Fix signing (#2)

lukekim · sgrebnov · lukekim · commit 543fe32e80df · 2025-04-14T18:35:45.000-07:00
* Tweak

* Tweak

* Remove folder

* Remove bash

* Windows Updates

* Build updates

* Use hardcoded path

* Try hardcoding

* Tweaks for testing

* Add powershell script

* Use Powershell script

* Add error checks

* Test

* Test

* Fix the environment

* Add upload step

* Fix script

* Fix

* Fix

* Use machines Java

* Tweaks

* Try storepass

* Use http

---------

Co-authored-by: Sergei Grebnov &lt;sergei.grebnov@gmail.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -24,3 +24,9 @@ jobs:
       - name: Make Package
         run: |
           make package
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: spice.unsigned.taco
+          path: spice.taco
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,45 +2,60 @@ name: release
 on:
   workflow_dispatch:
     inputs:
+      workflow_run_id:
+        description: 'ID of the workflow run to fetch artifacts from'
+        required: true
+        type: string
       signed_binary_name:
         description: 'Name of the signed binary'
         required: false
-        default: 'spiceai.signed.taco'
+        default: 'spiceai.taco'
         type: string
   release:
     types: [created]
 
 jobs:
-  build:
+  release:
     runs-on: code-signing
-    if: github.event.action == 'created' && github.event.release.prerelease == true
+    environment: signed_release
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
 
-      - name: Install Python
-        uses: actions/setup-python@v4
+      - name: Download Artifact
+        uses: actions/download-artifact@v4
         with:
-          python-version: 3.13
+          name: spice.unsigned.taco
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ inputs.workflow_run_id }}
 
-      - name: Make Package (unsigned)
+      - name: Copy unsigned taco
         run: |
-          make package
+          cp spice.taco ${{ inputs.signed_binary_name }}
+          echo "Signed binary name: ${{ inputs.signed_binary_name }}"
 
       - name: Set up Java for signing
         uses: actions/setup-java@v4
         with:
           java-version: '11'
           distribution: 'zulu'
 
-      - name: Sign ${{ inputs.signed_binary_name}}
+      - name: Sign ${{ inputs.signed_binary_name }}
+        shell: powershell
         env:
+          DIGICERT_TOKEN_PASSWORD: ${{ secrets.DIGICERT_TOKEN_PASSWORD }}
           DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }}
-        run: |
-          jarsigner -tsa http://timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg -sigalg SHA256withRSA -signedjar ${{ inputs.signed_binary_name}} spice.taco $DIGICERT_KEY_ALIAS
-        shell: bash
+          DIGICERT_TOKEN_CFG_PATH: ${{ secrets.DIGICERT_TOKEN_CFG_PATH }}
+          SIGNED_BINARY_NAME: ${{ inputs.signed_binary_name }}
+        run: .\sign.ps1
+
+      - name: Upload ${{ inputs.signed_binary_name }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.signed_binary_name }}
+          path: ${{ inputs.signed_binary_name }}
 
       - name: Upload to release
         uses: softprops/action-gh-release@v2
diff --git a/sign.ps1 b/sign.ps1
@@ -0,0 +1,31 @@
+echo "Signing with Digicert Token"
+
+# Check if the required environment variables are set
+if (-not $env:DIGICERT_TOKEN_PASSWORD) {
+    Write-Host "Error: DIGICERT_TOKEN_PASSWORD environment variable is not set."
+    exit 1
+}
+if (-not $env:DIGICERT_TOKEN_CFG_PATH) {
+    Write-Host "Error: DIGICERT_TOKEN_CFG_PATH environment variable is not set."
+    exit 1
+}
+if (-not $env:DIGICERT_KEY_ALIAS) {
+    Write-Host "Error: DIGICERT_KEY_ALIAS environment variable is not set."
+    exit 1
+}
+if (-not $env:SIGNED_BINARY_NAME) {
+    Write-Host "Error: SIGNED_BINARY_NAME environment variable is not set."
+    exit 1
+}
+
+jarsigner -verbose `
+    -tsa http://timestamp.digicert.com `
+    -keystore NONE `
+    -storetype PKCS11 `
+    -storepass $env:DIGICERT_TOKEN_PASSWORD `
+    -providerClass sun.security.pkcs11.SunPKCS11 `
+    -providerArg "$env:DIGICERT_TOKEN_CFG_PATH" `
+    -sigalg SHA256withRSA `
+    -signedjar $env:SIGNED_BINARY_NAME `
+    spice.taco `
+    "$env:DIGICERT_KEY_ALIAS" 
