Failures with a password?

[nh-exa]

I've been trying to use this action and its failing with whats looks like parsing or command line assembly issue:

Shell Cmd: /bin/bash
Exec Cmd : /home/runner/work/redacted/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh
CodeSigner Command: /bin/bash /home/runner/work/redacted/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh batch_sign -username="***" -***" -credential_id="***" -totp_secret="***" -input_dir_path="/home/runner/work/redacted/dist" -output_dir_path="/home/runner/work/redacted/dist-signed"
Malware scan is: disabled
/bin/bash /home/runner/work/personal-edition/personal-edition/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh batch_sign -username=*** -***;r/<}4#Mf:;6 -credential_id=*** -totp_secret=*** -input_dir_path=/home/runner/work/redacted/dist -output_dir_path=/home/runner/work/redacted/dist-signed
Missing required option: '-input_dir_path=<inputDirPath>'
Usage: CodeSignTool batch_sign [-hV] [-credential_id=<credentialId>]
                               -input_dir_path=<inputDirPath>
                               [-output_dir_path=<outputDirPath>]
                               -***
                               [-program_name=<programName>]
                               [-totp_secret=<totpSecret>] -username=<username>
Batch sign
      -credential_id=<credentialId>
                             Credential ID
  -h, --help                 Show this help message and exit.
      -input_dir_path=<inputDirPath>
                             Input directory path where to pick unsigned files
      -output_dir_path=<outputDirPath>
                             Directory where signed code objects will be written
      -***   RA password
      -program_name=<programName>
                             Program name
      -totp_secret=<totpSecret>
                             TOTP secret
      -username=<username>   RA username
  -V, --version              Print version information and exit.

Error: Something Went Wrong. Please try again.

As you can see it is complaining about a missing parameter which is clearly present. But somehow Githubs workflow logs show me part of our password and not -password=*** as it should.
I assume there is some special character in our password which causes a problem for code which assembles the command line. Or maybe the code which reads the password.

How I invoke the action:

- name: Sign Windows binaries
        uses: sslcom/esigner-codesign@v1.3.1
        with:
          command: batch_sign
          username: ${{ secrets.ESIGN_USERNAME }}
          password: ${{ secrets.ESIGN_PASSWORD }}
          credential_id: ${{ secrets.ESIGN_CREDENTIAL_ID }}
          totp_secret: ${{ secrets.ESIGN_TOTP_SECRET }}
          dir_path: ${{ github.workspace }}/dist
          output_path: ${{ github.workspace }}/dist-signed
          malware_block: false
          environment_name: TEST

[nh-exa]

By the way, I can't change the password easily as I actually do not own it and share it with other people and projects in my company.
But I'm maybe the first which intended to use the Github action while others use the CodeSign tool directly.
It is also possible that password was changed recently and hasn't been used since. Trying to figure that out.

[nh-exa]

If i had to guess, a space and/or quote character is the problem. Or maybe it is the semi colon?

[nh-exa]

Actually, another team here is using the action successfully with the same password. The main difference appears to be that they sign a ".jar" while i'm trying to sign an ".exe"

[akaszynski]

Similar issue. On ubuntu24.04 and windows-2025:

    name: Check SSL credentials
    runs-on: ubuntu-24.04
    steps:
    - name: Test get credentials
      uses: sslcom/esigner-codesign@v1.3.1
      with:
        command: get_credential_ids
        username: esigner_demo
        password: esignerDemo#1

Fails with:

