release: add signing step for .deb package
- sign using Azure-stored certificates & client
- sign on Windows agent via python script
- job skipped if credentials for accessing certificate aren't present
vdye committed Jul 19, 2023
1 parent f507846 commit e4f0257
Showing 1 changed file with 46 additions and 2 deletions.
48 changes: 46 additions & 2 deletions .github/workflows/build-git-installers.yml
Expand Up @@ -15,6 +15,7 @@ jobs:
outputs:
tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0
tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
deb_signable: ${{ steps.deb.outputs.signable }} # Whether the credentials needed to sign the .deb package are available
steps:
- name: Validate tag
run: |
Expand All @@ -28,6 +29,9 @@ jobs:
echo "name=${GITHUB_REF#refs/tags/}" >>$GITHUB_OUTPUT
echo "version=${GITHUB_REF#refs/tags/v}" >>$GITHUB_OUTPUT
id: tag
- name: Determine whether signing certificates are present
run: echo "signable=$([[ $AZ_SUB != '' && $AZ_CREDS != '' ]] && echo 'true' || echo 'false')" >>$GITHUB_OUTPUT
id: deb
- name: Clone git
uses: actions/checkout@v3
- name: Validate the tag identified with trigger
Expand Down Expand Up @@ -566,7 +570,7 @@ jobs:
path: git/.github/macos-installer/*.dmg
# End build and sign Mac OSX installers

# Build unsigned Ubuntu package
# Build & sign Ubuntu package
ubuntu_build:
runs-on: ubuntu-20.04
needs: prereqs
Expand Down Expand Up @@ -642,4 +646,44 @@ jobs:
with:
name: deb-package-unsigned
path: artifacts/
# End build unsigned Ubuntu package
ubuntu_sign-artifacts:
runs-on: windows-latest # Must be run on Windows due to ESRP executable OS compatibility
needs: [ubuntu_build, prereqs]
if: needs.prereqs.outputs.deb_signable == 'true'
env:
ARTIFACTS_DIR: artifacts
steps:
- name: Clone repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download unsigned packages
uses: actions/download-artifact@v3
with:
name: deb-package-unsigned
path: unsigned
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set up ESRP client
shell: pwsh
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
run: |
git\.github\scripts\set-up-esrp.ps1
- name: Sign package
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
LINUX_KEY_CODE: ${{ secrets.LINUX_KEY_CODE }}
LINUX_OP_CODE: ${{ secrets.LINUX_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
- name: Upload signed artifact
uses: actions/upload-artifact@v3
with:
name: deb-package-signed
path: signed
# End build & sign Ubuntu package
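Review bot: The `Sign package` step hands `$env:LINUX_KEY_CODE` and `$env:LINUX_OP_CODE` to the script as positional arguments, but nothing in this section checks that those secrets are actually set: the `signable` gate in the second hunk tests only `$AZ_SUB` and `$AZ_CREDS`, which are not bound to any secret in the lines shown and do not correspond to the secrets this job consumes (`AZURE_CREDENTIALS`, `AZURE_VAULT`, `LINUX_KEY_CODE`, `LINUX_OPERATION_CODE`, ...). In pwsh an unset `$env:` variable expands to nothing, so a missing secret drops the argument, shifts the script's positionals and fails late with a misleading error instead of at the gate. A one-line guard at the top of the `run:` block makes the failure explicit: `if (-not $env:LINUX_KEY_CODE -or -not $env:LINUX_OP_CODE) { throw 'LINUX_KEY_CODE / LINUX_OPERATION_CODE secrets must be set' }`, and the same check applies to `AZURE_VAULT`, `AUTH_CERT` and `REQUEST_SIGNING_CERT` in the `Set up ESRP client` step. The `ubuntu_build` step whose `with:` block opens the last hunk starts outside it.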

