From 7a97935f6078fab2ad2ee90147c9a58d13e9bf57 Mon Sep 17 00:00:00 2001
From: Alec Reynolds
Date: Thu, 2 May 2024 14:35:23 -0700
Subject: [PATCH] Test the keylocker signing in our pr-tests.
---
 .github/workflows/pr-tests.yml | 15 ++++++++----
 KEYLOCKER_SETUP.md | 45 ++++++++++++++++++++++++++++++++++
 action.yml | 3 +--
 3 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 KEYLOCKER_SETUP.md
diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
index 4932547..99650f2 100644
--- a/.github/workflows/pr-tests.yml
+++ b/.github/workflows/pr-tests.yml
@@ -18,13 +18,14 @@ jobs:
 file: dist/@lando/code-sign-action
 certificate-data: APPLE_CERT_DATA
 certificate-password: APPLE_CERT_PASSWORD
- apple-team-id: FY8GAUX282
 - os: ubuntu-22.04
 file: dist/@lando/code-sign-action
+ certificate-data: KEYLOCKER_CLIENT_CERT
+ certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
 - os: windows-2022
 file: dist/@lando/code-sign-action.exe
- certificate-data: WINDOZE_CERT_DATA
- certificate-password: WINDOZE_CERT_PASSWORD
+ certificate-data: KEYLOCKER_CLIENT_CERT
+ certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
@@ -48,8 +49,12 @@ jobs:
 file: ${{ matrix.file }}
 certificate-data: ${{ secrets[matrix.certificate-data] }}
 certificate-password: ${{ secrets[matrix.certificate-password] }}
- apple-team-id: ${{ matrix.apple-team-id }}
- - name: Test outputs
+ apple-team-id: FY8GAUX282
+ keylocker-host: https://clientauth.one.digicert.com
+ keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+ keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+ keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
+ - name: Test outputs + execute file
 shell: bash
 env:
 FILE: ${{ steps.code-sign-action.outputs.file }}
diff --git a/KEYLOCKER_SETUP.md b/KEYLOCKER_SETUP.md
new file mode 100644
index 0000000..f41cbca
--- /dev/null
+++ b/KEYLOCKER_SETUP.md
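Review bot: In the second hunk the four keylocker-* inputs and the hard-coded `apple-team-id: FY8GAUX282` are passed to every matrix leg, so the macOS job — whose matrix entry in the first hunk still selects `APPLE_CERT_DATA` — now receives `KEYLOCKER_API_KEY`, `KEYLOCKER_CERT_SHA1_HASH` and `KEYLOCKER_KEYPAIR_ALIAS` it has no use for, while the ubuntu and windows legs receive an Apple team id. Scoping these per OS the way the removed `apple-team-id: ${{ matrix.apple-team-id }}` line did (a matrix field, or a step-level `if:` on `matrix.os`) keeps the KeyLocker secrets out of the job that signs with the Apple certificate, which is the least-privilege shape; whether the action simply ignores the unused inputs on a given OS is not visible here, so treat this as hardening unless it also breaks the macOS leg. The workflow trigger is outside the hunk, so I cannot tell whether fork pull requests reach this job with empty secrets; if they do, the ubuntu/windows legs will now fail at signing rather than skip.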
@@ -0,0 +1,45 @@
+# Setting Up KeyLocker Values
+
+To use `lando/code-sign-action` with your KeyLocker-distributed cert, you'll want to save sensitive values as GitHub Secrets, which then can be provided as inputs to `lando/code-sign-action` when you implement it in your GitHub Actions Workflow.
+
+
+1. Add KEYLOCKER_CLIENT_CERT
+
+- Cert is generated by an authorized signer user in the DigiCert One interface: https://one.digicert.com/account/access/administrators
+- Cert is only downloadable (and its password shown) once on creation.
+- Certs can't be uploaded into Keychain on MacOS due to incompatibilities with openssl versions: https://discussions.apple.com/thread/254518218
+- Use openssl to open the cert: `openssl x509 -in your_cert.p12 -text -noout`
+- Base64 encode the cert: `base64 -i your_cert.p12 -o encoded_cert.b64`
+- Save the base64 encoded cert as a GitHub Secret (KEYLOCKER_CLIENT_CERT)
+
+1. Add KEYLOCKER_CLIENT_CERT_PASSWORD
+
+- Add the password you stored from Step 1 as a GitHub Secret (KEYLOCKER_CLIENT_CERT_PASSWORD)
+
+3. Add KEYLOCKER_API_KEY
+
+- API key is generated under your signer user in https://one.digicert.com/account/access/administrators
+
+4. Add KEYLOCKER_CERT_SHA1_HASH
+
+- This is the "fingerprint" value of the actual code signing cert found in your cert "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
+- Simply copy the `Fingerprint/thumbprint` value shown under "Certificate details" and save it as a GitHub Secret (KEYLOCKER_CERT_SHA1_HASH)
+
+5. Add KEYLOCKER_KEYPAIR_ALIAS
+
+- This is the `Keypair alias` value found under the "Keypair details" section in your "order" in https://one.digicert.com/signingmanager/certificates-keylocker/
+- Copy that value (should start with `key_`) and save it as a GitHub Secret (KEYLOCKER_KEYPAIR_ALIAS)
+
+6. Hardcode keylocker-host value
+
+As of this writting, all Keylocker instances use the host value `https://clientauth.one.digicert.com`. Provide that value directly to `lando/code-sign-action` for the `keylocker-host` input.
+
+For further reference...
+
+
+- [DigiCert KeyLocker Setup Instructions](https://docs.digicert.com/en/digicert-keylocker/get-started.html)
+- [KeyLocker Secrets Setup](https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html#configure-github-secrets-488715)
+- [DigiCert SSM GitHub Action](https://github.com/digicert/ssm-code-signing): this is what we use underneath the hood.
+- [Another 3rd Party KeyLocker Action](https://github.com/cognitedata/code-sign-action): we
+- [GitHub Actions Docs]()
+- [GitHub Secrets Docs]()
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 4871cf9..edda2b6 100644
--- a/action.yml
+++ b/action.yml
@@ -9,7 +9,7 @@ inputs:
 description: "The file to sign"
 required: true
 certificate-data:
- description: "A base64 encoded string of your p12 or pfx cert contents"
+ description: "A `base64` encoded string of your `p12` or `pfx` cert contents. Note: if you use KeyLocker, this will be the base64 encoded client certificate (`SM_CLIENT_CERT_FILE`)"
 required: true
 certificate-password:
 description: "The password to unlock the certificate-data"
@@ -199,7 +199,6 @@ runs:
 sudo dpkg --install jsign_3.1_all.deb
 file_path="${{ inputs.file }}"
 for f in $(find $file_path -type f); do
- echo $f
 smctl sign -v --keypair-alias="${{ inputs.keylocker-keypair-alias }}" --config-file="/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64/pkcs11properties.cfg" --fingerprint "${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}" --input "$f"
 smctl sign verify --input $f.FullName
 done
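Review bot: The new `certificate-data` description names the KeyLocker equivalent (`SM_CLIENT_CERT_FILE`), but the `certificate-password` description on the following context line still reads only `"The password to unlock the certificate-data"`, so a KeyLocker user has to guess that it is the password shown once when the client certificate is generated (the value KEYLOCKER_SETUP.md in this same commit calls KEYLOCKER_CLIENT_CERT_PASSWORD). A matching sentence there, e.g. `Note: for KeyLocker this is the password of the client certificate.`, keeps the two inputs documented in the same style. The rest of the `inputs:` block lies outside the hunk.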
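Review bot: `smctl sign verify --input $f.FullName` on the line after the removed `echo $f` appends a literal `.FullName` to the bash variable — that is PowerShell property syntax — so the verify runs against a path that does not exist and its outcome says nothing about the file that was just signed; it should be `smctl sign verify --input "$f"`. On the preceding line, `${{ inputs.keylocker-keypair-alias }}` and `${{ env.SM_CODE_SIGNING_CERT_SHA1_HASH }}` are substituted into the script text by the runner before bash parses it, so quotes or metacharacters in those values become shell syntax; reading them as environment variables instead (`--fingerprint "$SM_CODE_SIGNING_CERT_SHA1_HASH"`, which should already be exported if it is set via `env`/`GITHUB_ENV` as the `env.` context implies, plus an `env:` entry on the step for the keypair alias such as `KEYLOCKER_KEYPAIR_ALIAS: ${{ inputs.keylocker-keypair-alias }}`) keeps the script static. The `for f in $(find $file_path -type f)` loop also word-splits on whitespace in `$file_path` and in the returned paths, which matters since the config path two words later shows this toolchain lives in directories with spaces; `find "$file_path" -type f -print0 | while IFS= read -r -d '' f; do` is the usual fix. The `run:` block and its step begin before the hunk.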