chore: added code-signing-workflow #718

Merged (4 commits, Feb 9, 2024)

Changes from all commits
96 changes: 65 additions & 31 deletions .github/workflows/test-and-deploy.yml
@@ -51,41 +51,17 @@ jobs:
# dotnet tool install --global dotnet-sonarscanner
# make cover

import-certificate:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- run: make install
- name: import-certificate
run: |
New-Item -ItemType directory -Path certificate
Set-Content -Path certificate\certificate.txt -Value '${{ secrets.CODE_SIGNING_CERTIFICATE }}'
certutil -decode certificate\certificate.txt certificate\certificate.pfx

- name: Upload Artifact
uses: actions/upload-artifact@v3
with:
name: certificate.pfx
path: certificate\certificate.pfx
retention-days: 1


deploy:
name: Deploy
if: success() && github.ref_type == 'tag'
needs: [ test, import-certificate ]
needs: [ test ]
runs-on: ubuntu-latest
steps:
- name: Checkout twilio-csharp
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Download code signing certificate
uses: actions/download-artifact@v3
with:
name: certificate.pfx

- name: Setup .NET Core SDK
uses: actions/setup-dotnet@v3
with:
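Review bot: Removing the import-certificate job is a real improvement rather than a cleanup: it wrote the decoded PFX to `certificate\certificate.pfx` and published it with `actions/upload-artifact@v3`, and workflow artifacts can be downloaded by anyone with read access to the repository for as long as they are retained, so `retention-days: 1` only narrowed the window in which the private signing key was exposed to every reader of the Actions runs. Two follow-ups would make this hunk complete: the `CODE_SIGNING_CERTIFICATE` secret that fed this job (and `CERTIFICATE_PASSWORD`, still referenced in the next hunk) should be rotated and removed once nothing uses them, and any remaining `--certificate-path certificate.pfx` reference in the deploy job needs to go in the same change, since with the download-artifact step gone it will only fail at tag time.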
@@ -111,16 +87,74 @@ jobs:
- name: Build and Push image
run: make docker-build docker-push

- name: Publish package to NuGet
run: |
make release
dotnet nuget sign **/*.nupkg --certificate-path certificate.pfx --certificate-password ${{ secrets.CERTIFICATE_PASSWORD }} --timestamper http://timestamp.digicert.com
dotnet nuget push **/*.nupkg -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json

- name: Submit metric to Datadog
uses: sendgrid/dx-automator/actions/datadog-release-metric@main
env:
DD_API_KEY: ${{ secrets.DATADOG_API_KEY }}

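Review bot: The `Publish package to NuGet` step in deploy is unchanged context, so it still runs `dotnet nuget sign **/*.nupkg --certificate-path certificate.pfx --certificate-password ${{ secrets.CERTIFICATE_PASSWORD }}` and then `dotnet nuget push`, but the step that downloaded certificate.pfx was removed in the hunk above. On the next tag this step fails at sign, deploy fails, and the new code-signing job (`needs: [ deploy ]`) never runs at all. If only the sign line were dropped, deploy would push an unsigned package first and the later push of the signed package with the same version would be rejected as a duplicate. Suggest deleting the whole step (keeping `make release` wherever it is still needed) so that pack, sign and push happen only once, in code-signing.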
code-signing:
Contributor: What I understand is: we don't need a separate step to import the certificate now; where are we storing the certificate then?

runs-on: windows-latest
needs: [ deploy ]
steps:
- name: Checkout sendgrid-csharp
uses: actions/checkout@v2

- name: Setup .NET Core SDK
uses: actions/setup-dotnet@v3
with:
dotnet-version: '3.1.x'

- name: Set up certificate
run: |
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
shell: bash

- name: Set variables
id: variables
run: |
dir
echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
echo "::set-output name=KEYPAIR_NAME::gt-standard-keypair"
echo "::set-output name=CERTIFICATE_NAME::gt-certificate"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
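Review bot: `::set-output` (used here for `version`, `KEYPAIR_NAME` and `CERTIFICATE_NAME`) is deprecated by GitHub in favour of appending `name=value` lines to `$GITHUB_OUTPUT`, the same pattern this step already uses for `$GITHUB_ENV`; none of the three outputs is read anywhere in the diff, so they can probably be removed together with the stray `dir`. The checkout step is named `Checkout sendgrid-csharp` and uses `actions/checkout@v2` while the deploy job above says `Checkout twilio-csharp` on `@v3`, which reads like a copy-paste from another repository's workflow. Writing `${{ secrets.* }}` into `$GITHUB_ENV` is fine for log masking (the runner masks registered secret values), but note that the `Set up certificate` step writes the client certificate to `/d/Certificate_pkcs12.p12` under bash while `SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12` names the same file in Windows form; this works only because the Git-for-Windows bash maps `/d` to `D:`, so a comment tying the two spellings together would save the next editor a broken release.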
Contributor: Will this print "****" in the logs? If yes, why do we need to print it? If no, let's not print it at all. :)

Contributor Author (@tiwarishubham635, Feb 7, 2024): These lines will just set env variables and won't print anything; you can check the run here

echo "BUILD_TOOLS_VERSION=31.0.0" >> "$GITHUB_ENV"
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
shell: bash

- name: Code signing with Software Trust Manager
id: SSMClientToolSetup
uses: digicert/ssm-code-signing@v0.0.2
env:
SM_API_KEY: ${{ env.SM_API_KEY }}
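Review bot: `digicert/ssm-code-signing@v0.0.2` is a third-party action that receives `SM_API_KEY` here and, from the `env` block continued below, the client certificate path and password, so it sits directly on the signing trust path; `v0.0.2` is a movable tag, so pin the action to its full commit SHA (with the tag in a trailing comment) and let Dependabot propose bumps. The same applies to the pre-existing `sendgrid/dx-automator/actions/datadog-release-metric@main` in the deploy job, which floats on a branch and receives `DATADOG_API_KEY`.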
Contributor: Rather than setting the API_Key in an env var, can we use it from GitHub secrets? I see from line 127 that it's originally retrieved from secrets.
Also, please make sure that you add details and values of these secrets in the 1pass vault.

Contributor Author (@tiwarishubham635, Feb 7, 2024): Actually, I tried using SM_API_KEY from secrets, but here it reads env variables only, so for that we need to set the env variable. See "x-api-key:%SM_API_KEY%"

SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}

- run: echo “The config file path ${{ steps.SSMClientToolSetup.outputs.PKCS11_CONFIG }}”

- name: Setup Keylocker KSP on windows
run: |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
msiexec /i Keylockertools-windows-x64.msi /quiet /qn
smksp_registrar.exe list
smctl.exe keypair ls
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
shell: cmd

- name: Certificates Sync
run: |
smctl windows certsync
shell: cmd

- name: Signing using Nuget
run: |
dotnet pack -c Release
nuget sign **/*.nupkg -Timestamper http://timestamp.digicert.com -outputdirectory .\NugetSigned -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
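Review bot: The `Setup Keylocker KSP on windows` step fetches `Keylockertools-windows-x64.msi` from an unversioned URL with curl and installs it with `msiexec /i ... /quiet /qn` without any integrity check, so the installer that ends up running with the signing credentials can change underneath the workflow. At minimum add `--fail` to the curl call (otherwise an HTTP error body is saved as the .msi) and compare a known SHA-256 before msiexec, e.g. `certutil -hashfile Keylockertools-windows-x64.msi SHA256`. The `smksp_registrar.exe list`, `smctl.exe keypair ls` and `certutil -csp "DigiCert Signing Manager KSP" -key -user` listings, and the `- run: echo “The config file path ...”` step above them, look like debugging output; the echo additionally uses typographic quotes, which the shell will print literally. Lastly, `-CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}` stores a certificate fingerprint as a secret: the fingerprint is public (it is derivable from the certificate embedded in every signed package), so keeping it in a plain workflow variable would make logs readable without weakening anything.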
Contributor: I am confused by the deploy step above (line#90): it has the same pack+sign+push step with secrets.CERTIFICATE_PASSWORD. How does that work in sync with this?

Contributor Author: Oh right, that step needs to be removed now. I will do it right away

nuget push **/*.nupkg -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json

notify-on-failure:
name: Slack notify on failure
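Review bot: `nuget push **/*.nupkg` in the `Signing using Nuget` step globs every .nupkg under the workspace, but the signed packages were written to `.\NugetSigned` via `-outputdirectory`, so the glob also matches the unsigned output of `dotnet pack -c Release` in the bin folders. Whichever file is enumerated first is pushed, and the second push of the same id/version is rejected by nuget.org as a duplicate, so depending on enumeration order the unsigned package can be the one that ships. Push only from the signed directory (`nuget push .\NugetSigned\*.nupkg -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json`) and consider a `nuget verify -Signatures .\NugetSigned\*.nupkg` step before the push as a cheap guard that signing actually happened.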