chore: test signing
neilcampbell committed Jul 15, 2024
1 parent 8e83c76 commit 7fd9def
Showing 2 changed files with 64 additions and 34 deletions.
92 changes: 61 additions & 31 deletions .github/actions/build-binaries/windows/action.yaml
Expand Up @@ -42,28 +42,43 @@ runs:
run: |
echo winget > ${{ env.BINARY_BUILD_DIR }}\_internal\algokit\resources\distribution-method
- name: Sign executable
uses: azure/trusted-signing-action@v0.3.20
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: https://weu.codesigning.azure.net/
trusted-signing-account-name: "Algorand Foundation"
certificate-profile-name: algokit
files-folder: ${{ env.BINARY_BUILD_DIR }}
files-folder-filter: exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256

# We only sign the release artifacts, as each signing request will use up the HSM quota
- name: Download signing certificate
if: ${{ inputs.production_release == 'true' }}
run: |
signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
shell: bash
# - name: Download signing certificate
# if: ${{ inputs.production_release == 'true' }}
# run: |
# signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
# echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
# echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
# shell: bash

- name: Import signing certificate
if: ${{ inputs.production_release == 'true' }}
shell: pwsh
run: |
Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null
# - name: Import signing certificate
# if: ${{ inputs.production_release == 'true' }}
# shell: pwsh
# run: |
# Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null

- name: Sign executable
if: ${{ inputs.production_release == 'true' }}
shell: pwsh
run: |
$executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
# signtool verify /v /pa $executablePath
# - name: Sign executable
# if: ${{ inputs.production_release == 'true' }}
# shell: pwsh
# run: |
# $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
# signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
# # signtool verify /v /pa $executablePath

- name: Build winget installer
shell: pwsh
Expand All @@ -74,19 +89,34 @@ runs:
-outputFile '${{ env.WINGET_INSTALLER }}'
- name: Sign winget installer
if: ${{ inputs.production_release == 'true' }}
shell: pwsh
run: |
signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
# signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
uses: azure/trusted-signing-action@v0.3.20
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: https://weu.codesigning.azure.net/
trusted-signing-account-name: "Algorand Foundation"
certificate-profile-name: algokit
files-folder: ${{ env.WINGET_INSTALLER }}
files-folder-filter: msix
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256

- name: Remove signing certificate
if: ${{ inputs.production_release == 'true' }}
shell: pwsh
run: |
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
Remove-Item -Path $cert.PSPath
Remove-Item -Path ${{ env.SIGNING_CERT }}
# - name: Sign winget installer
# if: ${{ inputs.production_release == 'true' }}
# shell: pwsh
# run: |
# signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
# # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}

# - name: Remove signing certificate
# if: ${{ inputs.production_release == 'true' }}
# shell: pwsh
# run: |
# $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
# Remove-Item -Path $cert.PSPath
# Remove-Item -Path ${{ env.SIGNING_CERT }}

- name: Upload winget artifact
uses: actions/upload-artifact@v4
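Review bot: The new `Sign executable` step that calls `azure/trusted-signing-action@v0.3.20` carries no `if:` condition, so every run of this action signs `algokit.exe` under the `algokit` certificate profile, even though the comment just below it says only release artifacts are signed and the `Sign winget installer` step appears to keep its guard; add `if: ${{ inputs.production_release == 'true' }}` to it. Both signing steps read `secrets.AZURE_*`, while the `runs:` header and the `inputs.*` references suggest this is a composite action, where the `secrets` context is not available; the credentials should instead arrive as action inputs passed by the calling workflow. In the installer step `files-folder` is set to `env.WINGET_INSTALLER`, which the build step passes as `-outputFile`, so it looks like a file path rather than a folder and should be confirmed against what the action expects. Because this action receives the signing credentials, pin it to a full commit SHA (`uses: azure/trusted-signing-action@<full-commit-sha> # v0.3.20`) rather than the mutable tag. The commented-out signtool steps can be deleted once the switch is settled, and neither new step verifies the resulting signature.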
6 changes: 3 additions & 3 deletions .github/workflows/pr.yaml
@@ -1,9 +1,9 @@
name: Codebase validation

on:
pull_request:
schedule:
- cron: "0 8 * * 1" # Each monday 8 AM UTC
push:
branches:
- sign-test

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
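Review bot: Pull requests and the weekly schedule would no longer run Codebase validation if this `on:` block is merged as shown, since the only trigger left appears to be `push` to `sign-test` (the page has lost its +/- markers, so this is read from the 3 additions / 3 deletions count). If the push trigger is needed for the signing test, keep `pull_request:` and the `schedule:` cron and add `push:` with `branches: [sign-test]` alongside them, or keep this change on the test branch only. Note that together with an unguarded signing step in the Windows build action, each push to `sign-test` would consume a signing request. For push events `github.event.pull_request.number` is empty, so the concurrency group falls back to `github.ref`, which still works.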

1 comment on commit 7fd9def

@github-actions

Coverage

Coverage Report
File | Stmts | Miss | Cover | Missing
src/algokit
   __init__.py15753%6–13, 17–24, 32–34
   __main__.py440%1–7
src/algokit/cli
   __init__.py47394%31–34
   codespace.py50982%28, 114, 137, 150–155
   completions.py108992%63–64, 83, 93–99
   dispenser.py121199%77
   doctor.py53394%146–148
   explore.py561573%34–39, 41–46, 80–81, 90
   generate.py70396%76–77, 155
   goal.py47198%79
   init.py3112492%497–498, 503–504, 507, 528, 531–533, 544, 548, 606, 632, 661, 694, 703–705, 708–713, 726, 745, 757–758
   localnet.py1523279%65, 86–113, 133–137, 170, 182, 197–207, 220, 271, 292–293
   task.py34391%25–28
src/algokit/cli/project
   bootstrap.py32197%33
   deploy.py992080%47, 49, 101, 124, 146–148, 227, 234, 248–256, 259–268
   link.py891682%60, 65–66, 101–105, 115–120, 148–149, 218–219, 223
   list.py33585%21–23, 51–56
   run.py46393%38, 71, 160
src/algokit/cli/tasks
   analyze.py81199%81
   assets.py821384%65–66, 72, 74–75, 105, 119, 125–126, 132, 134, 136–137
   ipfs.py51884%52, 80, 92, 94–95, 105–107
   mint.py66494%48, 70, 91, 250
   send_transaction.py651085%52–53, 57, 89, 158, 170–174
   sign_transaction.py59886%21, 28–30, 71–72, 109, 123
   transfer.py39392%26, 90, 117
   utils.py994555%26–34, 40–43, 75–76, 100–101, 125–133, 152–162, 209, 258–259, 279–290, 297–299
   vanity_address.py561082%41, 45–48, 112, 114, 121–123
   wallet.py79495%21, 66, 136, 162
src/algokit/core
   codespace.py1756861%34–37, 41–44, 48–71, 111–112, 125–133, 191, 200–202, 210, 216–217, 229–236, 251–298, 311–313, 338–344, 348, 395
   conf.py57984%12, 24, 28, 36, 38, 73–75, 80
   dispenser.py2022687%91, 123–124, 141–149, 191–192, 198–200, 218–219, 259–260, 318, 332–334, 345–346, 356, 369, 384
   doctor.py65789%67–69, 92–94, 134
   generate.py50394%44, 85, 103
   goal.py65494%21, 36–37, 47
   init.py671085%53, 57–62, 70, 81, 88, 108–109
   log_handlers.py68790%50–51, 63, 112–116, 125
   proc.py45198%99
   sandbox.py2632391%32, 89–92, 97, 101–103, 153, 201–208, 219, 590, 606, 631, 639
   typed_client_generation.py1702088%62–64, 103–108, 132, 135–138, 156, 159–162, 229, 232–235
   utils.py1484073%50–51, 57–69, 125–131, 155, 158, 164–177, 198–200, 229–232, 254
src/algokit/core/compilers
   python.py28582%19–20, 25, 49–50
src/algokit/core/config_commands
   container_engine.py412149%24, 29–31, 47–76
   version_prompt.py921485%37–38, 68, 87–90, 108, 118–125, 148
src/algokit/core/project
   __init__.py53394%50, 86, 145
   bootstrap.py120893%47, 126–127, 149, 176, 207–209
   deploy.py69987%108–111, 120–122, 126, 131
   run.py1251588%83, 88, 97–98, 133–134, 138–139, 143, 147, 261–269, 284
src/algokit/core/tasks
   analyze.py93397%105–112, 187
   ipfs.py63789%58–64, 140, 144, 146, 152
   nfd.py491373%25, 31, 34–41, 70–72, 99–101
   vanity_address.py903462%49–50, 54, 59–75, 92–108, 128–131
   wallet.py71593%37, 129, 155–157
src/algokit/core/tasks/mint
   mint.py781087%123–133, 187
   models.py901188%50, 52, 57, 71–74, 85–88
TOTAL465264186% 

Tests Skipped Failures Errors Time
488 0 💤 0 ❌ 0 🔥 24.743s ⏱️
