From 91c17c7697ff4bebc2137b3c50db077f99f6ea6a Mon Sep 17 00:00:00 2001 From: Shubham Tiwari Date: Wed, 7 Feb 2024 17:55:53 +0530 Subject: [PATCH 1/3] chore: added code-signing-workflow --- .github/workflows/test-and-deploy.yml | 96 ++++++++++++++++++--------- 1 file changed, 66 insertions(+), 30 deletions(-) diff --git a/.github/workflows/test-and-deploy.yml b/.github/workflows/test-and-deploy.yml index b9a9ea0d8..c461bcc2e 100644 --- a/.github/workflows/test-and-deploy.yml +++ b/.github/workflows/test-and-deploy.yml @@ -40,38 +40,15 @@ jobs: run: make test-docker release - run: bash <(curl -s https://codecov.io/bash) - import-certificate: - runs-on: windows-latest - steps: - - uses: actions/checkout@v2 - - run: make install - - name: import-certificate - run: | - New-Item -ItemType directory -Path certificate - Set-Content -Path certificate\certificate.txt -Value '${{ secrets.CODE_SIGNING_CERTIFICATE }}' - certutil -decode certificate\certificate.txt certificate\certificate.pfx - - - name: Upload Artifact - uses: actions/upload-artifact@v3 - with: - name: certificate.pfx - path: certificate\certificate.pfx - retention-days: 1 - deploy: name: Deploy if: success() && github.ref_type == 'tag' - needs: [ test, import-certificate ] + needs: [ test, code-signing ] runs-on: ubuntu-latest steps: - name: Checkout sendgrid-csharp uses: actions/checkout@v2 - - name: Download code signing certificate - uses: actions/download-artifact@v3 - with: - name: certificate.pfx - - name: Setup .NET Core SDK uses: actions/setup-dotnet@v3 with: @@ -84,16 +61,75 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Publish package to NuGet - run: | - make release - dotnet nuget sign **/*.nupkg --certificate-path certificate.pfx --certificate-password ${{ secrets.CERTIFICATE_PASSWORD }} --timestamper http://timestamp.digicert.com - dotnet nuget push **/*.nupkg -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate - - name: Submit metric to Datadog uses: sendgrid/dx-automator/actions/datadog-release-metric@main env: DD_API_KEY: ${{ secrets.DATADOG_API_KEY }} + + code-signing: + runs-on: windows-latest + needs: [ deploy ] + steps: + - name: Checkout sendgrid-csharp + uses: actions/checkout@v2 + + - name: Setup .NET Core SDK + uses: actions/setup-dotnet@v3 + with: + dotnet-version: '3.1.x' + + - name: Set up certificate + run: | + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + cat /d/Certificate_pkcs12.p12 + shell: bash + + - name: Set variables + id: variables + run: | + dir + echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" + echo "::set-output name=KEYPAIR_NAME::gt-standard-keypair" + echo "::set-output name=CERTIFICATE_NAME::gt-certificate" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "BUILD_TOOLS_VERSION=31.0.0" >> "$GITHUB_ENV" + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH + shell: bash + + - name: Code signing with Software Trust Manager + id: SSMClientToolSetup + uses: digicert/ssm-code-signing@v0.0.2 + env: + SM_API_KEY: ${{ env.SM_API_KEY }} + SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }} + SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} + + - run: echo “The config file path ${{ steps.SSMClientToolSetup.outputs.PKCS11_CONFIG }}” + + - name: Setup Keylocker KSP on windows + run: | + curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi + msiexec /i Keylockertools-windows-x64.msi /quiet /qn + smksp_registrar.exe list + smctl.exe keypair ls + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + shell: cmd + + - name: Certificates Sync + run: | + smctl windows certsync + shell: cmd + + - name: Signing using Nuget + run: | + dotnet pack -c Release + nuget sign **/*.nupkg -Timestamper http://timestamp.digicert.com -outputdirectory .\NugetSigned -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite + nuget push **/*.nupkg -k ${{ secrets.NUGET_API_KEY }} -s https://api.nuget.org/v3/index.json --skip-duplicate notify-on-failure: name: Slack notify on failure From f6123115d9cbf5d18d581d2d0b31e84f20e1820d Mon Sep 17 00:00:00 2001 From: Shubham Tiwari Date: Wed, 7 Feb 2024 17:57:16 +0530 Subject: [PATCH 2/3] chore: removed cyclic job dependency --- .github/workflows/test-and-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-and-deploy.yml b/.github/workflows/test-and-deploy.yml index c461bcc2e..455d89eeb 100644 --- a/.github/workflows/test-and-deploy.yml +++ b/.github/workflows/test-and-deploy.yml @@ -43,7 +43,7 @@ jobs: deploy: name: Deploy if: success() && github.ref_type == 'tag' - needs: [ test, code-signing ] + needs: [ test ] runs-on: ubuntu-latest steps: - name: Checkout sendgrid-csharp From 1637fdfe1a36aad0d884c739634ca9a7f6477eef Mon Sep 17 00:00:00 2001 From: Shubham Tiwari Date: Wed, 7 Feb 2024 22:47:13 +0530 Subject: [PATCH 3/3] chore: removed cat statement --- .github/workflows/test-and-deploy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test-and-deploy.yml b/.github/workflows/test-and-deploy.yml index 455d89eeb..b30af17b7 100644 --- a/.github/workflows/test-and-deploy.yml +++ b/.github/workflows/test-and-deploy.yml @@ -81,7 +81,6 @@ jobs: - name: Set up certificate run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 - cat /d/Certificate_pkcs12.p12 shell: bash - name: Set variables