Update to Trusted Signing module 0.4.1 #38

Merged
merged 6 commits into from
Jul 17, 2024
Changes from 4 commits
53 changes: 50 additions & 3 deletions README.md
Expand Up @@ -34,15 +34,15 @@ jobs:
run: dotnet build --configuration Release --no-restore WpfApp

- name: Sign files with Trusted Signing
uses: azure/trusted-signing-action@v0.3.20
uses: azure/trusted-signing-action@v0.4.1
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: https://eus.codesigning.azure.net/
trusted-signing-account-name: vscx-codesigning
certificate-profile-name: vscx-certificate-profile
files-folder: ${{ github.workspace }}\App\App\bin\Release\net6.0-windows
files-folder: ${{ github.workspace }}\App\App\bin\Release\net8.0-windows
files-folder-filter: exe,dll
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
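Review bot: The example now pins `uses: azure/trusted-signing-action@v0.4.1`, a tag that can be moved after release; since readers copy this block verbatim into their release pipelines, consider also showing the commit-SHA form (`azure/trusted-signing-action@<full-commit-sha> # v0.4.1`, sha to be filled in from the release) so the step that signs release binaries cannot change underneath them. The `net8.0-windows` path change is fine provided the `dotnet build ... WpfApp` step above it targets net8.0 as well, otherwise the example would point `files-folder` at an empty directory.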
Expand Down Expand Up @@ -126,14 +126,22 @@ certificate-profile-name: my-profile-name
```

### File Specification
#### Files List
This strategy allows you to specify a comma separated list of files to be signed.

```yaml
# A comma separated list of absolute paths to the files being signed. Can be combined with the files-folder and file-catalog inputs.
files: ${{ github.workspace }}\files\app.dll,${{ github.workspace }}\files\app.exe
```

#### Files Folder
This strategy allows you to specify a folder that contains all the files you want signed. There are options available for narrowing the focus as well. For example, you can use the `files-folder-filter` input to specify that you only want `exe` files to be signed.

```yaml
# The folder containing files to be signed. Can be combined with the file-catalog input.
files-folder: ${{ github.workspace }}\App\App\bin\Release\net6.0-windows

# A comma separated list of file extensions that determines which types of files will be signed in the folder specified by the files-folder input. Any file type not included in this list will not be signed. If this input is not used, all files in the folder will be signed.
# A comma separated list of file extensions that determines which types of files will be signed in the folder specified by the files-folder input. Any file type not included in this list will not be signed. If this input is not used, all files in the folder will be signed. Supports wildcards for matching multiple file names with a pattern.
files-folder-filter: dll,exe,msix

# A boolean value (true/false) that indicates if the folder specified by the files-folder input should be searched recursively. The default value is false.
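Review bot: The new `files` comment says the input can be combined with `file-catalog`, but the input is declared as `files-catalog` in action.yml; the `files-folder` comment in this hunk has the same name error and, unlike its action.yml counterpart in this PR, was not updated to mention the new `files` input. Two smaller consistency points in the same hunk: the `files-folder` example path still reads `net6.0-windows` while the workflow example earlier in this PR moved to `net8.0-windows`, and the `files-folder-filter` comment still describes the entries as "file extensions" while the appended sentence says wildcards match file names; suggest "A comma separated list of file extensions or file name patterns (wildcards supported) that determines which files will be signed ...".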
Expand All @@ -143,6 +151,25 @@ files-folder-recurse: true
files-folder-depth: 2
```

Given the following directory structure:
```txt
C:.
└───files
System.dll
Foo.Bar.Core.dll
Foo.Bar.Utilities.dll
Foo.Bar.exe
LICENSE.md
```

Here is an example of inputs that can be used to specify that only the `Foo.Bar.*` files are signed:
```yaml
files-folder: ${{ github.workspace }}\files
files-folder-filter: Foo.Bar.*.dll,*.exe
files-folder-recurse: false
files-folder-depth: 1
```

#### Files Catalog
This strategy allows you to specify a precise list of files to be signed.

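Review bot: The filter `Foo.Bar.*.dll,*.exe` matches every `.exe` in the folder, not only `Foo.Bar.exe`; that is harmless for this listing, but the text says "only the `Foo.Bar.*` files", and a reader who copies it into a folder with other executables would sign more than intended. Either state that `*.exe` is deliberate or tighten it, and say here how a mixed list is interpreted: whether a bare entry like `dll` is an extension, whether a full file name such as `Foo.Bar.exe` is accepted as a pattern, and whether matching is case sensitive, none of which the section states yet. Also, `files-folder-depth: 1` with `files-folder-recurse: false` reads as if depth applies without recursion; if it does not, drop it from this example.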
Expand All @@ -151,6 +178,26 @@ This strategy allows you to specify a precise list of files to be signed.
files-catalog: ${{ github.workspace }}\catalog.txt
```

Given the following directory structure:
```txt
C:.
│ catalog.txt
└───files
System.dll
Foo.Bar.Core.dll
Foo.Bar.Utilities.dll
Foo.Bar.exe
LICENSE.md
```

Here is an example of a `catalog.txt` file that can be used to specify that only the `Foo.Bar.*` files are signed:
```txt
./files/Foo.Bar.Core.dll
./files/Foo.Bar.Utilities.dll
./files/Foo.Bar.exe
```

### Digest Algorithm
```yaml
# The name of the digest algorithm used for hashing the file being signed. The supported values are SHA256, SHA384, and SHA512. The default value is SHA256.
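Review bot: The `./files/...` entries only resolve because `catalog.txt` sits beside the `files` directory; this section should say, as the action.yml description does, that catalog paths are relative to the catalog file's location, and whether a leading `./` and backslash separators are both accepted, since every other path in the README is Windows style. Since the catalog decides exactly which binaries receive a signature, a short sentence recommending it be committed and reviewed with the workflow rather than produced by a build step would fit here too.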
18 changes: 14 additions & 4 deletions action.yml
Expand Up @@ -40,14 +40,19 @@ inputs:
certificate-profile-name:
description: The Certificate Profile name.
required: true
files:
description: A comma separated list of absolute paths to the files being signed. Can be combined with
the files-folder and file-catalog inputs.
required: false
files-folder:
description: The folder containing files to be signed. Can be combined with the file-catalog input.
description: The folder containing files to be signed. Can be combined with the files and file-catalog inputs.
required: false
files-folder-filter:
description: A comma separated list of file extensions that determines which types of files will
be signed in the folder specified by the files-folder input. E.g., 'dll,exe,msix'.
Any file type not included in this list will not be signed. If this input is not used,
all files in the folder will be signed.
all files in the folder will be signed. Supports wildcards for matching multiple file
names with a pattern.
required: false
files-folder-recurse:
description: A boolean value (true/false) that indicates if the folder specified by the files-folder
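Review bot: Both the new `files` description and the updated `files-folder` description refer to a `file-catalog` input, but the input declared a few lines further down is `files-catalog`; both should read `files-catalog`. The `files-folder-filter` description also now disagrees with itself: it opens with "file extensions" and the `'dll,exe,msix'` example, then the appended sentence introduces file name patterns. Suggest "A comma separated list of file extensions or file name patterns (wildcards supported) that determines which files in the folder specified by the files-folder input will be signed. E.g., 'dll,exe,msix' or 'Foo.Bar.*.dll'."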
Expand All @@ -60,7 +65,7 @@ inputs:
files-catalog:
description: A file containing a list of relative paths to the files being signed. The paths
should be relative to the location of the catalog file. Each file path should be on
a separate line. Can be combined with the files-folder input.
a separate line. Can be combined with the files and files-folder inputs.
required: false
file-digest:
description: The name of the digest algorithm used for hashing the files being signed. The supported
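Review bot: With `files`, `files-folder` and `files-catalog` all `required: false`, none of the three descriptions says what happens when no file input is supplied at all; add a sentence here (or on `files`) stating that at least one must be set and what the action does otherwise, ideally failing the step rather than completing with nothing signed. The cross-reference wording itself now matches the `files-folder` description.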
Expand Down Expand Up @@ -197,7 +202,7 @@ runs:
$defaultPath = $env:PSModulePath -split ';' | Select-Object -First 1
"PSMODULEPATH=$defaultPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

"TRUSTED_SIGNING_MODULE_VERSION=0.3.18" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"TRUSTED_SIGNING_MODULE_VERSION=0.4.1" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"BUILD_TOOLS_NUGET_VERSION=10.0.22621.3233" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
"TRUSTED_SIGNING_NUGET_VERSION=1.0.53" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

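Review bot: Only the module pin moves here (0.3.18 to 0.4.1) while `TRUSTED_SIGNING_NUGET_VERSION=1.0.53` and the build tools pin stay. If the `Files` parameter wired up later in this PR arrived with module 0.4.1, please confirm the install step consumes this output as an exact version (`-RequiredVersion`) rather than a minimum, otherwise a runner with a cached older module would fail on the unknown `Files` parameter; a link to the 0.4.1 release notes in the PR description would also help reviewers check that 1.0.53 is still the matching NuGet version.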
Expand Down Expand Up @@ -270,6 +275,11 @@ runs:
$params["CertificateProfileName"] = $certificateProfileName
}

$files = "${{ inputs.files }}"
if (-Not [string]::IsNullOrWhiteSpace($files)) {
$params["Files"] = $files
}

$filesFolder = "${{ inputs.files-folder }}"
if (-Not [string]::IsNullOrWhiteSpace($filesFolder)) {
$params["FilesFolder"] = $filesFolder
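Review bot: `$files = "${{ inputs.files }}"` splices the raw input into the PowerShell script text before it runs, so a value containing a double quote or PowerShell subexpression syntax changes the script rather than being treated as a path; this mirrors the existing `files-folder` line, but for the step that produces signatures both would be safer read through the environment: map the input under `env:` on this step (e.g. `INPUT_FILES: ${{ inputs.files }}`) and use `$files = $env:INPUT_FILES`, which also keeps paths containing quotes or `$` intact. The null-or-whitespace guard and the `Files` key otherwise follow the pattern used for the other parameters.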