@@ -91,56 +91,31 @@ jobs:
9191 name : azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
9292 path : unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
9393
94- - name : Install osslsigncode & pkcs11 engine
94+ - name : Setup SM_CLIENT_CERT_FILE
95+ shell : bash
9596 run : |
96- sudo apt-get update
97- sudo apt-get install -y osslsigncode libengine-pkcs11-openssl
97+ export SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/Certifiact_pkcs12.p12
98+ echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE}
99+ echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> $GITHUB_ENV
98100
99- - name : Install DigiCert Client Tools
101+ - name : Setup Software Trust Manager & Sign
100102 id : digicert
101103 uses : digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # ratchet:digicert/code-signing-software-trust-action@v1.2.1
102-
103- - name : Set PKCS#11 Paths
104- id : pkcs11
105- run : |
106- SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
107- echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
108- LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl | grep "libpkcs11.so")"
109- echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"
110-
111- - name : Sign Artifacts via DigiCert Signing Manager
104+ with :
105+ simple-signing-mode : true
106+ input : unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
107+ keypair-alias : ${{ secrets.SM_KEYPAIR_ALIAS }}
112108 env :
113109 SM_HOST : ${{ secrets.SM_HOST }}
114110 SM_API_KEY : ${{ secrets.SM_API_KEY }}
115- SM_CLIENT_CERT_FILE_B64 : ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
111+ SM_CLIENT_CERT_FILE : ${{ env.SM_CLIENT_CERT_FILE }}
116112 SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
117- shell : bash
118- run : |
119- export SM_CLIENT_CERT_FILE=$(mktemp)
120- printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
121- trap 'rm $SM_CLIENT_CERT_FILE' EXIT
122113
123- mkdir signed
124- artifact=unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
125- smctl sign --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --input "$artifact" --openssl-pkcs11-engine "${{ steps.pkcs11.outputs.engine }}" --pkcs11-module "${{ steps.pkcs11.outputs.module }}" --tool osslsigncode --verbose
126- mv "$artifact" "signed/azurehound.exe"
127-
128- - name : Verify Signed Artifacts
129- env :
130- SM_HOST : ${{ secrets.SM_HOST }}
131- SM_API_KEY : ${{ secrets.SM_API_KEY }}
132- SM_CLIENT_CERT_FILE_B64 : ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
133- SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
114+ - name : Move Signed Artifacts
134115 shell : bash
135116 run : |
136- export SM_CLIENT_CERT_FILE=$(mktemp)
137- printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
138- smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
139- trap 'rm $SM_CLIENT_CERT_FILE cert-chain.pem' EXIT
140-
141- for artifact in signed/*; do
142- osslsigncode verify -CAfile cert-chain.pem "$artifact"
143- done
117+ mkdir signed
118+ mv unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe signed/azurehound.exe
144119
145120 - name : Zip Signed Executables
146121 run : |