lando/code-sign-action
Code Sign Action

This is a GitHub action that lets you code sign files. It was developed specifically to code sign binaries built with @lando/pkg-action, so it may not be appropriate for all use cases. It can also do basic macOS notarization.

Caveats

  • Does not currently code sign on Linux
  • Does not staple the notarized file
  • You may need to set `options: --options runtime --entitlements entitlements.xml` for notarization to work correctly

Required Inputs

These keys must be set correctly for the action to work.

| Name | Description | Example Value |
| --- | --- | --- |
| `file` | The file to sign. | `bin/test` |
| `certificate-data` | A base64-encoded string of your p12 or pfx certificate contents. Note: if you use KeyLocker, this is the base64-encoded client certificate (`SM_CLIENT_CERT_FILE`). | `${{ secrets.APPLE_CERT_DATA }}` |
| `certificate-password` | The password to unlock `certificate-data`. | `${{ secrets.APPLE_CERT_PASSWORD }}` |

Optional Inputs

These keys are set to sane defaults but can be modified as needed.

| Name | Description | Default | Example |
| --- | --- | --- | --- |
| `apple-notary-user` | Required for macOS notarization; does nothing on Linux and Windows. The Apple Developer account email to use for notarization. | `null` | `${{ secrets.APPLE_NOTARY_USER }}` |
| `apple-notary-password` | Required for macOS notarization; does nothing on Linux and Windows. The Apple Developer account password to use for notarization. | `null` | `${{ secrets.APPLE_NOTARY_PASSWORD }}` |
| `apple-notary-tool` | The `xcrun` tool to use for notarization; does nothing on Linux and Windows. | `notarytool` | `altool` |
| `apple-product-id` | Required for macOS notarization; does nothing on Linux and Windows. The Apple Developer Product ID to use for notarization. | `null` | `dev.lando.code-sign-action` |
| `apple-team-id` | Required for macOS; does nothing on Linux and Windows. The Apple Developer Program Team ID. | `null` | `FY8GAUX287` |
| `keylocker-host` | The KeyLocker (DigiCert One) host. Setting this value is required to sign on Windows with DigiCert KeyLocker, and setting it disables signing on Windows via SignTool. | `null` | `https://clientauth.one.digicert.com` |
| `keylocker-api-key` | API key for the KeyLocker host. | `null` | `${{ secrets.KEYLOCKER_API_KEY }}` |
| `keylocker-cert-sha1-hash` | SHA1 hash of the certificate on the KeyLocker host. | `null` | `${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}` |
| `options` | Additional options to pass to the signing tool. | `null` | `--options runtime --entitlements entitlements.xml` |

Outputs

```yaml
outputs:
  file:
    description: "The path to the signed and/or notarized file."
    value: ${{ steps.code-sign-action.outputs.file }}
```
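Two things go wrong with this action more often than the signing itself: the `certificate-data` secret is not a clean single-line base64 string of a PKCS#12 file that `certificate-password` actually opens, and nobody checks the `file` output after the step ran. The script below is an added example, not part of lando/code-sign-action. It assumes `openssl` is on `PATH`; `codesign` and `spctl` only exist on macOS runners, so the post-signing check returns a distinct code elsewhere. The demo material at the bottom is a constructed self-signed certificate, not a real Apple or DigiCert signing certificate.

```shell
#!/usr/bin/env sh
# Added example (not part of lando/code-sign-action): pre-flight checks for the
# certificate-data / certificate-password inputs and a check of the signed file.
# Assumes openssl on PATH; codesign/spctl exist only on macOS.

# Turn a .p12/.pfx into the single-line base64 string certificate-data expects.
# GNU base64 wraps output at 76 columns; a multi-line value pasted into a
# GitHub secret decodes to garbage, so strip newlines unconditionally.
encode_cert_for_secret() {
  base64 < "$1" | tr -d '\n'
}

# Decode a certificate-data value and check that certificate-password opens it.
# Prints the leaf certificate's subject and notAfter on success.
# Returns 0 on success, 1 for bad base64 / not PKCS#12 / wrong password,
# 2 if the certificate has already expired.
check_cert_secret() {
  cert_b64=$1; cert_pass=$2
  tmp=$(mktemp)
  if ! printf '%s' "$cert_b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; echo "certificate-data is not valid base64" >&2; return 1
  fi
  # -nokeys -clcerts: emit only the client (leaf) certificate, never the key
  if ! leaf=$(openssl pkcs12 -in "$tmp" -passin "pass:$cert_pass" -nokeys -clcerts 2>/dev/null); then
    rm -f "$tmp"; echo "not a PKCS#12 file or wrong certificate-password" >&2; return 1
  fi
  rm -f "$tmp"
  printf '%s\n' "$leaf" | openssl x509 -noout -subject -enddate
  # -checkend 0 succeeds only while the certificate is still valid
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "signing certificate has expired" >&2; return 2
  fi
}

# Check the action's `file` output on macOS: codesign validates the signature,
# spctl reports whether Gatekeeper accepts it (i.e. whether notarization took).
# Returns 3 when codesign is unavailable (Linux/Windows runner).
verify_signed_binary() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available (not macOS)" >&2; return 3; }
  codesign --verify --deep --strict --verbose=2 "$1" || return 1
  spctl --assess --type execute --verbose "$1" || return 1
}

# Constructed test material: a throw-away self-signed certificate and PKCS#12
# so the checks can be exercised offline. $1 = output path, $2 = password,
# $3 = validity in days.
make_demo_p12() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -days "$3" -subj "/CN=Demo Code Signing/O=Example" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" -out "$1" -passout "pass:$2"
  rm -rf "$dir"
}

# Demo run against the constructed certificate.
demo_dir=$(mktemp -d)
make_demo_p12 "$demo_dir/demo.p12" 'demo-password' 365
DEMO_CERT_DATA=$(encode_cert_for_secret "$demo_dir/demo.p12")
check_cert_secret "$DEMO_CERT_DATA" 'demo-password' && echo "certificate-data OK"
check_cert_secret "$DEMO_CERT_DATA" 'wrong-password' || echo "rejected as expected (rc=$?)"
rm -rf "$demo_dir"
```

Run `check_cert_secret` locally against the same values you are about to store as secrets; it never prints the private key. In a workflow, give the signing step `id: code-sign-action` (the name the `outputs` block above assumes) and call `verify_signed_binary "${{ steps.code-sign-action.outputs.file }}"` from a following `run:` step on the macOS job.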

Usage

Basic Usage

macOS

```yaml
jobs:
  package:
    runs-on: macos-11
    steps:
      - name: Sign binary
        uses: lando/code-sign-action@v2
        with:
          file: path/to/binary
          certificate-data: ${{ secrets.APPLE_CERT_DATA }}
          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
```

macOS with notarization

```yaml
jobs:
  package:
    runs-on: macos-11
    steps:
      - name: Sign binary
        uses: lando/code-sign-action@v2
        with:
          file: path/to/binary
          certificate-data: ${{ secrets.APPLE_CERT_DATA }}
          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
          apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
          apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
          apple-notary-tool: altool
          apple-team-id: FY8GAUX282
          apple-product-id: dev.lando.code-sign-action
          options: --options runtime --entitlements entitlements.xml
```

Windows

```yaml
jobs:
  package:
    runs-on: windows-2022
    steps:
      - name: Sign binary
        uses: lando/code-sign-action@v2
        with:
          file: path/to/binary
          certificate-data: ${{ secrets.WINDOZE_CERT_DATA }}
          certificate-password: ${{ secrets.WINDOZE_CERT_PASSWORD }}
```

Windows with DigiCert KeyLocker

```yaml
jobs:
  package:
    runs-on: windows-2022
    steps:
      - name: Sign binary
        uses: lando/code-sign-action@v2
        with:
          file: path/to/binary
          certificate-data: ${{ secrets.WINDOZE_CERT_DATA }}
          certificate-password: ${{ secrets.WINDOZE_CERT_PASSWORD }}
          keylocker-host: ${{ secrets.KEYLOCKER_HOST }}
          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
```

Changelog

We try to log all changes, big and small, in both the CHANGELOG and the release notes.

Releasing

Create a release and publish to GitHub Actions Marketplace. Note that the release tag must be a semantic version.
