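---
name: 'Sign windows binary'
description: 'Sign binary using EV certificate'

# Composite actions do not enforce `required: true`; every input below falls
# back to its default, so the first step validates the ones that cannot be empty.
inputs:
  current-working-directory:
    description: 'The working directory, where the binary is located in'
    required: true
    default: './'
  binary-file:
    description: 'Binary file to sign'
    required: true
    default: ''
  gcp-credentials:
    description: 'GCP credentials'
    required: true
    default: ''
  ev-cert-pem:
    description: 'EV certificate PEM'
    required: true
    default: ''

runs:
  using: "composite"
  steps:
    # Inputs are handed to every `run:` step through `env:` and read as "$VAR".
    # A `${{ }}` expansion is substituted into the script text before bash sees
    # it, so an input containing quotes or `$(...)` would either break the step
    # or be executed as code; reading an environment variable cannot.
    - name: "Validate inputs"
      shell: bash
      env:
        WORKDIR: "${{ inputs.current-working-directory }}"
        BINARY_FILE: "${{ inputs.binary-file }}"
        EV_CERT_PEM: "${{ inputs.ev-cert-pem }}"
      run: |
        if [ -z "$BINARY_FILE" ] || [ -z "$EV_CERT_PEM" ]; then
          echo "::error::inputs 'binary-file' and 'ev-cert-pem' must not be empty"
          exit 1
        fi
        cd "$WORKDIR"
        # Fail before any tooling is downloaded if there is nothing to sign.
        if [ ! -f "$BINARY_FILE" ]; then
          echo "::error::binary '$BINARY_FILE' not found in '$WORKDIR'"
          exit 1
        fi

    - name: "Import signing certificate"
      shell: bash
      env:
        WORKDIR: "${{ inputs.current-working-directory }}"
        EV_CERT_PEM: "${{ inputs.ev-cert-pem }}"
      run: |
        cd "$WORKDIR"
        # printf instead of echo: echo may treat a leading '-' as an option,
        # and the certificate chain must be written verbatim.
        printf '%s\n' "$EV_CERT_PEM" > certificate_chain.pem

    # NOTE(review): the third-party actions below are pinned to floating major
    # tags. For supply-chain integrity pin each to a full commit SHA
    # (`uses: owner/repo@<commit-sha>`) and keep the tag in a trailing comment.
    - name: "Download Java v17"
      uses: oracle-actions/setup-java@v1
      with:
        website: oracle.com
        release: 17

    - name: "Setup python"
      uses: actions/setup-python@v4
      with:
        python-version: "3.9"

    # The service-account JSON is consumed only by this step; it is never
    # written to disk by this action.
    - name: "Authenticate to the Google Cloud"
      uses: "google-github-actions/auth@v1"
      with:
        credentials_json: "${{ inputs.gcp-credentials }}"

    - name: "Set up Cloud SDK"
      uses: "google-github-actions/setup-gcloud@v1"
      env:
        CLOUDSDK_PYTHON: "python3"

    - name: "Check the Google Cloud CLI"
      shell: bash
      run: "gcloud info"

    - name: "Download signing tool and verify sha256 checksum"
      shell: bash
      env:
        WORKDIR: "${{ inputs.current-working-directory }}"
      run: |
        cd "$WORKDIR"
        # --fail: an HTTP error body must not be saved as jsign.jar. The
        # checksum below would still reject it, but the failure is clearer here.
        curl --fail --location --silent --show-error \
          -o jsign.jar "https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar"
        # Pinned digest of the released jar; any mismatch aborts the step, so a
        # tampered or replaced release artifact is never executed.
        echo '290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar' | sha256sum -c

    # We sign binaries with the EV Certificate. You MUST NOT have a key in a file to sign binary.
    # The only options to store keys are:
    # - HSM architecture(e.g., AWS or Google)
    # - Physical USB stick with hardware stored key
    # We are using the first option to be able to sign the binaries within the CI servers without
    # physical access to them. However, this signing method requires the signing tool supporting the HSM key.
    #
    # The high-level signing procedure looks like below:
    # 1. Calculate the SHA256 Hash for the app
    # 2. Send a request to sign the hash to the Google Cloud
    # 3. Google signs our signature with a physically stored key on Google's HSM server and returns the signature over the network
    # 4. Add our certificate and the signature received from the Google HSM to the EXE file
    # 5. Our signature hash is again signed with the timestamp authority's private key, and the final hash is added to our binary.
    # 6. Final executable with all necessary signing information included is produced
    - name: "Sign binary"
      shell: bash
      env:
        WORKDIR: "${{ inputs.current-working-directory }}"
        BINARY_FILE: "${{ inputs.binary-file }}"
      run: |
        cd "$WORKDIR"
        # The short-lived Google access token is the store password. Do not add
        # `set -x` to this step: it would echo the token into the job log.
        # The TSA is reached over plain HTTP; the RFC 3161 token itself is
        # signed by the TSA. NOTE(review): prefer an HTTPS endpoint if the
        # provider offers one — confirm with the TSA documentation.
        java -jar jsign.jar \
          --storetype GOOGLECLOUD \
          --storepass "$(gcloud auth print-access-token)" \
          --keystore "projects/vegaprotocol/locations/europe-west2/keyRings/windows-sign-apps" \
          --alias "digicert-ev-signing-key-ecc-256" \
          --certfile "./certificate_chain.pem" \
          --tsmode RFC3161 \
          --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
          "$BINARY_FILE"

    # Runs even when signing fails so the certificate chain and the downloaded
    # tool do not linger in the workspace of a self-hosted runner.
    - name: "Clean up"
      if: always()
      shell: bash
      env:
        WORKDIR: "${{ inputs.current-working-directory }}"
      run: |
        cd "$WORKDIR"
        rm -f certificate_chain.pem
        rm -f jsign.jar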