-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathaction.yml
483 lines (434 loc) · 23.3 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
name: 'Trusted Signing'
description: 'Sign your files with Trusted Signing.'
inputs:
azure-tenant-id:
description: The Azure Active Directory tenant (directory) ID.
required: false
azure-client-id:
description: The client (application) ID of an App Registration in the tenant.
required: false
azure-client-secret:
description: A client secret that was generated for the App Registration.
required: false
azure-client-certificate-path:
description: A path to certificate and private key pair in PEM or PFX format, which can authenticate
the App Registration.
required: false
azure-client-send-certificate-chain:
description: Specifies whether an authentication request will include an x5c header to support subject
name / issuer based authentication. When set to `true` or `1`, authentication requests
include the x5c header.
required: false
azure-username:
description: The username, also known as upn, of an Azure Active Directory user account.
required: false
azure-password:
description: The password of the Azure Active Directory user account. Note this does not support
accounts with MFA enabled.
required: false
endpoint:
description: The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the
region your Trusted Signing Account and Certificate Profile you are specifying were created
in during the setup of these resources.
required: true
code-signing-account-name:
description: The Code Signing Account name.
required: false
trusted-signing-account-name:
description: The Trusted Signing Account name.
required: false
certificate-profile-name:
description: The Certificate Profile name.
required: true
files:
description: A comma or newline separated list of absolute paths to the files being signed. Can be combined
with the files-folder and file-catalog inputs.
required: false
files-folder:
description: The folder containing files to be signed. Can be combined with the files and file-catalog inputs.
required: false
files-folder-filter:
description: A comma separated list of file extensions that determines which types of files will
be signed in the folder specified by the files-folder input. E.g., 'dll,exe,msix'.
Any file type not included in this list will not be signed. If this input is not used,
all files in the folder will be signed. Supports wildcards for matching multiple file
names with a pattern.
required: false
files-folder-recurse:
description: A boolean value (true/false) that indicates if the folder specified by the files-folder
input should be searched recursively. The default value is false.
required: false
files-folder-depth:
description: An integer value that indicates the depth of the recursive search toggled by the
files-folder-recursive input.
required: false
files-catalog:
description: A file containing a list of relative paths to the files being signed. The paths
should be relative to the location of the catalog file. Each file path should be on
a separate line. Can be combined with the files and files-folder inputs.
required: false
file-digest:
description: The name of the digest algorithm used for hashing the files being signed. The supported
values are SHA256, SHA384, and SHA512.
required: false
default: 'SHA256'
timestamp-rfc3161:
description: A URL to an RFC3161 compliant timestamping service.
required: false
default: 'http://timestamp.acs.microsoft.com'
timestamp-digest:
description: The name of the digest algorithm used for timestamping. The supported values are SHA256,
SHA384, and SHA512.
required: false
default: 'SHA256'
append-signature:
description: A boolean value (true/false) that indicates if the signature should be appended. If
no primary signature is present, this signature is made the primary signature instead.
required: false
description:
description: A description of the signed content.
required: false
description-url:
description: A Uniform Resource Locator (URL) for the expanded description of the signed content.
required: false
generate-digest-path:
description: Generates the digest to be signed and the unsigned PKCS7 files at this path. The output
digest and PKCS7 files will be path\FileName.dig and path\FileName.p7u. To output an additional
XML file, see `generate-digest-xml`.
required: false
generate-digest-xml:
description: A boolean value (true/false) that indicates if an XML file is produced when the
`generate-digest-path` input is used. The output file will be Path\FileName.dig.xml.
required: false
ingest-digest-path:
description: Creates the signature by ingesting the signed digest to the unsigned PKCS7 file at this
path. The input signed digest and unsigned PKCS7 files should be path\FileName.dig.signed
and path\FileName.p7u.
required: false
sign-digest:
description: A boolean value (true/false) that indicates if only the digest should be signed. The
input file should be the digest generated by the `generate-digest-path` input. The output
file will be File.signed.
required: false
generate-page-hashes:
description: A boolean value (true/false) that indicates if page hashes should be generated for
executable files.
