From ae5000dd1aa911f0ec92a99adbed3ee745a455bb Mon Sep 17 00:00:00 2001
From: derrod
Date: Mon, 29 Jan 2024 01:24:17 +0100
Subject: [PATCH] CI: Switch to production codesigning cert
---
 .github/actions/bouf/action.yaml | 10 +++++-----
 .github/actions/bouf/config.toml | 6 +++---
 .github/actions/bouf/prod.crt | 26 ++++++++++++++++++++++++++
 .github/workflows/push.yaml | 2 +-
 4 files changed, 35 insertions(+), 9 deletions(-)
 create mode 100644 .github/actions/bouf/prod.crt
diff --git a/.github/actions/bouf/action.yaml b/.github/actions/bouf/action.yaml
index 4d0722684..6e4c3d855 100644
--- a/.github/actions/bouf/action.yaml
+++ b/.github/actions/bouf/action.yaml
@@ -30,9 +30,9 @@ runs:
 - name: Setup bouf
 shell: pwsh
 env:
- BOUF_TAG: 'v0.6.1'
- BOUF_HASH: '7292e43186ecc6210079fa5702254455797c7652dc6b08b5b61ac2d721766d86'
- BOUF_NSIS_HASH: '2f5ecff05a002913c10aafa838febc1b0ae6e779f5ca67efa545ed787ae485a0'
+ BOUF_TAG: 'v0.6.2'
+ BOUF_HASH: '40ca34457a8ac60b9710a41b4cde2a0fc36d8740ab21b01d702069be2e1c5fb9'
+ BOUF_NSIS_HASH: '88958a9e4e0f3cb6f78e8359fdfa3343d050d5c2158e3ee77cb2cc4a8785ac61'
 GH_TOKEN: ${{ github.token }}
 run: |
 # Download bouf release
@@ -76,8 +76,8 @@ runs:
 - name: Install pandoc and rclone
 shell: pwsh
 run: |
- choco install rclone --version 1.64.2 -y --no-progress
- choco install pandoc --version 3.1.9 -y --no-progress
+ choco install rclone --version=1.64.2 -y --no-progress
+ choco install pandoc --version=3.1.9 -y --no-progress
 - name: Prepare Release Notes
 shell: pwsh
diff --git a/.github/actions/bouf/config.toml b/.github/actions/bouf/config.toml
index 39541c82b..80da49a99 100644
--- a/.github/actions/bouf/config.toml
+++ b/.github/actions/bouf/config.toml
@@ -19,9 +19,9 @@ never_copy = [ ]
 [prepare.codesign]
-sign_cert_file = "repo/.github/actions/bouf/test.crt"
-sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/testing/cryptoKeys/signing-hsm/cryptoKeyVersions/1"
-sign_digest = "sha256"
+sign_cert_file = "repo/.github/actions/bouf/prod.crt"
+sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
+sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
 sign_exts = ['exe', 'dll', 'pyd']
diff --git a/.github/actions/bouf/prod.crt b/.github/actions/bouf/prod.crt
new file mode 100644
index 000000000..a7630e8af
--- /dev/null
+++ b/.github/actions/bouf/prod.crt
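Review bot: The three new `[prepare.codesign]` values are mutually dependent but nothing in the file records that: `sign_cert_file` has to be the certificate issued for exactly the KMS key version pinned in `sign_kms_key_id` (`cryptoKeyVersions/1`), and `sign_digest = "sha384"` matches the P-384 key and ECDSA-with-SHA384 signature in prod.crt if I decode its DER correctly, so a future key rotation or certificate renewal has to touch both lines together and a mismatch will only surface as a signing failure at release time. Decoding the validity window of prod.crt gives notBefore 2024-01-28 and notAfter 2027-01-27, which is the hard deadline for that renewal, so I would add above `sign_cert_file` the comment `# prod.crt is issued for the KMS key version pinned in sign_kms_key_id; rotate both together (cert expires 2027-01-27)`. Separately, `sign_ts_serv` stays on plain HTTP, which is the usual transport for an RFC 3161 TSA because the returned token is signed by the TSA, but only one TSA is configured, so whether a timestamping outage fails the release or silently yields an untimestamped signature depends on bouf's handling, which is not visible here and is worth confirming.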
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEYzCCA+mgAwIBAgIQDUFqBoO4wZHe6N7uxU2rNzAKBggqhkjOPQQDAzBkMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPDA6BgNVBAMTM0Rp
+Z2lDZXJ0IEdsb2JhbCBHMyBDb2RlIFNpZ25pbmcgRUNDIFNIQTM4NCAyMDIxIENB
+MTAeFw0yNDAxMjgwMDAwMDBaFw0yNzAxMjcyMzU5NTlaMIHPMRMwEQYLKwYBBAGC
+NzwCAQMTAlVTMRgwFgYLKwYBBAGCNzwCAQITB1d5b21pbmcxHTAbBgNVBA8MFFBy
+aXZhdGUgT3JnYW5pemF0aW9uMRcwFQYDVQQFEw4yMDIzLTAwMTI3MjI1MjELMAkG
+A1UEBhMCVVMxEDAOBgNVBAgTB1d5b21pbmcxETAPBgNVBAcTCFNoZXJpZGFuMRkw
+FwYDVQQKExBPQlMgUHJvamVjdCwgTExDMRkwFwYDVQQDExBPQlMgUHJvamVjdCwg
+TExDMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEqTLCTWIc06ek5TtAQC3l910Ifnuk
+cd3EnGuBuPTpQ41oscNjcBGCOphtUEdgivn2Vbn2XReD+u5bNpf5gdaEmvOuJoIj
+/NN/yVqZsEQMkF8iQwNAPyQkPF/NrgO6VTR5o4IB8jCCAe4wHwYDVR0jBBgwFoAU
+m1+wNrqdBq4ZJ73AoCLAi4s4d+0wHQYDVR0OBBYEFPPrwCDxNi6AiZftFVF3ep6b
+W1jbMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3
+dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggr
+BgEFBQcDAzCBqwYDVR0fBIGjMIGgME6gTKBKhkhodHRwOi8vY3JsMy5kaWdpY2Vy
+dC5jb20vRGlnaUNlcnRHbG9iYWxHM0NvZGVTaWduaW5nRUNDU0hBMzg0MjAyMUNB
+MS5jcmwwTqBMoEqGSGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEds
+b2JhbEczQ29kZVNpZ25pbmdFQ0NTSEEzODQyMDIxQ0ExLmNybDCBjgYIKwYBBQUH
+AQEEgYEwfzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFcG
+CCsGAQUFBzAChktodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
+bG9iYWxHM0NvZGVTaWduaW5nRUNDU0hBMzg0MjAyMUNBMS5jcnQwCQYDVR0TBAIw
+ADAKBggqhkjOPQQDAwNoADBlAjEAwcabTk6TwhmuhWtqdmx5UZvO4RdU/IBxcQ1i
+ZSA9NfQqK4fs48refxEB/rz7bR+2AjBhgW5WdpPv8xv2gqO2D1XVSynuMVQi62Ii
+O/MY6qCzjzXtCKUoufNIezML/5OX1so=
+-----END CERTIFICATE-----
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 14f15703d..7d7ed3135 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -217,7 +217,7 @@ jobs:
 - name: Set Up Environment 🔧
 id: setup
 env:
- BOUF_ACTION_HASH: '4b421d1fa51cbf35f9c68f80795be3468dc480d47989c0bf713c39a7d62dec9e'
+ BOUF_ACTION_HASH: 'e91375eb41c3c9d97df14dc3c2775ce254e50f92dad782341e8cd2a1f9faf7de'
 run: |
 $channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" }
 $shortHash = $env:GITHUB_SHA.Substring(0,9)
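Review bot: `BOUF_ACTION_HASH` is bumped in lockstep with the files changed under .github/actions/bouf in this commit, which suggests it is an integrity pin over that directory, but the env block does not say what it covers or how it is recomputed, and the `run: |` step that presumably verifies it continues past the end of the hunk, so the check itself is not visible here. Since that pin now guards the production certificate path and KMS key id in config.toml, anyone editing that directory must know to refresh it, otherwise signing either fails or, if the check is lenient, runs against unpinned inputs. I would add above the value the comment `# Integrity pin over .github/actions/bouf (TODO confirm exact input set); recompute after any change there` together with the exact command used to derive it.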