Merge pull request #1021 from mackerelio/code-signing-with-azure

Use Azure Trusted Signing for Windows installer code signing
mackerelio · Jul 8, 2024 · 8739d8a · 8739d8a
2 parents a70b369 + abfd0e8
commit 8739d8a
Showing 1 changed file with 23 additions and 6 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -167,12 +167,29 @@ jobs:
           MSI_SUFFIX: ${{ matrix.MSI_SUFFIX }}
 
       - name: Signing Installer
-        run: |
-          mkdir $env:RUNNER_TEMP/sign/
-          [IO.File]::WriteAllBytes("$env:RUNNER_TEMP/sign/cert.p12", [Convert]::FromBase64String("${{ secrets.WINDOWS_CERT_PFX_BASE64 }}"))
-          $SIGNTOOL = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe";
-          & "$SIGNTOOL" sign /fd sha256 /t "http://timestamp.sectigo.com" /f "$env:RUNNER_TEMP/sign/cert.p12" /p "${{ secrets.WINDOWS_CERT_PFX_PASS }}" /v "build/mackerel-agent${{ matrix.MSI_SUFFIX }}.msi"
-          & "$SIGNTOOL" sign /fd sha256 /t "http://timestamp.sectigo.com" /f "$env:RUNNER_TEMP/sign/cert.p12" /p "${{ secrets.WINDOWS_CERT_PFX_PASS }}" /v "build/mackerel-agent-k${{ matrix.MSI_SUFFIX }}.msi"
+        uses: azure/[email protected]
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: ${{ secrets.AZURE_ENDPOINT }}
+          trusted-signing-account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+          files-folder: ${{ github.workspace }}/build
+          files-folder-filter: msi
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: false
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: true
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
 
       - name: Upload build artifacts
         uses: actions/upload-artifact@v4