required: false
suppress-page-hashes:
description: A boolean value (true/false) that indicates if page hashes should be suppressed for
executable files. The default is determined by the SIGNTOOL_PAGE_HASHES environment
variable and by the wintrust.dll version. This input is ignored for non-PE files.
required: false
generate-pkcs7:
description: A boolean value (true/false) that indicates if a Public Key Cryptography Standards
(PKCS) \#7 file is produced for each specified content file. PKCS \#7 files are named
path\filename.p7.
required: false
pkcs7-options:
description: Options for the signed PKCS \#7 content. Set value to "Embedded" to embed the signed
content in the PKCS \#7 file, or to "DetachedSignedData" to produce the signed data
portion of a detached PKCS \#7 file. If this input is not used, the signed content is
embedded by default.
required: false
pkcs7-oid:
description: The object identifier (OID) that identifies the signed PKCS \#7 content.
required: false
enhanced-key-usage:
description: The enhanced key usage (EKU) that must be present in the signing certificate. The usage
value can be specified by OID or string. The default usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
required: false
exclude-environment-credential:
description: Exclude the "EnvironmentCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-workload-identity-credential:
description: Exclude the "WorkloadIdentityCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-managed-identity-credential:
description: Exclude the "ManagedIdentity" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-shared-token-cache-credential:
description: Exclude the "SharedTokenCacheCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-visual-studio-credential:
description: Exclude the "VisualStudioCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-visual-studio-code-credential:
description: Exclude the "VisualStudioCodeCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-azure-cli-credential:
description: Exclude the "AzureCliCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-azure-powershell-credential:
description: Exclude the "AzurePowerShellCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-azure-developer-cli-credential:
description: Exclude the "AzureDeveloperCliCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
exclude-interactive-browser-credential:
description: Exclude the "InteractiveBrowserCredential" type from being considered when authenticating with "DefaultAzureCredential".
required: false
default: 'true'
timeout:
description: The number of seconds that the Trusted Signing service will wait for all files
to be signed before it exits. The default value is 300 seconds.
required: false
batch-size:
description: The summed length of file paths that can be signed with each signtool call. This parameter
should only be relevant if you are signing a large number of files. Increasing the value
may result in performance gains at the risk of potentially hitting your system's maximum
command length limit. The minimum value is 0 and the maximum value is 30000. A value of
0 means that every file will be signed with an individual call to signtool.
required: false
cache-dependencies:
description: A boolean value (true/false) that indicates if the dependencies for this action should be cached
by GitHub or not. The default value is true. When using self-hosted runners, caches from workflow
runs are stored on GitHub-owned cloud storage. A customer-owned storage solution is only available
with GitHub Enterprise Server. When enabled, this option can reduce the duration of the action by
at least 1 minute.
required: false
default: 'true'
trace:
description: A boolean value (true/false) that controls trace logging. The default value is false.
required: false
default: 'false'
clickonce-application-name:
description: The application name for any ClickOnce files being signed.
required: false
clickonce-publisher-name:
description: The publisher name for any ClickOnce files being signed.
