Skip to main content

Azure DevOpsクライアントツール拡張

GPG signing with DigiCert​​®​​ Software Trust Manager GitHub action is a streamlined GPG-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux.

This action accelerates the installation and configuration of clients tools to help developers become signing-ready for GitHub action workflows.

GPG signing with DigiCert​​®​​ Software Trust Manager action can be used to set up client tool tasks. 

Get the latest version of GPG signing with DigiCert​​®​​ Software Trust Manager from GitHub Marketplace.

Azureのタスクを設定する

Azure Pipelineの [設定] で、以下を使用して、タスクを構成します。

Create an API token

The API token is an authentication method used to verify the user and their permissions as set in DigiCert ONE®. The client authentication provides the first factor authentication.

 

To generate an API token:

  1. Sign in to DigiCert ONE.

  2. Select the profile icon.

  3. Select Admin Profile.

  4. Scroll down to API Tokens.

  5. Select  Create API token.

    注記

    The information shown after creating an API token cannot be accessed again, securely store all the information specified on the screen to use it later.

Create an authentication certificate

The client authentication certificate is an authentication method used to verify the user and their permissions as set in DigiCert ONE. The client authentication certificate provides the second factor authentication.

To create a client authentication certificate:

  1. Sign in to DigiCert ONE.

  2. Navigate to DigiCert​​®​​ Software Trust Manager > Profile icon > Admin Profile.

  3. Scroll down to Authentication certificates.

  4. Select Create authentication certificate.

    注記

    The information shown after creating an client authentication certificate cannot be accessed again, securely store all the information specified on the screen to use it later.

Azure を安全に利用するためのベストプラクティス

Azure DevOps PipelineのユーザーがDigiCert​​®​​ Software Trust Managerを使用してコードに署名する際には、セキュリティと説明責任を確保するために、シークレットとセキュアファイルを使用してください。この後にあるコード例では、シークレットとセキュアファイルを使用することを前提としています。

シークレット

シークレットは Azure DevOps Pipelineの変数を暗号化したもので、ユーザーはその情報の値を知ることなく情報を入力することができます。たとえば、APIキーの場合、Azureのすべての協力者があなたに固有の APIキーが何であるかを知って欲しくはありませんが、彼らはDigiCert​​®​​ Software Trust Managerを通じて署名ツールを採用する際にそれを使用する必要が出てくるかもしれません。"(api_key)"が名前で値がAPIキーそのものである変数をセットアップすることができます。次に、 この値を秘密にするを選択して、値を暗号化します。また、 Azure Key Vault Secrets を使用することもできます。

Set your certificate file in the environment variables

To add a certificate to GitHub secrets, you need to encode the certificate to a base64 string.

On Linux, run this command in Terminal:

base64 -i <file_name>

On Windows, run this command in PowerShell:

 $fileContentBytes = get-content 'YOURFILEPATH.pfx' -Encoding Byte 

 [System.Convert]::ToBase64String($fileContentBytes)

Configure user credentials in GitHub Secrets

The client tools need these environment variables to connect with DigiCert​​®​​ Software Trust Manager.

To integrate environment variables as GitHub secrets:

  1. Access GitHub repository.

  2. Navigate to: Settings > Secrets > Actions.

  3. Select New repository secret.

  4. Enter the following environment variables:

    Environment variables

    Description

    SM_CLIENT_CERT_PASSWORD

    The password from client authentication certificate setup.

    SM_CLIENT_CERT_FILE_B64

    The base64 encoded text of certificate downloaded from client authentication certificate setup.

    SM_HOST

    The path to the DigiCert​​®​​ Software Trust Manager portal with client authorization. 

    注記

    In most cases, this path stays as it is unless you are connecting to a self-hosted instance of the DigiCert​​®​​ Software Trust Manager product.

    SM_API_KEY

    The API token generated during API token setup.

    SM_CODE_SIGNING_CERT_SHA1_HASH

    The certificate fingerprint.

