Commit
Test the keylocker signing in our pr-tests.
1 parent 04ba359, commit 7a97935
Showing 3 changed files with 56 additions and 7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# Setting Up KeyLocker Values | ||
|
||
To use `lando/code-sign-action` with your KeyLocker-distributed cert, you'll want to save sensitive values as GitHub Secrets, which then can be provided as inputs to `lando/code-sign-action` when you implement it in your GitHub Actions Workflow. | ||
|
||
|
||
1. Add KEYLOCKER_CLIENT_CERT | ||
|
||
- Cert is generated by an authorized signer user in the DigiCert One interface: https://one.digicert.com/account/access/administrators | ||
- Cert is only downloadable (and its password shown) once on creation. | ||
- Certs can't be uploaded into Keychain on MacOS due to incompatibilities with openssl versions: https://discussions.apple.com/thread/254518218 | ||
- Use openssl to open the cert: `openssl x509 -in your_cert.p12 -text -noout` | ||
- Base64 encode the cert: `base64 -i your_cert.p12 -o encoded_cert.b64` | ||
- Save the base64 encoded cert as a GitHub Secret (KEYLOCKER_CLIENT_CERT) | ||
|
||
1. Add KEYLOCKER_CLIENT_CERT_PASSWORD | ||
|
||
- Add the password you stored from Step 1 as a GitHub Secret (KEYLOCKER_CLIENT_CERT_PASSWORD) | ||
|
||
3. Add KEYLOCKER_API_KEY | ||
|
||
- API key is generated under your signer user in https://one.digicert.com/account/access/administrators | ||
|
||
4. Add KEYLOCKER_CERT_SHA1_HASH | ||
|
||
- This is the "fingerprint" value of the actual code signing cert found in your cert "order" in https://one.digicert.com/signingmanager/certificates-keylocker/ | ||
- Simply copy the `Fingerprint/thumbprint` value shown under "Certificate details" and save it as a GitHub Secret (KEYLOCKER_CERT_SHA1_HASH) | ||
|
||
5. Add KEYLOCKER_KEYPAIR_ALIAS | ||
|
||
- This is the `Keypair alias` value found under the "Keypair details" section in your "order" in https://one.digicert.com/signingmanager/certificates-keylocker/ | ||
- Copy that value (should start with `key_`) and save it as a GitHub Secret (KEYLOCKER_KEYPAIR_ALIAS) | ||
|
||
6. Hardcode keylocker-host value | ||
|
||
As of this writting, all Keylocker instances use the host value `https://clientauth.one.digicert.com`. Provide that value directly to `lando/code-sign-action` for the `keylocker-host` input. | ||
|
||
For further reference... | ||
|
||
|
||
- [DigiCert KeyLocker Setup Instructions](https://docs.digicert.com/en/digicert-keylocker/get-started.html) | ||
- [KeyLocker Secrets Setup](https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html#configure-github-secrets-488715) | ||
- [DigiCert SSM GitHub Action](https://github.com/digicert/ssm-code-signing): this is what we use underneath the hood. | ||
- [Another 3rd Party KeyLocker Action](https://github.com/cognitedata/code-sign-action): we | ||
- [GitHub Actions Docs]() | ||
- [GitHub Secrets Docs]() |
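Review bot: The inspection command on the line `- Use openssl to open the cert: `openssl x509 -in your_cert.p12 -text -noout`` will not work, because `openssl x509` reads a PEM or DER certificate and a `.p12` file is a PKCS#12 bundle; use `openssl pkcs12 -in your_cert.p12 -nokeys | openssl x509 -text -noout` (it prompts for the import password) so the reader can confirm the subject and expiry before encoding. The line `base64 -i your_cert.p12 -o encoded_cert.b64` is macOS-only syntax: GNU coreutils `base64` has no `-o` option and treats `-i` as ignore-garbage, so a portable form such as `base64 < your_cert.p12 > encoded_cert.b64` (with `-w0` on GNU so the secret stays on one line) would avoid a confusing failure on Linux runners. The numbered steps read `1.`, `1.`, `3.`, `4.`; the second `1. Add KEYLOCKER_CLIENT_CERT_PASSWORD` should be `2.`. Also, `As of this writting` should be `As of this writing`, the reference `[Another 3rd Party KeyLocker Action](https://github.com/cognitedata/code-sign-action): we` stops mid-sentence, and the last two references `[GitHub Actions Docs]()` and `[GitHub Secrets Docs]()` have empty link targets.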