required: false
runs:
using: 'composite'
steps:
- name: Set variables
id: set-variables
shell: 'pwsh'
run: |
$defaultPath = $env:PSModulePath -split ';' | Select-Object -First 1
"PSMODULEPATH=$defaultPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"TRUSTED_SIGNING_MODULE_VERSION=0.5.3" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"BUILD_TOOLS_NUGET_VERSION=10.0.22621.3233" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"TRUSTED_SIGNING_NUGET_VERSION=1.0.53" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"DOTNET_SIGNCLI_NUGET_VERSION=0.9.1-beta.24469.1" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Cache TrustedSigning PowerShell module
id: cache-module
uses: actions/cache@v4
env:
cache-name: cache-module
with:
path: ${{ steps.set-variables.outputs.PSMODULEPATH }}\TrustedSigning\${{ steps.set-variables.outputs.TRUSTED_SIGNING_MODULE_VERSION }}
key: TrustedSigning-${{ steps.set-variables.outputs.TRUSTED_SIGNING_MODULE_VERSION }}
if: ${{ inputs.cache-dependencies == 'true' }}
- name: Cache Microsoft.Windows.SDK.BuildTools NuGet package
id: cache-buildtools
uses: actions/cache@v4
env:
cache-name: cache-buildtools
with:
path: ~\AppData\Local\TrustedSigning\Microsoft.Windows.SDK.BuildTools\Microsoft.Windows.SDK.BuildTools.${{ steps.set-variables.outputs.BUILD_TOOLS_NUGET_VERSION }}
key: Microsoft.Windows.SDK.BuildTools-${{ steps.set-variables.outputs.BUILD_TOOLS_NUGET_VERSION }}
if: ${{ inputs.cache-dependencies == 'true' }}
- name: Cache Microsoft.Trusted.Signing.Client NuGet package
id: cache-tsclient
uses: actions/cache@v4
env:
cache-name: cache-tsclient
with:
path: ~\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.${{ steps.set-variables.outputs.TRUSTED_SIGNING_NUGET_VERSION }}
key: Microsoft.Trusted.Signing.Client-${{ steps.set-variables.outputs.TRUSTED_SIGNING_NUGET_VERSION }}
if: ${{ inputs.cache-dependencies == 'true' }}
- name: Cache SignCli NuGet package
id: cache-signcli
uses: actions/cache@v4
env:
cache-name: cache-signcli
with:
path: ~\AppData\Local\TrustedSigning\sign\sign.${{ steps.set-variables.outputs.DOTNET_SIGNCLI_NUGET_VERSION }}
key: SignCli-${{ steps.set-variables.outputs.DOTNET_SIGNCLI_NUGET_VERSION }}
if: ${{ inputs.cache-dependencies == 'true' }}
- name: Install Trusted Signing module
shell: 'pwsh'
run: |
Install-Module -Name TrustedSigning -RequiredVersion ${{ steps.set-variables.outputs.TRUSTED_SIGNING_MODULE_VERSION }} -Force -Repository PSGallery
if: ${{ inputs.cache-dependencies != 'true' || steps.cache-module.outputs.cache-hit != 'true' }}
- name: Invoke signing
env:
AZURE_TENANT_ID: ${{ inputs.azure-tenant-id }}
AZURE_CLIENT_ID: ${{ inputs.azure-client-id }}
AZURE_CLIENT_SECRET: ${{ inputs.azure-client-secret }}
AZURE_CLIENT_CERTIFICATE_PATH: ${{ inputs.azure-client-certificate-path }}
AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: ${{ inputs.azure-client-send-certificate-chain }}
AZURE_USERNAME: ${{ inputs.azure-username }}
AZURE_PASSWORD: ${{ inputs.azure-password }}
run: |
$params = @{}
$endpoint = "${{ inputs.endpoint }}"
if (-Not [string]::IsNullOrWhiteSpace($endpoint)) {
$params["Endpoint"] = $endpoint
}
$trustedSigningAccountName = "${{ inputs.trusted-signing-account-name }}"
if ([string]::IsNullOrWhiteSpace($trustedSigningAccountName)) {
$trustedSigningAccountName = "${{ inputs.code-signing-account-name }}"
if (-Not [string]::IsNullOrWhiteSpace($trustedSigningAccountName)) {
Write-Warning "The 'code-signing-account-name' input is deprecated. Please use 'trusted-signing-account-name' instead."
} else {
throw "The 'trusted-signing-account-name' input is required."