注記

以下のコマンドで使用する SM_HOStの値は、demo と prodのどちらを使用しているかに依存して異なります。

1. SM_HOST values

Country

Host type

SM_HOST value

United States of America (USA)

Demo

https://clientauth.demo.one.digicert.com

Production

https://clientauth.one.digicert.com

Switzerland (CH)

Demo

https://clientauth.demo.one.ch.digicert.com

Production

https://clientauth.one.ch.digicert.com

Japan (JP)

Demo

https://clientauth.demo.one.digicert.co.jp

Production

https://clientauth.one.digicert.co.jp

Netherlands (NL)

Demo

https://clientauth.demo.one.nl.digicert.com

Production

https://clientauth.one.nl.digicert.com


Commands to set environment variables

Once you save the variable, it is fully encrypted. Not even the creator of the value (you) can see the value. Make sure you save it elsewhere if it is something you will need in the future.

To set the API token as a new repository secret:

Name

SM_ SM_API_KEY

Value

Insert the API token you created.

To set the client authentication certificate as a new repository secret:

Name

SM_CLIENT_CERT_FILE_B64

Value

Insert the base64 encoded string you generated above.

To set the client authentication certificate password as a new repository secret:

Name

SM_CLIENT_CERT_PASSWORD

Value

Insert the password you were shown when creating the client certificate password.

Set up environment variables

To set up the certificate file for signing:

- name: Setup Certificate 

  run: | 

    echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 

  shell: bash

To set environment variables:

- name: Set variables 

  id: variables 

  run: | 

    echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 

    echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 

    echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 

    echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 

    echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 

    shell: bash

Usage example

Copy and paste the following snippet into your .yml file.

name: 'GPG Signing Template'
on:
  workflow_dispatch:

jobs:
  release:
    runs-on: ${{ matrix.os }}
    
    strategy:
      matrix:
        os: [windows-latest]
        
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Set up certificate 
        run: | 
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 
        shell: bash

      - name: Set variables 
        id: variables 
        run: | 
          echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
        shell: bash

注記

Once you save the variable, it is fully encrypted. Not even the creator of the value (you) can see the value. Make sure you save it elsewhere if it is something you will need in the future.

Software Trust Manager client tools setup

The DigiCert​​®​​ Software Trust Manager client tools set up task installs and configures all the DigiCert​​®​​ Software Trust Manager client tools, including the CTL client and the SCD client.

- name: GPG Signing with Secure Software Manager
        id: installer
        uses: digicert/ssm-gpg-signing@v0.0.2

To find the client tools installation path:

- run: echo “installation Path "${{ steps.installer.outputs.extractPath }}"

Configure GPG signing

In C:\Users\RUNNER~1\.gnupg\gpg-agent.conf, the gpg-agent.conf file needs to be replaced with a custom gpg-agent.conf.

Review the following example of what gpg-agent.conf should contain:

verbose 
debug-all
scdaemon-program C:\\Users\\RUNNER~1\\AppData\\Local\\Temp\\DigiCert One Signing Manager Tools\\ssm-scd.exe

You can upload the above configuration file to your repository, and then use the following command to replace the file:

- name: Configuration
        run: |
          del "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
          copy path\togpg-agent.conf\inRepository "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"

To sign using a GPG keypair:

- name: Sign the artifact
        run: |
          gpgconf --kill all
          smctl gpg keyring download YOUR_GPG_KEYPAIR_ID --file-path C:\\Users\\RUNNER~1\\.gnupg\\pubring.gpg
          gpg --card-status
          gpg --list-keys
          gpg --list-secret-keys
          gpg --sign FileToSign

Sample GitHub actions

name: 'GPG Signing Template'
on:
  workflow_dispatch:

jobs:
  release:
    runs-on: ${{ matrix.os }}
    
    strategy:
      matrix:
        os: [windows-latest]
        
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Set up certificate 
        run: | 
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 
        shell: bash

      - name: Set variables 
        id: variables 
        run: | 
          echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
        shell: bash

      - name: GPG Signing with Secure Software Manager
        id: installer
        uses: digicert/ssm-gpg-signing@v0.0.2

      - name: Configuration
        run: |
          del "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
          copy path\togpg-agent.conf\inRepository "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"

      - name: Sign the artifact
        run: |
          gpgconf --kill all
          smctl gpg keyring download YOUR_GPG_KEYPAIR_ID --file-path C:\\Users\\RUNNER~1\\.gnupg\\pubring.gpg
          gpg --card-status
          gpg --list-keys
          gpg --list-secret-keys
          gpg --sign FileToSign

Related articles

Troubleshooting

© 2025 DigiCert, Inc.
発行日: