETUP.md
@@ -0,0 +1,45 @@
+# Setting Up KeyLocker Values
+
+To use `lando/code-sign-action` with your KeyLocker-distributed cert, you'll want to save sensitive values as GitHub Secrets, which then can be provided as inputs to `lando/code-sign-action` when you implement it in your GitHub Actions Workflow.
+
+
+1. Add KEYLOCKER_CLIENT_CERT
+
+- Cert is generated by an authorized signer user in the DigiCert One interface: https://one.digicert.com/account/access/administrators
+- Cert is only downloadable (and its password shown) once on creation.
+- Certs can't be uploaded into Keychain on MacOS due to incompatibilities with openssl versions: https://discussions.apple.com/thread/254518218
+- Use openssl to open the cert: `openssl x509 -in your_cert.p12 -text -noout`
+- Base64 encode the cert: `base64 -i your_cert.p12 -o encoded_cert.b64`
+- Save the base64 encoded cert as a GitHub Secret (KEYLOCKER_CLIENT_CERT)
+
+1. Add KEYLOCKER_CLIENT_CERT_PASSWORD
+
+- Add the password you stored from Step 1 as a GitHub Secret (KEYLOCKER_CLIENT_CERT_PASSWORD)
+
+3. Add KEYLOCKER_API_KEY
+
+- API key is generated under your signer user in https://one.digicert.com/account/access/administrators
+
+4. Add KEYLOCKER_CERT_SHA1_HASH
+
+- This is the "fingerprint" value of the actual code signing cert found in your cert "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
+- Simply copy the `Fingerprint/thumbprint` value shown under "Certificate details" and save it as a GitHub Secret (KEYLOCKER_CERT_SHA1_HASH)
+
+5. Add KEYLOCKER_KEYPAIR_ALIAS
+
+- This is the `Keypair alias` value found under the "Keypair details" section in your "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
+- Copy that value (should start with `key_`) and save it as a GitHub Secret (KEYLOCKER_KEYPAIR_ALIAS)
+
+6. Hardcode keylocker-host value
+
+As of this writting, all Keylocker instances use the host value `https://clientauth.one.digicert.com`. Provide that value directly to `lando/code-sign-action` for the `keylocker-host` input.
+
+For further reference...
+
+
+- [DigiCert KeyLocker Setup Instructions](https://docs.digicert.com/en/digicert-keylocker/get-started.html)
+- [KeyLocker Secrets Setup](https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html#configure-github-secrets-488715)
+- [DigiCert SSM GitHub Action](https://github.com/digicert/ssm-code-signing): this is what we use underneath the hood.
+- [Another 3rd Party KeyLocker Action](https://github.com/cognitedata/code-sign-action): we
+- [GitHub Actions Docs]()
+- [GitHub Secrets Docs]()
diff --git a/action.yml b/action.yml
@@ -9,7 +9,7 @@ inputs:
     description: "The file to sign"
     required: true
   certificate-data:
-    description: "A base64 encoded string of your p12 or pfx cert contents"
+    description: "A `base64` encoded string of your `p12` or `pfx` cert contents. Note: if you use KeyLocker, this will be the base64 encoded client certificate (`SM_CLIENT_CERT_FILE`)"
     required: true
   certificate-password:
     description: "The password to unlock the certificate-data"
@@ -199,7 +199,6 @@ runs:
         sudo dpkg --install jsign_3.1_all.deb
         file_path="${{ inputs.file }}"
         for f in $(find $file_path -type f); do
-          echo $f
           smctl sign -v --keypair-alias="${{ inputs.keylocker-keypair-alias }}" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f"
           smctl sign verify --input $f.FullName
         done