This is an updated and stripped down version of https://github.com/dlemstra/code-sign-action via https://github.com/vespakoen/code-sign-action/commit/36116b6c909e1f6decd8584a798e4feec15835fe.
This action signs .exe files in the specified directory using signtool.exe. This works on Windows only. The cert and password must be provided via secrets.
The files being signed are overwritten with their signed copy.
Assuming that you have a valid .pfx file:
- run certutil -encode my_cert.pfx my_cert_as_base64.txt
- open my_cert_as_base64.txt and remove the header/footer, e.g. "-----BEGIN CERTIFICATE-----"
- remove all new line chars to make it a single continuous string
- copy-paste the string into the "secret" on GitHub
This code does not parse the contents of the base64 cert - it decodes it and saves as a binary .pfx file for signtool to use.
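The preparation steps and the decode step above can be checked locally before the string is pasted into a secret. The following is an added example, not code from this action; the function names and the sample bytes are hypothetical, and the leading-byte check is an extra sanity test that the action itself does not perform. It matters because Node's `Buffer.from(..., 'base64')` does not throw on malformed input, so a secret that still contains a header or line breaks decodes to garbage silently.

```javascript
// Added example (not the action's code). Function names are hypothetical.

// Turn the text written by `certutil -encode` into the single-line secret:
// drop the "-----BEGIN/END CERTIFICATE-----" lines and every line break.
function certutilTextToSecret(text) {
  return text
    .split(/\r?\n/)
    .filter((line) => !line.startsWith('-----'))
    .join('')
    .replace(/\s+/g, '');
}

// Decode the secret as the page describes (base64 -> binary .pfx bytes),
// rejecting input that still has a header, line breaks or stray characters.
function decodeSecret(secret) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(secret) || secret.length % 4 !== 0) {
    throw new Error('secret is not a single unbroken base64 string');
  }
  const bytes = Buffer.from(secret, 'base64');
  // Assumption added here: a .pfx (PKCS#12) file is DER encoded,
  // so its first byte is the SEQUENCE tag 0x30.
  if (bytes.length === 0 || bytes[0] !== 0x30) {
    throw new Error('decoded bytes do not look like a DER-encoded .pfx');
  }
  return bytes;
}

// Constructed sample: a few DER-looking bytes standing in for a real .pfx.
const samplePfx = Buffer.from([0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x03, 0x30, 0x11, 0x22, 0x33]);
const sampleB64 = samplePfx.toString('base64');

// Constructed sample of certutil output: header, wrapped base64, footer, CRLF line ends.
const sampleCertutilText =
  '-----BEGIN CERTIFICATE-----\r\n' +
  sampleB64.slice(0, 8) + '\r\n' +
  sampleB64.slice(8) + '\r\n' +
  '-----END CERTIFICATE-----\r\n';

const sampleSecret = certutilTextToSecret(sampleCertutilText);
console.log('secret round-trips:', decodeSecret(sampleSecret).equals(samplePfx));
```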
certificate: Required. The base64 encoded certificate as a single base64 string, no header, footer or line breaks.
password: Required. Certificate's password. Optional, but you really should have one.
folder: Required. The folder that contains the files to sign, e.g. target\release or .
..
runs-on: windows-latest
steps:
  # Pin the action to a release tag or commit SHA by appending @<ref>.
  - uses: stackmuncher/code-sign-action
    with:
      certificate: '${{ secrets.WIN_CERT_B64 }}'
      password: '${{ secrets.WIN_CERT_B64_P }}'
      folder: '.'