GPG signing with DigiCert® Software Trust Manager GitHub action is a streamlined GPG-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux.
This action accelerates the installation and configuration of the client tools to help developers become signing-ready for GitHub Actions workflows.
GPG signing with DigiCert® Software Trust Manager action can be used to set up client tool tasks.
Get the latest version of GPG signing with DigiCert® Software Trust Manager from GitHub Marketplace.
DigiCert® Software Trust Manager requires multifactor authentication. Before you can access keypairs and certificates or sign code, you need to set up two credential types: an API token and a client authentication certificate.
Create an API token
The API token is an authentication method used to verify the user and their permissions as set in DigiCert ONE®. The API token provides the first authentication factor.
To generate an API token:
Sign in to DigiCert ONE.
Select the profile icon.
Select Admin Profile.
Scroll down to API Tokens.
Select Create API token.
Note
The information shown after creating an API token cannot be accessed again. Securely store everything displayed on the screen so you can use it later.
Create an authentication certificate
The client authentication certificate is an authentication method used to verify the user and their permissions as set in DigiCert ONE. The client authentication certificate provides the second factor authentication.
To create a client authentication certificate:
Sign in to DigiCert ONE.
Navigate to DigiCert® Software Trust Manager > Profile icon > Admin Profile.
Scroll down to Authentication certificates.
Select Create authentication certificate.
Use secrets and secure files to ensure security and accountability among your GitHub users when they use DigiCert® Software Trust Manager to sign code. The code examples later assume that you are using secrets and secure files.
GitHub Secrets
Secrets are encrypted variables in GitHub: a workflow can use their values without any collaborator being able to read them. For example, you do not want all of your GitHub collaborators to know your unique API key, but their workflows may need it to use the signing tools through DigiCert® Software Trust Manager. You can set up a secret whose name is "(api_key)" and whose value is the API key itself.
To add a certificate to GitHub secrets, you need to encode the certificate file (the PKCS#12 file, .p12 or .pfx, downloaded during client authentication certificate setup) as a single base64 string.
On Linux, run this command in Terminal (-w 0 disables line wrapping so the whole string fits in one secret value; on macOS use base64 -i <file_name> instead):
base64 -w 0 <file_name>
On Windows, run this in PowerShell. The -Encoding Byte form works in Windows PowerShell 5.1 only; PowerShell 7 uses -AsByteStream. The [System.IO.File]::ReadAllBytes form works in both:
$fileContentBytes = get-content 'YOURFILEPATH.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes)
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('YOURFILEPATH.pfx'))
The client tools need these environment variables to connect with DigiCert® Software Trust Manager.
To integrate environment variables as GitHub secrets:
Access GitHub repository.
Navigate to: Settings > Secrets and variables > Actions (older GitHub UIs show this as Settings > Secrets > Actions).
Select New repository secret.
Enter the following environment variables as secrets:
Environment variable | Description |
---|---|
SM_CLIENT_CERT_PASSWORD | The password from client authentication certificate setup. |
SM_CLIENT_CERT_FILE_B64 | The base64 encoded text of the certificate downloaded from client authentication certificate setup. |
SM_HOST | The URL of the DigiCert® Software Trust Manager client authentication endpoint. In most cases this value stays as it is unless you are connecting to a self-hosted instance of the DigiCert® Software Trust Manager product. |
SM_API_KEY | The API token generated during API token setup. |
SM_CODE_SIGNING_CERT_SHA1_HASH | The certificate fingerprint. It is used by the code signing tools and is not referenced by the GPG signing steps on this page. |
Note
The SM_HOST value you use for the commands below depends on the region of your account and on whether you are using the demo or the production environment.
Country | Host type | SM_HOST value |
---|---|---|
United States of America (USA) | Demo | https://clientauth.demo.one.digicert.com |
United States of America (USA) | Production | https://clientauth.one.digicert.com |
Switzerland (CH) | Demo | https://clientauth.demo.one.ch.digicert.com |
Switzerland (CH) | Production | https://clientauth.one.ch.digicert.com |
Japan (JP) | Demo | https://clientauth.demo.one.digicert.co.jp |
Japan (JP) | Production | https://clientauth.one.digicert.co.jp |
Netherlands (NL) | Demo | https://clientauth.demo.one.nl.digicert.com |
Netherlands (NL) | Production | https://clientauth.one.nl.digicert.com |
Commands to set environment variables
Once you save the variable, it is fully encrypted. Not even the creator of the value (you) can see the value. Make sure you save it elsewhere if it is something you will need in the future.
To set the API token as a new repository secret:
Name | SM_API_KEY |
Value | Insert the API token you created. |
To set the client authentication certificate as a new repository secret:
Name | SM_CLIENT_CERT_FILE_B64 |
Value | Insert the base64 encoded string you generated above. |
To set the client authentication certificate password as a new repository secret:
Name | SM_CLIENT_CERT_PASSWORD |
Value | Insert the password you were shown when creating the client authentication certificate. |
To set up the certificate file for signing (in Git Bash on a Windows runner, /d/Certificate_pkcs12.p12 is D:\Certificate_pkcs12.p12, the path the client tools are given below):
      - name: Setup Certificate
        run: |
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
        shell: bash
To set environment variables (values appended to $GITHUB_ENV are visible to every later step in the job, which is what the client tools need; the version output is only meaningful when the workflow runs for a tag of the form v*, since it strips refs/tags/v from GITHUB_REF):
      - name: Set variables
        id: variables
        run: |
          echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
        shell: bash
Note
Expanding ${{ secrets.* }} directly inside a run: script pastes the secret value into the shell command text. GitHub's recommended pattern is to bind secrets with an env: block on the step and reference them as shell variables, which keeps them out of the script source and out of the step's command echo.
Usage example
Copy and paste the following snippet into your .yml file. It checks out the repository, decodes the client authentication certificate, and exports the connection variables for the client tools:
name: 'GPG Signing Template'
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [windows-latest]
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4
      - name: Set up certificate
        run: |
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
        shell: bash
      - name: Set variables
        id: variables
        run: |
          echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
        shell: bash
The DigiCert® Software Trust Manager client tools setup task installs and configures all the DigiCert® Software Trust Manager client tools, including the CTL client and the SCD client. Add it as a step with an id so later steps can read its outputs (for a production pipeline, pin the action to a full commit SHA rather than a mutable tag so a retagged release cannot change the tools you install):
      - name: GPG Signing with Secure Software Manager
        id: installer
        uses: digicert/ssm-gpg-signing@v0.0.2
To find the client tools installation path, read the extractPath output of the installer step:
      - run: echo "Installation path: ${{ steps.installer.outputs.extractPath }}"
The action installs its own scdaemon (ssm-scd.exe), which presents the DigiCert-held keypair to gpg as a smart card, so gpg-agent must be told to use it. Replace the default gpg-agent.conf in C:\Users\RUNNER~1\.gnupg with a custom one. Review the following example of what gpg-agent.conf should contain:
verbose
debug-all
scdaemon-program C:\\Users\\RUNNER~1\\AppData\\Local\\Temp\\DigiCert One Signing Manager Tools\\ssm-scd.exe
The scdaemon-program path must match where the action extracted the tools (compare it with the extractPath output above). debug-all is helpful while you set the pipeline up, but it writes detailed agent and card traces into the job log, so remove it once signing works.
You can commit the above configuration file to your repository and then use the following step to replace the file on the runner:
      - name: Configuration
        run: |
          del "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
          copy path\to\gpg-agent.conf\inRepository "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
To sign using a GPG keypair, restart the agent so it picks up the new configuration, download the public keyring for your keypair from DigiCert® Software Trust Manager, and confirm that gpg sees the key on the virtual card before signing:
      - name: Sign the artifact
        run: |
          gpgconf --kill all
          smctl gpg keyring download YOUR_GPG_KEYPAIR_ID --file-path C:\\Users\\RUNNER~1\\.gnupg\\pubring.gpg
          gpg --card-status
          gpg --list-keys
          gpg --list-secret-keys
          gpg --sign FileToSign
gpg --sign writes a compressed, signed copy of the input as FileToSign.gpg and leaves the original untouched. For release artifacts a detached signature (gpg --detach-sign --armor) is usually what consumers expect, and running gpg --verify on the result before publishing catches a wrong keypair ID or a broken agent configuration while the job can still fail.
The complete workflow, combining the steps above:
name: 'GPG Signing Template'
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [windows-latest]
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4
      - name: Set up certificate
        run: |
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
        shell: bash
      - name: Set variables
        id: variables
        run: |
          echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
        shell: bash
      - name: GPG Signing with Secure Software Manager
        id: installer
        uses: digicert/ssm-gpg-signing@v0.0.2
      - name: Configuration
        run: |
          del "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
          copy path\to\gpg-agent.conf\inRepository "C:\Users\RUNNER~1\.gnupg\gpg-agent.conf"
      - name: Sign the artifact
        run: |
          gpgconf --kill all
          smctl gpg keyring download YOUR_GPG_KEYPAIR_ID --file-path C:\\Users\\RUNNER~1\\.gnupg\\pubring.gpg
          gpg --card-status
          gpg --list-keys
          gpg --list-secret-keys
          gpg --sign FileToSign
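A hardened variant of the template above, added here as an example and not DigiCert's own workflow. It keeps the same tools and the same step order but changes the parts a reviewer would flag: secrets reach the scripts through env: bindings instead of being expanded into run: text, the version is exported through $GITHUB_OUTPUT, the job runs only for v* tags so that output is always a real version, the token has read-only permissions, gpg-agent.conf is generated from the installer's extractPath output rather than a hard-coded Temp path and omits debug-all, and the artifact gets a detached ASCII-armored signature that is verified before the job ends. Three things are assumptions rather than values from this page: that extractPath is the directory containing ssm-scd.exe, that the keypair ID is stored in a repository variable named SM_GPG_KEYPAIR_ID, and that the artifact to sign is dist/app.zip.

```yaml
name: 'GPG Signing Template (hardened)'
on:
  push:
    tags: ['v*']           # sign only tagged releases, so GITHUB_REF is refs/tags/v*

permissions:
  contents: read           # the job needs nothing beyond checkout

jobs:
  release:
    runs-on: windows-latest
    # Job-wide environment read by the DigiCert client tools. Binding secrets
    # here keeps their values out of the run: script text.
    env:
      SM_HOST: ${{ secrets.SM_HOST }}
      SM_API_KEY: ${{ secrets.SM_API_KEY }}
      SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
      SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4   # pin to a full commit SHA in production

      - name: Set up certificate
        shell: bash
        env:
          CERT_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # /d/... in Git Bash is D:\..., matching SM_CLIENT_CERT_FILE above
          printf '%s' "$CERT_B64" | base64 --decode > /d/Certificate_pkcs12.p12

      - name: Set version output
        id: variables
        shell: bash
        run: echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"

      - name: Install DigiCert client tools
        id: installer
        uses: digicert/ssm-gpg-signing@v0.0.2

      - name: Point gpg-agent at the DigiCert scdaemon
        shell: bash
        env:
          # Assumption: extractPath is the directory that contains ssm-scd.exe
          TOOLS_DIR: ${{ steps.installer.outputs.extractPath }}
        run: |
          mkdir -p ~/.gnupg
          # No debug-all: it would write agent and card traces into the job log
          printf 'verbose\nscdaemon-program %s\\ssm-scd.exe\n' "$TOOLS_DIR" > ~/.gnupg/gpg-agent.conf
          gpgconf --kill all   # restart so the agent reads the new configuration

      - name: Sign and verify the artifact
        shell: bash
        env:
          GPG_KEYPAIR_ID: ${{ vars.SM_GPG_KEYPAIR_ID }}   # assumed repository variable
        run: |
          smctl gpg keyring download "$GPG_KEYPAIR_ID" --file-path ~/.gnupg/pubring.gpg
          gpg --card-status    # registers the card-backed key so gpg can sign with it
          # Detached, ASCII-armored signature: the artifact ships unchanged, the .asc alongside it
          gpg --batch --yes --detach-sign --armor --output dist/app.zip.asc dist/app.zip
          # Fail the job if the signature does not verify against the downloaded public key
          gpg --verify dist/app.zip.asc dist/app.zip
```

The verify step is the cheap check that catches the two most common failures at signing time, a wrong keypair ID or an agent that never picked up the scdaemon-program setting, instead of at release time when a consumer runs gpg --verify and gets a bad signature. Publish dist/app.zip and dist/app.zip.asc together, and publish the public key separately so consumers do not have to trust the release channel for the key.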