espressif / esp-idf-ci-action

GitHub Action for ESP32 CI
MIT License

Feature/signing secret (RDT-349) #26

Closed StevenMacias closed 1 year ago

StevenMacias commented 1 year ago

This PR allows using the espsecure.py command together with GitHub Actions Secrets to generate signed binaries without sharing private keys among developers.

I was not able to route my secret from my action to the docker container in the esp-idf-ci-action action. This PR allows to share the private key with the container without storing it in a file.

What do you think? I have tested it with the following action and it works:

name: Developer build

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repo
      uses: actions/checkout@v2
      with:
        submodules: 'recursive'
    - name: Build
      uses: StevenMacias/esp-idf-ci-action@feature/signing_secret
      with:
        esp_idf_version: v4.4.2
        target: esp32s3
    - name: Sign binary
      env:
        SIGN_KEY: ${{secrets.SIGNING_KEY}}
      uses: StevenMacias/esp-idf-ci-action@feature/signing_secret
      with:
        esp_idf_version: v4.4.2
        target: esp32s3
        signing_secret: "$SIGN_KEY"
        command: scripts/sign_binary.sh
    - name: Verify binary signature
      uses: StevenMacias/esp-idf-ci-action@feature/signing_secret
      with:
        esp_idf_version: v4.4.2
        target: esp32s3
        command: scripts/verify_binary.sh
    - name: Publish artifact
      uses: actions/upload-artifact@v3
      with:
        name: binary-signed
        path: ./build/binary-signed.bin

I have updated the README with relevant information on how to use the new signing_secret input.

Thanks a lot for your work!
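
The workflow above calls scripts/sign_binary.sh and scripts/verify_binary.sh but does not show them. What follows is an added example of what such a pair of scripts can look like, written for this page and not taken from the PR or from the esp-idf-ci-action project. It assumes that SIGN_KEY holds the PEM-encoded Secure Boot V2 private key routed in from the GitHub secret, that the matching public key is committed at keys/signing_key_pub.pem, that the unsigned app is build/binary.bin, and that espsecure.py is on PATH inside the container; all four of those names are assumptions. The point it demonstrates is the one the PR is about: the private key reaches espsecure.py over a pipe and is never written to the workspace, the script fails early if the secret did not make it into the container, and the verify step needs only the public key so it never sees the secret at all.

```shell
#!/bin/sh
# Added example: a combined stand-in for the scripts/sign_binary.sh and
# scripts/verify_binary.sh referenced in the workflow. Not part of the PR.
# Assumptions (not from the PR): SIGN_KEY holds the PEM-encoded Secure Boot V2
# private key (from a GitHub secret), the public key is committed at
# keys/signing_key_pub.pem, the unsigned app is build/binary.bin, and
# espsecure.py from esp-idf is on PATH inside the container.
set -eu

ESPSECURE="${ESPSECURE:-espsecure.py}"          # signing tool (overridable for local runs)
UNSIGNED="${UNSIGNED:-build/binary.bin}"
SIGNED="${SIGNED:-build/binary-signed.bin}"
PUBKEY="${PUBKEY:-keys/signing_key_pub.pem}"

# Fail early if the secret did not make it into the container: an empty or
# non-PEM value is the usual symptom when the secret is not routed through
# the action's env/inputs.
check_key_material() {
    key="${1-}"
    if [ -z "$key" ]; then
        echo "signing key is empty: was the secret passed into the container?" >&2
        return 1
    fi
    case "$key" in
        *"-----BEGIN "*"PRIVATE KEY-----"*) return 0 ;;
        *)
            echo "signing key does not look like a PEM private key" >&2
            return 1 ;;
    esac
}

# Sign with the Secure Boot V2 scheme. The key is fed to espsecure.py over a
# pipe (printf, not echo, so backslashes in the key text are not interpreted)
# and is never written to the workspace or the build directory.
sign_binary() {
    check_key_material "${SIGN_KEY-}"
    printf '%s\n' "$SIGN_KEY" | "$ESPSECURE" sign_data --version 2 \
        --keyfile /dev/stdin --output "$SIGNED" "$UNSIGNED"
}

# Verification needs only the public key, so this step does not receive the
# secret at all (as in the workflow's "Verify binary signature" step).
verify_binary() {
    [ -f "$PUBKEY" ] || { echo "public key $PUBKEY not found" >&2; return 1; }
    "$ESPSECURE" verify_signature --version 2 --keyfile "$PUBKEY" "$SIGNED"
}

case "${1-}" in
    sign)   sign_binary ;;
    verify) verify_binary ;;
    "")     ;;   # sourced or run without a sub-command: define functions only
    *)      echo "usage: $0 sign|verify" >&2; exit 2 ;;
esac
```

In the workflow this would be invoked as `command: scripts/sign_binary.sh sign` in the step that has SIGN_KEY in its environment and `command: scripts/sign_binary.sh verify` in the step that does not. Setting ESPSECURE to a different path lets you run the same script against a local esptool install without touching the container image.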

kumekay commented 1 year ago

Hi @StevenMacias, thank you for your merge request!

If I understand correctly, the only goal for the new input is to pass it to a command. Did you try to pass the secret directly to the command?

      ...
      with:
        command: echo "${{secrets.SIGNING_KEY}}" | espsecure.py sign_data --version 2 --keyfile /dev/stdin --output ./build/my-project-signed.bin ./build/my-project.bin

StevenMacias commented 1 year ago

Yes! That was my first approach, and I found that only the echo command is processed inside the docker container, while espsecure.py returns the following error since it is executed on the Ubuntu machine:

/home/runner/work/_temp/844d939b-eabf-4bc6-be73-a14c9c435ace.sh: line 2: espsecure.py: command not found
write /dev/stdout: broken pipe
Error: Process completed with exit code 127.

I have tried to solve the issue with some quoting without success. That is why I finally ended up creating a new input in your action and using a bash script. I am not an expert in YAML or Docker, so I might be missing a simpler way of overcoming this issue.

Thanks!

kumekay commented 1 year ago

@StevenMacias, I'm sorry for the delay. The problem is with escaping the command. A PR https://github.com/espressif/esp-idf-ci-action/pull/27 should fix it.

Could you please try to use the PR branch in your workflow:

uses: espressif/esp-idf-ci-action@bugfix/git_inside_repo

The same problem also affected https://github.com/espressif/esp-idf-ci-action/issues/25.

StevenMacias commented 1 year ago

It works now with the custom command: command: echo "${{secrets.SIGNING_KEY}}" | espsecure.py sign_data --version 2 --keyfile /dev/stdin --output ./build/project-signed.bin ./build/project.bin

Thanks a lot! Do you know when this fix will be available in espressif/esp-idf-ci-action@v1?

Happy new year! :fireworks: :tada:

kumekay commented 1 year ago

@StevenMacias Great to hear!

There are better days than Friday, December 30th, to release anything. We will update the tag on Monday or Tuesday.

Happy new year!

StevenMacias commented 1 year ago

No hurries! I was just wondering if you have specific dates (monthly, quarterly, etc) for updating the tag. Thanks again!

kumekay commented 1 year ago

@StevenMacias v1 is now the default branch (instead of the tag), so you can use espressif/esp-idf-ci-action@v1

I'm closing this PR now. If you want to keep information about signing binaries with this action, you can add it to the wiki: https://github.com/espressif/esp-idf-ci-action/wiki

StevenMacias commented 1 year ago

@kumekay Perfect! I would not mind documenting how to sign binaries with esp-idf-ci-action. However, it seems that the Wiki is not publicly available.

kumekay commented 1 year ago

@StevenMacias Right, I apologize for my mistake. However, GitHub search is quite good, so it shouldn't be hard to find the example in this PR. I have added the for reference. I hope this will be sufficient.

StevenMacias commented 1 year ago

Thanks!