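---
# Signs the repository's PowerShell scripts with a DigiCert ONE (CertLocker)
# code-signing certificate through jsign, then commits the signed files back
# to main unless the `skip-publish` input is set.
name: Sign PowerShell Scripts

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      skip-publish:
        description: 'Skip publishing'
        required: false
        default: false
        type: boolean
  push:
    branches:
      - main
    paths:
      - '**.ps1'
      - '**.psm1'
      - '**.psd1'

jobs:
  sign_scripts:
    name: Sign PowerShell scripts
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: only the "Commit changes" step needs to
    # push; every other step works with read access.
    permissions:
      contents: write
    # Secrets are passed through the environment instead of being expanded with
    # ${{ }} inside shell scripts, so a value containing quotes or newlines can
    # neither break nor alter the shell code. They are visible to every step of
    # this job, as the previous GITHUB_ENV exports were.
    env:
      SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
      SM_API_KEY: ${{ secrets.SM_API_KEY }}
      SM_HOST: ${{ secrets.SM_HOST }}
      # NOTE(review): SM_HOST and SM_CODE_SIGNING_CERT_SHA1_HASH are not on the
      # jsign command line below; kept in case jsign reads them from the
      # environment -- confirm and drop if unused.
      SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
      SM_CERT_ALIAS: ${{ secrets.SM_CERT_ALIAS }}
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install jSign (Windows Signing Tool) -- Required for public runners
        run: |
          # NOTE(review): the .deb is fetched unauthenticated; pin and verify
          # its checksum (sha256sum -c) before `dpkg -i` so a tampered download
          # cannot end up as the signing tool.
          curl --retry 10 --retry-delay 60 -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
          sudo dpkg -i ./jsign_5.0_all.deb

      - name: Configure DigiCert Signing Variables
        shell: bash
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # CertLocker authentication certificate: decode into a private temp
          # file (mktemp creates it readable by this user only) and export the
          # path so the sign and cleanup steps can find it.
          CERT_PATH="$(mktemp -t cert.XXX)"
          printf '%s' "${SM_CLIENT_CERT_FILE_B64}" | base64 --decode > "${CERT_PATH}"
          echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"

      - name: Sign powershell scripts
        run: |
          # One jsign invocation per file; `bash -e` stops at the first failure,
          # exactly as the former one-command-per-line form did.
          for script in \
            install.ps1 \
            download.ps1 \
            powershell/Mondoo.Installer/Mondoo.Installer.psm1 \
            powershell/Mondoo.Installer/Mondoo.Installer.psd1; do
            jsign --storetype DIGICERTONE \
              --alias "${SM_CERT_ALIAS}" \
              --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" \
              --tsaurl "http://timestamp.digicert.com" \
              "${script}"
          done

      - name: Commit changes
        # `inputs` keeps the declared boolean type; `github.event.inputs` is
        # string-valued, so comparing it with the boolean `true` never matched
        # and the skip had no effect. On push events the input is absent, which
        # still evaluates to "publish".
        if: ${{ inputs.skip-publish != true }}
        run: |
          # ensure windows line-feed
          git config --global core.autocrlf true
          # commit changes
          git config --global user.email "[email protected]"
          git config --global user.name "Mondoo Tools"
          git add install.ps1 download.ps1 \
            powershell/Mondoo.Installer/Mondoo.Installer.psm1 \
            powershell/Mondoo.Installer/Mondoo.Installer.psd1
          git commit -m "Sign powershell scripts"
          git push

      - name: Cleanup
        # Runs even when signing fails so the decoded client certificate never
        # outlives the job. The previous `rm -f ${CERT_PATH}` referenced a
        # shell local of an earlier step, which is empty here, so the file was
        # never removed; the exported path is the right handle.
        if: ${{ always() }}
        run: |
          if [ -n "${SM_CLIENT_CERT_FILE}" ]; then
            rm -f "${SM_CLIENT_CERT_FILE}"
          fi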