Try new Windows codes signing cert + KeyLocker process. (#261)

* Try new Windows codes signing cert + KeyLocker process. * Use dev version of windows cert signing. * Small change to test. * Try using a non-hardcoded keypair alias. * Change to test workflow. * Use WINDOZE cert for Linux signing. * Prep dev and formal release workflows to use new lando/code-sign-action with keylocker. * Correct version of the code-sign-action.
lando · May 3, 2024 · ed2590e · ed2590e
1 parent 324564c
commit ed2590e
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 188 deletions.
diff --git a/.github/workflows/dev-release-slim.yml b/.github/workflows/dev-release-slim.yml
@@ -70,14 +70,14 @@ jobs:
           - os: windows-2022
             key: cli-node18-win-x64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-x64-${{ github.ref_name }}-slim.exe
           - os: windows-2022
             key: cli-node18-win-arm64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-arm64-${{ github.ref_name }}-slim.exe
           - os: macos-13
             key: cli-node18-macos-x64-${{ github.sha }}
@@ -104,10 +104,14 @@ jobs:
           - os: ubuntu-22.04
             key: cli-node18-linux-x64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-x64-${{ github.ref_name }}-slim
           - os: ubuntu-22.04
             key: cli-node18-linux-arm64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-arm64-${{ github.ref_name }}-slim
     steps:
       - name: Checkout code
@@ -128,6 +132,10 @@ jobs:
           apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
           apple-product-id: ${{ matrix.apple-product-id }}
           apple-team-id: ${{ matrix.apple-team-id }}
+          keylocker-host: https://clientauth.one.digicert.com
+          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
           options: ${{ matrix.options }}
       - name: Rename as needed
         shell: bash

diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml
@@ -74,14 +74,14 @@ jobs:
           - os: windows-2022
             key: cli-node18-win-x64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-x64-${{ github.ref_name }}.exe
           - os: windows-2022
             key: cli-node18-win-arm64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-arm64-${{ github.ref_name }}.exe
           - os: macos-13
             key: cli-node18-macos-x64-${{ github.sha }}
@@ -108,10 +108,14 @@ jobs:
           - os: ubuntu-22.04
             key: cli-node18-linux-x64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-x64-${{ github.ref_name }}
           - os: ubuntu-22.04
             key: cli-node18-linux-arm64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-arm64-${{ github.ref_name }}
     steps:
       - name: Checkout code
@@ -132,6 +136,10 @@ jobs:
           apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
           apple-product-id: ${{ matrix.apple-product-id }}
           apple-team-id: ${{ matrix.apple-team-id }}
+          keylocker-host: https://clientauth.one.digicert.com
+          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
           options: ${{ matrix.options }}
       - name: Rename as needed
         shell: bash

diff --git a/.github/workflows/pr-release-tests-slim.yml b/.github/workflows/pr-release-tests-slim.yml
@@ -54,89 +54,3 @@ jobs:
       - name: Ensure ipv4first
         if: matrix.os == 'linux' && runner.os == 'Linux' && runner.arch == 'X64'
         run: ./dist/@lando/cli config --path cli.args | grep dns-result-order=ipv4first
-
-  sign-n-deploy:
-    runs-on: ${{ matrix.os }}
-    needs:
-      - package
-    env:
-      TERM: xterm
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: windows-2022
-            key: cli-node18-win-x64-${{ github.sha }}
-            file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
-            result: lando-win-x64-snapshot-${{ github.sha }}-slim.exe
-          - os: windows-2022
-            key: cli-node18-win-arm64-${{ github.sha }}
-            file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
-            result: lando-win-arm64-snapshot-${{ github.sha }}-slim.exe
-          - os: macos-13
-            key: cli-node18-macos-x64-${{ github.sha }}
-            file: lando/cli
-            certificate-data: APPLE_CERT_DATA
-            certificate-password: APPLE_CERT_PASSWORD
-            apple-product-id: dev.lando.cli
-            apple-team-id: FY8GAUX282
-            apple-notary-user: APPLE_NOTARY_USER
-            apple-notary-password: APPLE_NOTARY_PASSWORD
-            options: --options runtime --entitlements entitlements.xml
-            result: lando-macos-x64-snapshot-${{ github.sha }}-slim
-          - os: macos-13
-            key: cli-node18-macos-arm64-${{ github.sha }}
-            file: lando/cli
-            certificate-data: APPLE_CERT_DATA
-            certificate-password: APPLE_CERT_PASSWORD
-            apple-product-id: dev.lando.cli
-            apple-team-id: FY8GAUX282
-            apple-notary-user: APPLE_NOTARY_USER
-            apple-notary-password: APPLE_NOTARY_PASSWORD
-            options: --options runtime --entitlements entitlements.xml
-            result: lando-macos-arm64-snapshot-${{ github.sha }}-slim
-          - os: ubuntu-22.04
-            key: cli-node18-linux-x64-${{ github.sha }}
-            file: lando/cli
-            result: lando-linux-x64-snapshot-${{ github.sha }}-slim
-          - os: ubuntu-22.04
-            key: cli-node18-linux-arm64-${{ github.sha }}
-            file: lando/cli
-            result: lando-linux-arm64-snapshot-${{ github.sha }}-slim
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Download ${{ matrix.key }}
-        uses: actions/download-artifact@v3
-        with:
-          name: ${{ matrix.key }}
-          path: lando
-      - name: Sign and Notarize
-        uses: lando/code-sign-action@v2
-        id: code-sign-action
-        with:
-          file: ${{ matrix.file }}
-          certificate-data: ${{ secrets[matrix.certificate-data] }}
-          certificate-password: ${{ secrets[matrix.certificate-password] }}
-          apple-notary-user: ${{ secrets[matrix.apple-notary-user] }}
-          apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
-          apple-product-id: ${{ matrix.apple-product-id }}
-          apple-team-id: ${{ matrix.apple-team-id }}
-          options: ${{ matrix.options }}
-      - name: Rename as needed
-        shell: bash
-        run: |
-          chmod +x ${{ steps.code-sign-action.outputs.file }}
-          mv ${{ steps.code-sign-action.outputs.file }} ${{ matrix.result }}
-      - name: Upload snapshot release ${{ matrix.result }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ matrix.result }}
-          path: ${{ matrix.result }}
-          if-no-files-found: error
-          retention-days: 1
diff --git a/.github/workflows/pr-release-tests.yml b/.github/workflows/pr-release-tests.yml
@@ -57,88 +57,3 @@ jobs:
         if: matrix.os == 'linux' && runner.os == 'Linux' && runner.arch == 'X64'
         run: ./dist/@lando/cli config --path cli.args | grep dns-result-order=ipv4first
 
