ci: update certificate for signing MSI (#6000)
update certificate for signing MS
ypoplavs authored Oct 30, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent efd7175 commit 7510bab
Showing 2 changed files with 34 additions and 30 deletions.
32 changes: 17 additions & 15 deletions .github/workflows/release-dev.yaml
@@ -255,14 +255,6 @@ jobs:
name: testkube_windows
path: windows

- name: Get MSFT Cert
id: write_file
uses: timheuer/base64-to-file@v1.2
with:
fileName: "kubeshop_msft.p12"
fileDir: "./temp/"
encodedString: ${{ secrets.CERT_MSFT_KUBESHOP_P12_B64 }}

- name: Create and Sign MSI
run: |
Copy-Item 'windows\testkube_windows_386\kubectl-testkube.exe' '.\kubectl-testkube.exe'
@@ -271,10 +263,17 @@ jobs:
Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat'
& "$env:WIX\bin\candle.exe" *.wxs
& "$env:WIX\bin\light.exe" *.wixobj
& "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" sign /f "$env:P12_CERT" /p "$env:P12_PASSWORD" /d "Kubetest by Kubeshop" /tr http://timestamp.digicert.com testkube.msi
env:
P12_CERT: ${{ steps.write_file.outputs.filePath }}
P12_PASSWORD: ${{ secrets.CERT_MSFT_KUBESHOP_P12_PASSWORD }}
- name: Sign Artifact with CodeSignTool
uses: sslcom/esigner-codesign@develop
with:
command: sign
username: ${{ secrets.ES_USERNAME }}
password: ${{ secrets.ES_PASSWORD }}
totp_secret: ${{ secrets.ES_TOTP_SECRET }}
file_path: testkube.msi
output_path: ${GITHUB_WORKSPACE}\artifacts
malware_block: false

- name: Get tag
id: tag
@@ -293,26 +292,29 @@ jobs:
id: checksum
run: |
$installer_name = $env:MSI_NAME
$hash=Get-FileHash testkube.msi
$installer_path = $env:MSI_PATH
$hash=Get-FileHash $installer_path
$hash.Hash + " " + $installer_name + ".msi" >> msi_checksum.txt
echo "::set-output name=INSTALLER_NAME::${installer_name}"
echo "::set-output name=INSTALLER_PATH::${installer_path}"
#export MSI hash to environment
$hashsum = $hash.Hash
echo "::set-output name=CHECKSUM::${hashsum}"
#copy MSI to choco directory to build a nuget package
Copy-Item -Path "testkube.msi" -Destination ".\choco\tools\$env:MSI_NAME.msi"
Copy-Item -Path "$installer_path" -Destination ".\choco\tools\$env:MSI_NAME.msi"
env:
MSI_NAME: testkube_${{steps.tag.outputs.tag}}_Windows_i386
MSI_PATH: D:\a\testkube\testkube\artifacts\testkube.msi

- name: Upload release binary
uses: actions/upload-release-asset@v1.0.2
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.get_release.outputs.upload_url }}
asset_path: testkube.msi
asset_path: ${{steps.checksum.outputs.INSTALLER_PATH}}
asset_name: ${{steps.checksum.outputs.INSTALLER_NAME}}.msi
asset_content_type: application/octet-stream
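Review bot: `uses: sslcom/esigner-codesign@develop` in the new "Sign Artifact with CodeSignTool" step tracks a moving branch, and the step hands that action `ES_USERNAME`, `ES_PASSWORD` and `ES_TOTP_SECRET`, so any later push to that branch runs in the release job with the code-signing credentials. Pin the action to a reviewed commit, e.g. `uses: sslcom/esigner-codesign@<full-commit-sha>  # <release-tag>` (placeholders), and update the pin deliberately. `malware_block: false` appears to turn off the service's pre-sign malware scan; if that is intentional, a one-line comment saying why would help the next reviewer. The same step is added in `.github/workflows/release.yaml`.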

32 changes: 17 additions & 15 deletions .github/workflows/release.yaml
@@ -247,14 +247,6 @@ jobs:
name: testkube_windows
path: windows

- name: Get MSFT Cert
id: write_file
uses: timheuer/base64-to-file@v1.2
with:
fileName: "kubeshop_msft.p12"
fileDir: "./temp/"
encodedString: ${{ secrets.CERT_MSFT_KUBESHOP_P12_B64 }}

- name: Create and Sign MSI
run: |
Copy-Item 'windows\testkube_windows_386\kubectl-testkube.exe' '.\kubectl-testkube.exe'
@@ -263,10 +255,17 @@ jobs:
Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat'
& "$env:WIX\bin\candle.exe" *.wxs
& "$env:WIX\bin\light.exe" *.wixobj
& "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" sign /f "$env:P12_CERT" /p "$env:P12_PASSWORD" /d "Kubetest by Kubeshop" /tr http://timestamp.digicert.com testkube.msi
env:
P12_CERT: ${{ steps.write_file.outputs.filePath }}
P12_PASSWORD: ${{ secrets.CERT_MSFT_KUBESHOP_P12_PASSWORD }}
- name: Sign Artifact with CodeSignTool
uses: sslcom/esigner-codesign@develop
with:
command: sign
username: ${{ secrets.ES_USERNAME }}
password: ${{ secrets.ES_PASSWORD }}
totp_secret: ${{ secrets.ES_TOTP_SECRET }}
file_path: testkube.msi
output_path: ${GITHUB_WORKSPACE}\artifacts
malware_block: false

- name: Get tag
id: tag
@@ -285,26 +284,29 @@ jobs:
id: checksum
run: |
$installer_name = $env:MSI_NAME
$hash=Get-FileHash testkube.msi
$installer_path = $env:MSI_PATH
$hash=Get-FileHash $installer_path
$hash.Hash + " " + $installer_name + ".msi" >> msi_checksum.txt
echo "::set-output name=INSTALLER_NAME::${installer_name}"
echo "::set-output name=INSTALLER_PATH::${installer_path}"
#export MSI hash to environment
$hashsum = $hash.Hash
echo "::set-output name=CHECKSUM::${hashsum}"
#copy MSI to choco directory to build a nuget package
Copy-Item -Path "testkube.msi" -Destination ".\choco\tools\$env:MSI_NAME.msi"
Copy-Item -Path "$installer_path" -Destination ".\choco\tools\$env:MSI_NAME.msi"
env:
MSI_NAME: testkube_${{steps.tag.outputs.tag}}_Windows_i386
MSI_PATH: D:\a\testkube\testkube\artifacts\testkube.msi

- name: Upload release binary
uses: actions/upload-release-asset@v1.0.2
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.get_release.outputs.upload_url }}
asset_path: testkube.msi
asset_path: ${{steps.checksum.outputs.INSTALLER_PATH}}
asset_name: ${{steps.checksum.outputs.INSTALLER_NAME}}.msi
asset_content_type: application/octet-stream
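Review bot: The checksum and upload steps now trust whatever is at `MSI_PATH` without checking that it is actually signed, while the unsigned `testkube.msi` remains in the workspace root. A guard at the top of the checksum script, such as `if ((Get-AuthenticodeSignature $env:MSI_PATH).Status -ne 'Valid') { throw 'testkube.msi is not validly signed' }`, would make the release fail closed before the hash is published. The hard-coded `D:\a\testkube\testkube\artifacts\testkube.msi` also ties the job to the current runner layout; `${{ github.workspace }}\artifacts\testkube.msi` would follow the same directory the signing step writes to. The same applies to the identical hunks in `.github/workflows/release-dev.yaml`.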