}
}
$params["CodeSigningAccountName"] = $trustedSigningAccountName
$certificateProfileName = "${{ inputs.certificate-profile-name }}"
if (-Not [string]::IsNullOrWhiteSpace($certificateProfileName)) {
$params["CertificateProfileName"] = $certificateProfileName
}
$files = "${{ inputs.files }}"
if (-Not [string]::IsNullOrWhiteSpace($files)) {
$params["Files"] = $files.replace("`n", ",")
}
$filesFolder = "${{ inputs.files-folder }}"
if (-Not [string]::IsNullOrWhiteSpace($filesFolder)) {
$params["FilesFolder"] = $filesFolder
}
$filesFolderFilter = "${{ inputs.files-folder-filter }}"
if (-Not [string]::IsNullOrWhiteSpace($filesFolderFilter)) {
$params["FilesFolderFilter"] = $filesFolderFilter
}
$filesFolderRecurse = "${{ inputs.files-folder-recurse }}"
if (-Not [string]::IsNullOrWhiteSpace($filesFolderRecurse)) {
$params["FilesFolderRecurse"] = [System.Convert]::ToBoolean($filesFolderRecurse)
}
$filesFolderDepth = "${{ inputs.files-folder-depth }}"
if (-Not [string]::IsNullOrWhiteSpace($filesFolderDepth)) {
$params["FilesFolderDepth"] = [System.Convert]::ToInt32($filesFolderDepth)
}
$filesCatalog = "${{ inputs.files-catalog }}"
if (-Not [string]::IsNullOrWhiteSpace($filesCatalog)) {
$params["FilesCatalog"] = $filesCatalog
}
$fileDigest = "${{ inputs.file-digest }}"
if (-Not [string]::IsNullOrWhiteSpace($fileDigest)) {
$params["FileDigest"] = $fileDigest
}
$timestampRfc3161 = "${{ inputs.timestamp-rfc3161 }}"
if (-Not [string]::IsNullOrWhiteSpace($timestampRfc3161)) {
$params["TimestampRfc3161"] = $timestampRfc3161
}
$timestampDigest = "${{ inputs.timestamp-digest }}"
if (-Not [string]::IsNullOrWhiteSpace($timestampDigest)) {
$params["TimestampDigest"] = $timestampDigest
}
$appendSignature = "${{ inputs.append-signature }}"
if (-Not [string]::IsNullOrWhiteSpace($appendSignature)) {
$params["AppendSignature"] = [System.Convert]::ToBoolean($appendSignature)
}
$description = "${{ inputs.description }}"
if (-Not [string]::IsNullOrWhiteSpace($description)) {
$params["Description"] = $description
}
$descriptionUrl = "${{ inputs.description-url }}"
if (-Not [string]::IsNullOrWhiteSpace($descriptionUrl)) {
$params["DescriptionUrl"] = $descriptionUrl
}
$generateDigestPath = "${{ inputs.generate-digest-path }}"
if (-Not [string]::IsNullOrWhiteSpace($generateDigestPath)) {
$params["GenerateDigestPath"] = $generateDigestPath
}
$generateDigestXml = "${{ inputs.generateDigestXml }}"
if (-Not [string]::IsNullOrWhiteSpace($generateDigestXml)) {
$params["GenerateDigestXml"] = [System.Convert]::ToBoolean($generateDigestXml)
}
$ingestDigestPath = "${{ inputs.ingest-digest-path }}"
if (-Not [string]::IsNullOrWhiteSpace($ingestDigestPath)) {
$params["IngestDigestPath"] = $ingestDigestPath
}
$signDigest = "${{ inputs.sign-digest }}"
if (-Not [string]::IsNullOrWhiteSpace($signDigest)) {
$params["SignDigest"] = [System.Convert]::ToBoolean($signDigest)
}
$generatePageHashes = "${{ inputs.generate-page-hashes }}"
if (-Not [string]::IsNullOrWhiteSpace($generatePageHashes)) {
$params["GeneratePageHashes"] = [System.Convert]::ToBoolean($generatePageHashes)
}
$suppressPageHashes = "${{ inputs.suppress-page-hashes }}"
if (-Not [string]::IsNullOrWhiteSpace($suppressPageHashes)) {
$params["SuppressPageHashes"] = [System.Convert]::ToBoolean($suppressPageHashes)
}
$generatePkcs7 = "${{ inputs.generate-pkcs7 }}"
if (-Not [string]::IsNullOrWhiteSpace($generatePkcs7)) {
$params["GeneratePkcs7"] = [System.Convert]::ToBoolean($generatePkcs7)
}
$pkcs7Options = "${{ inputs.pkcs7-options }}"
if (-Not [string]::IsNullOrWhiteSpace($pkcs7Options)) {
$params["Pkcs7Options"] = $pkcs7Options
}
$pkcs7Oid = "${{ inputs.pkcs7-oid }}"
if (-Not [string]::IsNullOrWhiteSpace($pkcs7Oid)) {
$params["Pkcs7Oid"] = $pkcs7Oid