-  sign-n-deploy:
-    runs-on: ${{ matrix.os }}
-    needs:
-      - package
-    env:
-      TERM: xterm
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: windows-2022
-            key: cli-node18-win-x64-${{ github.sha }}
-            file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
-            result: lando-win-x64-snapshot-${{ github.sha }}.exe
-          - os: windows-2022
-            key: cli-node18-win-arm64-${{ github.sha }}
-            file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
-            result: lando-win-arm64-snapshot-${{ github.sha }}.exe
-          - os: macos-13
-            key: cli-node18-macos-x64-${{ github.sha }}
-            file: lando/cli
-            certificate-data: APPLE_CERT_DATA
-            certificate-password: APPLE_CERT_PASSWORD
-            apple-product-id: dev.lando.cli
-            apple-team-id: FY8GAUX282
-            apple-notary-user: APPLE_NOTARY_USER
-            apple-notary-password: APPLE_NOTARY_PASSWORD
-            options: --options runtime --entitlements entitlements.xml
-            result: lando-macos-x64-snapshot-${{ github.sha }}
-          - os: macos-13
-            key: cli-node18-macos-arm64-${{ github.sha }}
-            file: lando/cli
-            certificate-data: APPLE_CERT_DATA
-            certificate-password: APPLE_CERT_PASSWORD
-            apple-product-id: dev.lando.cli
-            apple-team-id: FY8GAUX282
-            apple-notary-user: APPLE_NOTARY_USER
-            apple-notary-password: APPLE_NOTARY_PASSWORD
-            options: --options runtime --entitlements entitlements.xml
-            result: lando-macos-arm64-snapshot-${{ github.sha }}
-          - os: ubuntu-20.04
-            key: cli-node18-linux-x64-${{ github.sha }}
-            file: lando/cli
-            result: lando-linux-x64-snapshot-${{ github.sha }}
-          - os: ubuntu-20.04
-            key: cli-node18-linux-arm64-${{ github.sha }}
-            file: lando/cli
-            result: lando-linux-arm64-snapshot-${{ github.sha }}
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Download ${{ matrix.key }}
-        uses: actions/download-artifact@v3
-        with:
-          name: ${{ matrix.key }}
-          path: lando
-      - name: Sign and Notarize
-        uses: lando/code-sign-action@v2
-        id: code-sign-action
-        with:
-          file: ${{ matrix.file }}
-          certificate-data: ${{ secrets[matrix.certificate-data] }}
-          certificate-password: ${{ secrets[matrix.certificate-password] }}
-          apple-notary-user: ${{ secrets[matrix.apple-notary-user] }}
-          apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
-          apple-product-id: ${{ matrix.apple-product-id }}
-          apple-team-id: ${{ matrix.apple-team-id }}
-          options: ${{ matrix.options }}
-      - name: Rename as needed
-        shell: bash
-        run: |
-          chmod +x ${{ steps.code-sign-action.outputs.file }}
-          mv ${{ steps.code-sign-action.outputs.file }} ${{ matrix.result }}
-      - name: Upload snapshot release ${{ matrix.result }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ matrix.result }}
-          path: ${{ matrix.result }}
-          if-no-files-found: error
-          retention-days: 1
diff --git a/.github/workflows/release-slim.yml b/.github/workflows/release-slim.yml
@@ -68,14 +68,14 @@ jobs:
           - os: windows-2022
             key: cli-node18-win-x64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-x64-${{ github.ref_name }}-slim.exe
           - os: windows-2022
             key: cli-node18-win-arm64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-arm64-${{ github.ref_name }}-slim.exe
           - os: macos-13
             key: cli-node18-macos-x64-${{ github.sha }}
@@ -102,10 +102,14 @@ jobs:
           - os: ubuntu-22.04
             key: cli-node18-linux-x64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-x64-${{ github.ref_name }}-slim
           - os: ubuntu-22.04
             key: cli-node18-linux-arm64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-arm64-${{ github.ref_name }}-slim
 
     steps:
@@ -127,6 +131,10 @@ jobs:
           apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
           apple-product-id: ${{ matrix.apple-product-id }}
           apple-team-id: ${{ matrix.apple-team-id }}
+          keylocker-host: https://clientauth.one.digicert.com
+          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
           options: ${{ matrix.options }}
       - name: Rename as needed
         shell: bash

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -72,14 +72,14 @@ jobs:
           - os: windows-2022
             key: cli-node18-win-x64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-x64-${{ github.ref_name }}.exe
           - os: windows-2022
             key: cli-node18-win-arm64-${{ github.sha }}
             file: lando/cli.exe
-            certificate-data: WINDOZE_CERT_DATA
-            certificate-password: WINDOZE_CERT_PASSWORD
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-win-arm64-${{ github.ref_name }}.exe
           - os: macos-13
             key: cli-node18-macos-x64-${{ github.sha }}
@@ -106,10 +106,14 @@ jobs:
           - os: ubuntu-22.04
             key: cli-node18-linux-x64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-x64-${{ github.ref_name }}
           - os: ubuntu-22.04
             key: cli-node18-linux-arm64-${{ github.sha }}
             file: lando/cli
+            certificate-data: KEYLOCKER_CLIENT_CERT
+            certificate-password: KEYLOCKER_CLIENT_CERT_PASSWORD
             result: lando-linux-arm64-${{ github.ref_name }}
 
     steps:
@@ -131,6 +135,10 @@ jobs:
           apple-notary-password: ${{ secrets[matrix.apple-notary-password] }}
           apple-product-id: ${{ matrix.apple-product-id }}
           apple-team-id: ${{ matrix.apple-team-id }}
+          keylocker-host: https://clientauth.one.digicert.com
+          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
+          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
+          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
           options: ${{ matrix.options }}
       - name: Rename as needed
         shell: bash

diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ We try to log all changes big and small in both [THE CHANGELOG](https://github.c
 
 ## Releasing
 
-[Create a release on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository) with a [semver](https://semver.org) tag.
+[Create a release on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository) with a [semver](https://semver.org)-appropriate tag.
 
 ## Contributors