Unify Windows sign process on signtool

- converts the process from using script/sign.bat to script/sign.ps1 for supportability and capability - resolves signtool on runner in order to run rather than hardcoded path
2023-12-13 10:19:36 -05:00 · 2023-12-13 10:19:36 -05:00 · e01809c075
commit e01809c075
parent a2ec7ab43f
2 changed files with 15 additions and 16 deletions
--- a/.github/workflows/deployment-hsm-testing.yml
+++ b/.github/workflows/deployment-hsm-testing.yml
@ -1,4 +1,4 @@
-name: Deployment
+name: Deployment HSM Testing
 run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}

 concurrency:
@ -42,10 +42,11 @@ jobs:
          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
        run: |
+          # Download Azure Code Signing client containing the DLL needed for signtool in script/sign
          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
          Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose

-          # Generate metadata file for signtool
+          # Generate metadata file for signtool, used in signing box .exe and .msi
          @{
            CertificateProfileName = "GitHubInc"
            CodeSigningAccountName = "GitHubInc"
@ -100,19 +101,17 @@ jobs:
            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
          done
      - name: Sign .msi release binaries
-        uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
-        with:
-            azure-tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
-            azure-client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
-            azure-client-secret: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
-            endpoint: https://wus.codesigning.azure.net/
-            code-signing-account-name: GitHubInc
-            certificate-profile-name: GitHubInc
-            files-folder: ${{ github.workspace }}/dist
-            files-folder-filter: msi
-            file-digest: SHA256
-            timestamp-rfc3161: http://timestamp.acs.microsoft.com
-            timestamp-digest: SHA256
+        shell: pwsh
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
+          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
+          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
+          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+        run: |
+          Get-ChildItem "$Env:GITHUB_WORKSPACE/dist" -Filter *.msi | Foreach-Object {
+            .\script\sign.ps1 $_.FullName
+          }
      - uses: actions/upload-artifact@v3
        with:
          name: windows
--- a/.goreleaser-hsm.yml
+++ b/.goreleaser-hsm.yml
@ -41,7 +41,7 @@ builds:
    hooks:
      post:
        - cmd: >-
-            {{ if eq .Runtime.Goos "windows" }}.\script\sign-hsm{{ else }}./script/sign{{ end }} '{{ .Path }}'
+            {{ if eq .Runtime.Goos "windows" }}.\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
          output: true
    binary: bin/gh
    main: ./cmd/gh