}
$enhancedKeyUsage = "${{ inputs.enhanced-key-usage }}"
if (-Not [string]::IsNullOrWhiteSpace($enhancedKeyUsage)) {
$params["EnhancedKeyUsage"] = $enhancedKeyUsage
}
$excludeEnvironmentCredential = "${{ inputs.exclude-environment-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeEnvironmentCredential)) {
$params["ExcludeEnvironmentCredential"] = [System.Convert]::ToBoolean($excludeEnvironmentCredential)
}
$excludeWorkloadIdentityCredential = "${{ inputs.exclude-workload-identity-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeWorkloadIdentityCredential)) {
$params["ExcludeWorkloadIdentityCredential"] = [System.Convert]::ToBoolean($excludeWorkloadIdentityCredential)
}
$excludeManagedIdentityCredential = "${{ inputs.exclude-managed-identity-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeManagedIdentityCredential)) {
$params["ExcludeManagedIdentityCredential"] = [System.Convert]::ToBoolean($excludeManagedIdentityCredential)
}
$excludeSharedTokenCacheCredential = "${{ inputs.exclude-shared-token-cache-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeSharedTokenCacheCredential)) {
$params["ExcludeSharedTokenCacheCredential"] = [System.Convert]::ToBoolean($excludeSharedTokenCacheCredential)
}
$excludeVisualStudioCredential = "${{ inputs.exclude-visual-studio-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeVisualStudioCredential)) {
$params["ExcludeVisualStudioCredential"] = [System.Convert]::ToBoolean($excludeVisualStudioCredential)
}
$excludeVisualStudioCodeCredential = "${{ inputs.exclude-visual-studio-code-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeVisualStudioCodeCredential)) {
$params["ExcludeVisualStudioCodeCredential"] = [System.Convert]::ToBoolean($excludeVisualStudioCodeCredential)
}
$excludeAzureCliCredential = "${{ inputs.exclude-azure-cli-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeAzureCliCredential)) {
$params["ExcludeAzureCliCredential"] = [System.Convert]::ToBoolean($excludeAzureCliCredential)
}
$excludeAzurePowerShellCredential = "${{ inputs.exclude-azure-powershell-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeAzurePowerShellCredential)) {
$params["ExcludeAzurePowerShellCredential"] = [System.Convert]::ToBoolean($excludeAzurePowerShellCredential)
}
$excludeAzureDeveloperCliCredential = "${{ inputs.exclude-azure-developer-cli-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeAzureDeveloperCliCredential)) {
$params["ExcludeAzureDeveloperCliCredential"] = [System.Convert]::ToBoolean($excludeAzureDeveloperCliCredential)
}
$excludeInteractiveBrowserCredential = "${{ inputs.exclude-interactive-browser-credential }}"
if (-Not [string]::IsNullOrWhiteSpace($excludeInteractiveBrowserCredential)) {
$params["ExcludeInteractiveBrowserCredential"] = [System.Convert]::ToBoolean($excludeInteractiveBrowserCredential)
}
$timeout = "${{ inputs.timeout }}"
if (-Not [string]::IsNullOrWhiteSpace($timeout)) {
$params["Timeout"] = [System.Convert]::ToInt32($timeout)
}
$batchSize = "${{ inputs.batch-size }}"
if (-Not [string]::IsNullOrWhiteSpace($batchSize)) {
$params["BatchSize"] = [System.Convert]::ToInt32($batchSize)
}
$trace = "${{ inputs.trace }}"
if (-Not [string]::IsNullOrWhiteSpace($trace)) {
if ([System.Convert]::ToBoolean($trace)) {
Set-PSDebug -Trace 2
}
}
$clickOnceApplicationName = "${{ inputs.clickonce-application-name }}"
if (-Not [string]::IsNullOrWhiteSpace($clickOnceApplicationName)) {
$params["ClickOnceApplicationName"] = $clickOnceApplicationName
}
$clickOncePublisherName = "${{ inputs.clickonce-publisher-name }}"
if (-Not [string]::IsNullOrWhiteSpace($clickOncePublisherName)) {
$params["ClickOncePublisherName"] = $clickOncePublisherName
}
Invoke-TrustedSigning @params
shell: pwsh