2025-10-30T22:14:54.0414241Z Write CodeSignTool config file CLIENT_ID=kaXTRACNijSWsFdRKg_KAfD3fqrBlzMbWs6TwWHwAn8
2025-10-30T22:14:54.0415090Z OAUTH2_ENDPOINT=https://login.ssl.com/oauth2/token
2025-10-30T22:14:54.0416012Z CSC_API_ENDPOINT=https://cs.ssl.com
2025-10-30T22:14:54.0416673Z TSA_URL=http://ts.ssl.com
2025-10-30T22:14:54.0418008Z TSA_LEGACY_URL=http://ts.ssl.com/legacy to /home/runner/work/<REDACTED>/codesign/CodeSignTool-v1.3.0/conf/code_sign_tool.properties
2025-10-30T22:14:54.0419986Z Set CODE_SIGN_TOOL_PATH env variable: /home/runner/work/<REDACTED>/codesign/CodeSignTool-v1.3.0
2025-10-30T22:14:54.0421291Z Exec Cmd Content: if [[ -z "${CODE_SIGN_TOOL_PATH}" ]]; then
2025-10-30T22:14:54.0422186Z  java -Xmx1024M -jar ./jar/code_sign_tool-1.3.0.jar "$@"
2025-10-30T22:14:54.0422874Z else
2025-10-30T22:14:54.0423676Z  java -Xmx1024M -jar ${CODE_SIGN_TOOL_PATH}/jar/code_sign_tool-1.3.0.jar "$@"
2025-10-30T22:14:54.0424540Z fi
2025-10-30T22:14:54.0436500Z Shell Cmd: /bin/bash
2025-10-30T22:14:54.0437230Z Exec Cmd : /home/runner/work/<REDACTED>/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh
2025-10-30T22:14:54.0438561Z CodeSigner Command: /bin/bash /home/runner/work/<REDACTED>/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh get_credential_ids
2025-10-30T22:14:54.0439578Z Malware scan is: disabled
2025-10-30T22:14:54.0440466Z [command]/bin/bash /home/runner/work/<REDACTED>/codesign/CodeSignTool-v1.3.0/CodeSignTool.sh get_credential_ids
2025-10-30T22:14:56.7275421Z Missing required options: '-username=<username>', '-***'
2025-10-30T22:14:56.7693825Z Usage: CodeSignTool get_credential_ids [-hV] -***
2025-10-30T22:14:56.7695174Z                                        -username=<username>
2025-10-30T22:14:56.7714751Z Returns list of credential IDs associated with the user
2025-10-30T22:14:56.7715432Z   -h, --help                 Show this help message and exit.
2025-10-30T22:14:56.7716079Z       -***   RA password
2025-10-30T22:14:56.7716466Z       -username=<username>   RA username
2025-10-30T22:14:56.7716997Z   -V, --version              Print version information and exit.
2025-10-30T22:14:56.7965656Z 

Fails as well with:

        username: "esigner_demo"
        password: "esignerDemo#1"

Command from the logs in Windows is:

2025-10-30T22:18:57.5550355Z [command]C:\Windows\system32\cmd.exe /D /S /C "D:\a\femorph-gui\femorph-gui\codesign\CodeSignTool-v1.3.0\CodeSignTool.bat get_credential_ids"

Looks like username and password aren't being passed.

[akaszynski]

Note that this works just fine:

jobs:
  CheckSSLCredentials:
    name: Check SSL credentials
    runs-on: windows-2025
    steps:
    - name: Copy real exe into workspace
      run: |
        Copy-Item -Path "C:\Windows\System32\notepad.exe" -Destination "${{ github.workspace }}\test.exe" -Force
    - name: Test sign executable
      if: github.event_name != 'push' || !contains(github.ref, 'refs/tags')
      uses: sslcom/esigner-codesign@v1.3.1
      with:
        command: sign
        username: esigner_demo
        password: esignerDemo#1
        totp_secret: RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=
        file_path: ${GITHUB_WORKSPACE}/test.exe
        malware_block: true
        override: true
        environment_name: TEST

[nh-exa]

@bayrakmustafa Any feedback would be nice

[kaklakariada]

This can happen when the password contains a double quote. Workaround: change password and remove the double quote.

[nh-exa]

We've elected to avoid using this github action entirely since it is unmaintained.

[bayrakmustafa]

@nh-exa There's a sample signing process at https://github.com/bayrakmustafa/esigner-sample/blob/main/.github/workflows/test.yml. I didn't encounter any problems. Could you test it with your own user credentials?