This is a GitHub action that allows you to code sign binary files.
It was developed specifically to code sign binaries built using @lando/pkg-action so it may not be appropriate for all use cases. It also can do basic macOS notarization.
It will automatically set the signtool based on runner.os and the inputs that you pass in.
Note that signing is not supported on linux because you cannot sign binary files on Linux and it is not required for binaries to be signed anyway.
Required Inputs
Signtool
Signtool is the default signtool when using windows runners.
These keys must be set correctly on a windows runner.
| Name | Description | Example Value |
|---|---|---|
file |
The file to sign. | bin/test |
certificate-data |
A base64 encoded string of your p12 or pfx cert contents. |
${{ secrets.APPLE_CERT_DATA }} |
certificate-password |
The password to unlock the certificate-data. |
${{ secrets.APPLE_CERT_PASSWORD }} |
jobs: sign: runs-on: windows-2022 steps: - name: Sign binary uses: lando/code-sign-action@v3 with: file: path/to/binary.exe certificate-data: ${{ secrets.WINDOZE_CERT_DATA }} certificate-password: ${{ secrets.WINDOZE_CERT_PASSWORD }}
Codesign
Codesign is the default (and currently only) signtool when using macos runners.
These keys must be set correctly on a macos runner.
| Name | Description | Example Value |
|---|---|---|
file |
The file to sign. | bin/test |
certificate-data |
A base64 encoded string of your p12 or pfx cert contents. |
${{ secrets.APPLE_CERT_DATA }} |
certificate-id | apple-team-id |
A string to identify the correct signing cert. | FY8GAUX282 |
certificate-password |
The password to unlock the certificate-data. |
${{ secrets.APPLE_CERT_PASSWORD }} |
jobs: sign: runs-on: macos-14 steps: - name: Sign binary uses: lando/code-sign-action@v3 with: file: path/to/binary certificate-data: ${{ secrets.APPLE_CERT_DATA }} certificate-id: FY8GAUX282 certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
Note that you can also use apple-team-id to set the certificate-id if you prefer.
Also note that if you are using an Apple Developer codesigning certificate you must set the certificate-id or apple-team-id to your Apple Team ID
Codesign w/ Notarization
You can also codesign with basic macOS notarization.
These keys must be set correctly on a macos runner.
| Name | Description | Example Value |
|---|---|---|
file |
The file to sign. | bin/test |
certificate-data |
A base64 encoded string of your p12 or pfx cert contents. |
${{ secrets.APPLE_CERT_DATA }} |
certificate-password |
The password to unlock the certificate-data. |
${{ secrets.APPLE_CERT_PASSWORD }} |
apple-notary-user |
The Apple Developer account email to use in notarization. | ${{ secrets.APPLE_NOTARY_USER }} |
apple-notary-password |
The Apple Developer account password to use in notarization. | ${{ secrets.APPLE_NOTARY_PASSWORD }} |
apple-product-id |
The Apple Developer Product ID to use in notarization. | dev.lando.code-sign-action |
apple-team-id |
The Apple Team ID for the certificate. | FY8GAUX282 |
options |
Additional options to pass into codesign |
--options runtime --entitlements entitlements.xml |
jobs: package: runs-on: macos-11 steps: name: Sign binary uses: lando/code-sign-action@v2 with: file: path/to/binary certificate-data: ${{ secrets.APPLE_CERT_DATA }} certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} apple-notary-tool: altool apple-team-id: FY8GAUX282 apple-product-id: dev.lando.code-sign-action options: --options runtime --entitlements entitlements.xml
Note that it's only possible to codesign and notarize using an Apple Developer certificate.
Also note that you probably need to set the options as above. You can look here for an example entitlements.xml but you will want to configure it to your needs.
KeyLocker
You can also sign on windows runners using KeyLocker by setting the additional keylocker inputs as below:
These keys must be set correctly on a windows runner.
| Name | Description | Example Value |
|---|---|---|
file |
The file to sign. | bin/test |
certificate-data |
A base64 encoded string of your SM_CLIENT_CERT_FILE. |
${{ secrets.KEYLOCKER_CLIENT_CERT }} |
certificate-password |
The SM_CLIENT_CERT_PASSWORD to unlock the SM_CLIENT_CERT_FILE. |
${{ secrets.KEYLOCKER_CLIENT_CERT_PASSWORD }} |
keylocker-host |
The SM_HOST of the KeyLocker host eg DigiCert One. |
https://clientauth.one.digicert.com |
keylocker-api-key |
The SM_API_KEY for the KeyLocker SM_HOST. |
${{ secrets.KEYLOCKER_API_KEY }} |
keylocker-cert-sha1-hash |
The SM_CODE_SIGNING_CERT_SHA1_HASH fingerprint for SM_CLIENT_CERT_FILE. |
${{ secrets.KEYLOCKER_CERT_SHA1_HASH }} |
keylocker-keypair-alias |
The SM_KEYPAIR_ALIAS for the KeyLocker SM_HOST. |
${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }} |
jobs: sign: runs-on: windows-2022 steps: - name: Sign binary uses: lando/code-sign-action@v3 with: file: dist/@lando/code-sign-action.exe certificate-data: ${{ secrets.KEYLOCKER_CLIENT_CERT }} certificate-password: ${{ secrets.KEYLOCKER_CLIENT_CERT_PASSWORD }} keylocker-host: https://clientauth.one.digicert.com keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }} keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }} keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
Outputs
outputs: file: description: "The path to the signed and/or notarized file." value: ${{ steps.code-sign-action.outputs.file }}
Changelog
We try to log all changes big and small in both THE CHANGELOG and the release notes.
Releasing
Create a release and publish to GitHub Actions Marketplace. Note that the release tag must be a semantic version.
Maintainers
Contributors
Made with contrib.rocks.