
Commit 54c20cd

Merge pull request #8364 from diffblue/update-expired-signing-key-for-msi-installer
Replace expired key for signing the MSI Installer
2 parents 582aa69 + 7460da8 commit 54c20cd


1 file changed

+11
-11
lines changed


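--- a/.github/workflows/release-packages.yaml
+++ b/.github/workflows/release-packages.yaml
@@ -200,8 +200,8 @@ jobs:
 echo "c:\tools\clcache\clcache-4.1.0" >> $env:GITHUB_PATH
 - name: Setup code sign environment
 run: |
+dotnet tool install --global AzureSignTool --version 5.0.0
 echo "$(Split-Path -Path $(Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits\10\App Certification Kit\signtool.exe"))" >> $env:GITHUB_PATH
-echo "pfxcert=$([string](Get-Location)+'\CodeSignCertificate.pfx')" >> $env:GITHUB_ENV
 - name: Prepare ccache
 uses: actions/cache@v4
 with:
@@ -232,28 +232,28 @@ jobs:
 $msi_name = Get-ChildItem -Filter *.msi -Name
 echo "msi_installer=build/$msi_name" >> $env:GITHUB_OUTPUT
 echo "msi_name=$msi_name" >> $env:GITHUB_OUTPUT
-- name: Decode signing certificate
-id: decode_certificate
-run: |
-$pfx_bytes=[System.Convert]::FromBase64String("${{ secrets.CODESIGNCERTPFX }}")
-[IO.File]::WriteAllBytes($env:pfxcert, $pfx_bytes)
 - name: Sign the installer
 id: code_sign
 run: |
 $servers = @('http://ts.ssl.com', 'http://timestamp.digicert.com', 'http://timestamp.sectigo.com')
 foreach($ts_server in $servers)
 {
-& signtool.exe sign /f $env:pfxcert /p "${{ secrets.CODESIGNCERTPASSWORD }}" /tr $ts_server /td SHA256 /fd SHA256 ${{ steps.create_packages.outputs.msi_installer }}
+& AzureSignTool sign `
+--azure-key-vault-url "${{ secrets.AZURE_KEYVAULT_URL }}" `
+--azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" `
+--azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" `
+--azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" `
+--azure-key-vault-certificate "${{ secrets.AZURE_CERTIFICATE_NAME }}" `
+--timestamp-rfc3161 $ts_server `
+--timestamp-digest sha256 `
+--file-digest sha256 `
+--verbose ${{ steps.create_packages.outputs.msi_installer }}
 if ($LastExitCode -eq "0")
 {
 # Stop if code-signing the binary using this server was successful.
 break
 }
 }
-- name: Remove signing certificate
-id: remove_certificate
-run: |
-Remove-Item $env:pfxcert
 - name: Verify installer signature
 id: verify_codesign
 run: |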
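Review bot: In the new `Sign the installer` step the client secret is templated straight into the PowerShell source via `${{ secrets.AZURE_CLIENT_SECRET }}`, so a value containing a double quote, `$` or a backtick would be parsed as script text rather than data; the other four `secrets.*` arguments are written the same way. Mapping them through the step's `env:` block keeps the values out of the script body, e.g. `env:` with `AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}` and then `--azure-key-vault-client-secret "$env:AZURE_CLIENT_SECRET"`. The secret still reaches AzureSignTool as a process argument with `--verbose` enabled, so it is worth confirming that the verbose output never echoes it. A short-lived credential (for example workflow OIDC federation, if the Key Vault setup allows it) would also avoid storing a long-lived client secret in the repository settings. The `Verify installer signature` step that follows continues outside this hunk, so whether it fails the job when every timestamp server was unreachable cannot be checked from here.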
