sslcom / actions-codesigner
GitHub Action for CodeSigner by SSL.com
Example:
- uses: sslcom/actions-codesigner@develop
  with:
    command: sign
    username: ${{secrets.ES_USERNAME}}
    password: ${{secrets.ES_PASSWORD}}
    credential_id: ${{secrets.ES_CREDENTIAL_ID}}
    totp_secret: ${{secrets.ES_TOTP_SECRET}}
    file_path: windows-any.msi
    program_name: "*** Connect"
    output_path: ./out
Expected:
program_name is updated and shown during msi installation progress on approve
Actual:
No program_name is displayed, just the msi/exe name.
We've noticed the action will not throw a failure state if a java.io.IOException is thrown when running the codesign.
So for example, something like the following log:
Run CodeSigner
Running ESigner.com CodeSign Action ====>
java.io.IOException: Source '/github/workspace/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-2022.7.0-alpha.0.exe' and destination '/github/workspace/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-2022.7.0-alpha.0.exe' are the same
at org.apache.commons.io.FileUtils.copyFile(FileUtils.java:874)
at org.apache.commons.io.FileUtils.copyFile(FileUtils.java:835)
at org.apache.commons.io.FileUtils.copyFile(FileUtils.java:802)
at com.ssl.code.signing.tool.commands.SignCommand.run(SignCommand.java:250)
at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at com.ssl.code.signing.tool.CodeSignTool.main(CodeSignTool.java:35)
Is still picked up as being a successful run on GitHub, even though the code signing didn't happen. Example of this happening can be found here
Possible workaround fix could be changing this check to also parse for Exception.
cc @ruby-dev
This GitHub action creates logs as root, which introduces a new requirement to clean up these logs as root in our action definition. This wasn't always the behavior of this action. Is it possible for the codesign tool to please not do this?
john@box:~/path/to/workdir$ ls -l logs
-rw-r--r-- 1 root root 3128 Mar 15 19:15 code_signing_tool.log
Running the action on a Windows runner gives the following error:
Error: Container action is only supported on Linux
It seems odd not to support Windows as the CodeSignTool tool is advertised as multi-platform.
According to the docs, omitting output_path should make the tool operate in place. However, when I try this, I get a build that "succeeds" but does not modify the binary:
https://github.com/mne-tools/mne-installers/actions/runs/3161136522/jobs/5146607163
Looking at the "EV-code sign installer (Windows)" step you'll see:
Run CodeSigner
Running ESigner.com CodeSign Action ====>
java.util.NoSuchElementException: No line found
at java.base/java.util.Scanner.nextLine(Scanner.java:1651)
at com.ssl.code.signing.tool.commands.SignCommand.run(SignCommand.java:143)
at picocli.CommandLine.executeUserObject(CommandLine.java:1939)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at com.ssl.code.signing.tool.CodeSignTool.main(CodeSignTool.java:35)
Warn: '-output_directory' parameter is not set. The output signed file will replace the original file. Do you still want to continue [y/n]?
which looks suspiciously like a stdin failure, but I could be wrong. And then in the next step I compare the hashes before and after and they are equal:
Old hash:
a81816db62c56d297217f863d7de9b164756e1efd110a625c7b38191b0b93b41 *MNE-Python-1.1.1_0-Windows.exe
New hash:
a81816db62c56d297217f863d7de9b164756e1efd110a625c7b38191b0b93b41 MNE-Python-1.1.1_0-Windows.exe
When I change the action to have a non-empty output_path, the output is reasonable:
https://github.com/mne-tools/mne-installers/actions/runs/3161464651/jobs/5147286622
Running ESigner.com CodeSign Action ====>
Code signed successfully: /github/workspace/signed/MNE-Python-1.1.1_0-Windows.exe
And the hashes do change:
Old hash:
64dd1e617805c0feb0ea35f0c2aa3a69a4af76cb6d4135328f3757e1730ec2fe *MNE-Python-1.1.1_0-Windows.exe
New hash:
e6d958683b6686df60b83dbaa5966a55b2e843ded5460cc156634a3f721809a8 MNE-Python-1.1.1_0-Windows.exe
So I think there is a bug with the Java inplace operation. Maybe a new command-line -accept could be added in Java that avoids this prompt (equivalent to accepting with "yes"), and then this could be passed inside this action when output_path is empty...?
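Both reports above (the IOException run and the in-place run) describe a signing step that is marked successful although nothing was signed. The following guard is an added example, not code from the action or from either reporter: it fails the job when the signer's output contains a Java exception or when the file's SHA-256 is unchanged. The function names and the three inputs (pre-signing hash, signed file path, saved signer log) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: guard to run after the CodeSigner step (not the action's code).
# Assumed inputs: SHA-256 of the file taken before signing, the path where the
# signed file should be, and a file holding the signer's console output.

# Print the SHA-256 hex digest of a file.
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# Succeed if the log holds a Java exception line or stack frame, as both
# failing runs quoted on this page did while the step was still marked green.
log_has_exception() {
  grep -Eq '^[[:space:]]*([[:alnum:]_$]+\.)+[[:alnum:]_$]*(Exception|Error)(:|$)|^[[:space:]]*at [[:alnum:]_.$/]+\(' "$1"
}

# verify_signed <hash_before> <signed_file> <signer_log>
# Returns 0 only when the log is clean and the file content actually changed.
verify_signed() {
  local before="$1" file="$2" log="$3" after
  if log_has_exception "$log"; then
    echo "signer log contains a Java exception" >&2
    return 2
  fi
  if [ ! -f "$file" ]; then
    echo "expected signed file is missing: $file" >&2
    return 3
  fi
  after="$(sha256_of "$file")"
  if [ "$before" = "$after" ]; then
    echo "hash unchanged ($after): file was not signed" >&2
    return 4
  fi
  return 0
}

# When called with three arguments, act as the CI gate itself.
if [ "$#" -eq 3 ]; then
  verify_signed "$@"
  exit $?
fi
```

A changed hash only shows that the file was modified; checking that the embedded signature is valid and chains to the expected certificate is a separate verification step.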