workflows/release: use Azure Code Signing
All new keys for Windows code signing have to be hardware backed as of sometime in 2024. To make this possible for us, let's set up Azure Code Signing. We call each of the separate stages, signing the intermediate objects in between each stage. The Action requires that we specify all of the objects in a single folder with a single extension, so we separate the binaries of Git LFS itself from the installer binary so we can include signed binaries in the installer without re-signing the original binaries.
This commit is contained in:
parent
f17318a6a4
commit
d4f2c3d4bd
37
.github/workflows/release.yml
vendored
37
.github/workflows/release.yml
vendored
@ -40,10 +40,6 @@ jobs:
|
||||
shell: bash
|
||||
- run: mkdir -p bin/releases
|
||||
shell: bash
|
||||
- run: CERT_FILE="$HOME/cert.pfx" env -u TMPDIR make release-write-certificate
|
||||
shell: bash
|
||||
env:
|
||||
CERT_CONTENTS: ${{secrets.WINDOWS_CERT_BASE64}}
|
||||
# We clear the TMPDIR set for Ruby so mktemp and Go use the same
|
||||
# volume for temporary files.
|
||||
- run: PATH="$HOME/go/bin:$PATH" GOARCH=amd64 go generate && env -u TMPDIR make bin/releases/git-lfs-windows-amd64-$(git describe).zip
|
||||
@ -58,11 +54,40 @@ jobs:
|
||||
shell: bash
|
||||
env:
|
||||
FORCE_LOCALIZE: true
|
||||
- run: PATH="$HOME/go/bin:/c/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86:$PATH" CERT_FILE="$HOME/cert.pfx" env -u TMPDIR make release-windows
|
||||
- run: env -u TMPDIR make release-windows-stage-1
|
||||
shell: bash
|
||||
env:
|
||||
CERT_PASS: ${{secrets.WINDOWS_CERT_PASS}}
|
||||
FORCE_LOCALIZE: true
|
||||
- uses: azure/azure-code-signing-action@v0.2.22
|
||||
with:
|
||||
azure-tenant-id: ${{ secrets.SPN_GIT_LFS_SIGNING_TENANT_ID }}
|
||||
azure-client-id: ${{ secrets.SPN_GIT_LFS_SIGNING_CLIENT_ID }}
|
||||
azure-client-secret: ${{ secrets.SPN_GIT_LFS_SIGNING }}
|
||||
endpoint: https://wus.codesigning.azure.net/
|
||||
code-signing-account-name: GitHubInc
|
||||
certificate-profile-name: GitHubInc
|
||||
files-folder: ${{ github.workspace }}/tmp/stage1
|
||||
files-folder-filter: exe
|
||||
file-digest: SHA256
|
||||
timestamp-rfc3161: http://timestamp.acs.microsoft.com
|
||||
timestamp-digest: SHA256
|
||||
- run: env -u TMPDIR make release-windows-stage-2
|
||||
shell: bash
|
||||
- uses: azure/azure-code-signing-action@v0.2.22
|
||||
with:
|
||||
azure-tenant-id: ${{ secrets.SPN_GIT_LFS_SIGNING_TENANT_ID }}
|
||||
azure-client-id: ${{ secrets.SPN_GIT_LFS_SIGNING_CLIENT_ID }}
|
||||
azure-client-secret: ${{ secrets.SPN_GIT_LFS_SIGNING }}
|
||||
endpoint: https://wus.codesigning.azure.net/
|
||||
code-signing-account-name: GitHubInc
|
||||
certificate-profile-name: GitHubInc
|
||||
files-folder: ${{ github.workspace }}/tmp/stage2
|
||||
files-folder-filter: exe
|
||||
file-digest: SHA256
|
||||
timestamp-rfc3161: http://timestamp.acs.microsoft.com
|
||||
timestamp-digest: SHA256
|
||||
- run: env -u TMPDIR make release-windows-stage-3
|
||||
shell: bash
|
||||
- run: env -u TMPDIR make release-windows-rebuild
|
||||
shell: bash
|
||||
- uses: actions/upload-artifact@v4
|
||||
|
Loading…
Reference in New Issue
Block a user