Skip to content

Windows Binary Signing through DigiCert #4906

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rekhoff wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Windows Binary Signing through DigiCert #4906

Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
8fcf051
Update Code Signing to use GitHub Actions and Software Trust Manager
rekhoff Apr 24, 2026
15fe479
Add branches to package script
rekhoff Apr 24, 2026
36eb8a1
Remove branches from package script
rekhoff Apr 24, 2026
acc8d34
Adding DigiCert Healthcheck step for troubleshooting
rekhoff Apr 24, 2026
8acf721
Add keys to binary signing step
rekhoff Apr 24, 2026
6361f8b
Correct `signtool` install
rekhoff Apr 25, 2026
080d7fe
Readding DigiCert authentication environment variables
rekhoff Apr 25, 2026
10a3c68
Adding step to register signtool with smctl
rekhoff Apr 25, 2026
7ca1076
Added verbose logging to code sign command
rekhoff Apr 25, 2026
57c1b77
Sync certificates from DigiCert cloud to local Windows certificate store
rekhoff Apr 25, 2026
9b780d5
Add certificates diagnostics for troubleshooting
rekhoff Apr 25, 2026
589957f
Yet another test with additional logging
rekhoff Apr 27, 2026
29ecdf9
Merge branch 'master' into rekhoff/windows-digicert-binary-signing
rekhoff Apr 27, 2026
9b26db3
Cleaned up and removed debug diagnostics and dead paths
rekhoff Apr 27, 2026
53bec59
Merge branch 'master' into rekhoff/windows-digicert-binary-signing
rekhoff Apr 27, 2026
5e6dd74
Merge branch 'master' into rekhoff/windows-digicert-binary-signing
rekhoff Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 36 additions & 22 deletions .github/workflows/package.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,41 +66,55 @@ jobs:
$dir = Split-Path $signtool.FullName
Add-Content -Path $env:GITHUB_PATH -Value $dir

- name: Write certificate file for signing
if: ${{ runner.os == 'Windows' }}
shell: powershell
env:
DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
- name: Decode DigiCert client auth certificate
if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
shell: bash
run: |
[IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12

- name: Setup DigiCert Software Trust Manager
if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
uses: digicert/code-signing-software-trust-action@v1
env:
SM_HOST: ${{ vars.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}

- name: Compile
run: |
cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

- name: Sign binaries for Windows
# Disabled for now since the current flow isn't working.
if: false
#if: ${{ runner.os == 'Windows' }}
shell: powershell
if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
shell: pwsh
env:
SM_HOST: ${{ vars.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
run: |
$ErrorActionPreference = 'Stop'
$targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
$certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx'

$signtool = Get-Command signtool.exe -ErrorAction Stop

$files = @(
(Join-Path $targetDir 'spacetimedb-update.exe'),
(Join-Path $targetDir 'spacetimedb-cli.exe'),
(Join-Path $targetDir 'spacetimedb-standalone.exe')
)
foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
$path = Join-Path $targetDir $exe
Write-Host "Signing $exe..."
& smctl sign --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path
if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
Write-Host "$exe signed successfully"
}

foreach ($file in $files) {
& $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
& $signtool.Path verify /v /pa $file
- name: Verify signatures
if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
$targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
$path = Join-Path $targetDir $exe
& signtool.exe verify /v /pa $path
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" }
}

- name: Package (unix)
Expand Down
Loading