Thank you to keytos for providing a base for me to create this action.
This action signs files that are supported by signtool.exe with a code signing certificate that takes in a password.
This action only works on Windows and that means it should run on windows-latest.
If openssl is installed on the OS, this action also prints the certificate expiration date to the runner log.
Note: certutil is not used, since it only prints certificate information in a localized format.
certificate (Required): The base64 encoded certificate. To get the base64 encoded content of the PFX file, run the following in PowerShell:

    # Windows PowerShell 5.1 syntax; PowerShell 6 and later use -AsByteStream instead of -Encoding Byte
    $fileContentBytes = Get-Content 'YOURFILEPATH.pfx' -Encoding Byte
    [System.Convert]::ToBase64String($fileContentBytes)

password (Required): Certificate password. Used to add the certificate to the machine store.
certificatesha1 (Required): SHA1 hash for the certificate. You can obtain this from Microsoft Management Console after double-clicking on your certificate (called Thumbprint). This and/or the certificatename is required for the signing to be successful.
certificatename (Required): The name of the certificate. This and/or the certificatesha1 is required for the signing to be successful.
folder (Required): The folder that contains the libraries to sign.
recursive (Optional): Recursively search for DLL files.
description (Optional): Description of the signed content (signtool /d flag).
timestampUrl (Optional): URL of the timestamp server. Default is 'http://timestamp.digicert.com'.

    runs-on: windows-latest
    steps:
      - uses: skymatic/code-sign-action@v1
        with:
          certificate: '${{ secrets.CERTIFICATE }}'
          password: '${{ secrets.PASSWORD }}'
          certificatesha1: '${{ secrets.CERTHASH }}'
          certificatename: '${{ secrets.CERTNAME }}'
          description: 'My App'
          timestampUrl: 'http://timestamp.digicert.com'
          folder: 'files'
          recursive: true
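
As an added example (not part of the action or its README), the PowerShell below loads the PFX once and derives the values for the certificate, certificatesha1 and certificatename inputs, checking the private key, expiration date and Code Signing EKU before anything is stored as a secret. The function name Get-CodeSignSecretValues is hypothetical, and treating the subject's simple name as the certificatename value is an assumption.

```powershell
# Added example, not part of the action. Inspects a PFX and returns the values
# for the certificate, certificatesha1 and certificatename inputs.
function Get-CodeSignSecretValues {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Resolve against the PowerShell location; .NET resolves relative paths
    # against the process working directory, which can differ.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($fullPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $Password)
    try {
        # Collect the Enhanced Key Usage OIDs; 1.3.6.1.5.5.7.3.3 is Code Signing.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        [pscustomobject]@{
            certificate     = [System.Convert]::ToBase64String($bytes)
            certificatesha1 = $cert.Thumbprint   # SHA1 hash, the value MMC shows as Thumbprint
            # Assumption: the subject's simple name (CN) is the name the action expects.
            certificatename = $cert.GetNameInfo('SimpleName', $false)
            NotAfter        = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            CodeSigningEku  = $ekuOids -contains '1.3.6.1.5.5.7.3.3'
        }
    }
    finally {
        $cert.Dispose()   # release the certificate and its key handle
    }
}

$values = Get-CodeSignSecretValues -PfxPath 'YOURFILEPATH.pfx' `
    -Password (Read-Host -Prompt 'PFX password' -AsSecureString)

if (-not $values.HasPrivateKey)      { throw 'PFX holds no private key; signing cannot succeed.' }
if ($values.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($values.NotAfter)." }
if (-not $values.CodeSigningEku)     { Write-Warning 'Certificate lacks the Code Signing EKU.' }

# Put the base64 blob on the clipboard rather than in the console scrollback.
$values.certificate | Set-Clipboard
$values | Select-Object certificatesha1, certificatename, NotAfter
```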