This action enables you to download, cache and set the Venafi CodeSign Protect clients either based on Venafi CSP or PKCS#11.
Optionally you may want to set a default configuration for verification purposes.
if you are not familiar with Code Signing or Venafi CodeSign Protect, please refer to current CodeSign Protect documentation to get an understanding of the benefits and product features.
Table of contents
This action currently supports GitHub-provided Linux and Windows runners, including self-hosted runners.
Currently we provide examples for jarsigner and signtool, which are provided through the Python library Venafi CodeSign Protect: Python (PyPi) Package.
The following optional inputs:
| Input | Description |
|---|---|
venafi-csc-url |
Venafi CodeSign Protect client Download page, which defaults to https://localhost/csc for local development. |
venafi-version |
Venafi CodeSign Protect version, which defaults to 24.1.0, our latest tested version. |
venafi-auth-url |
Trust Protection Platform authentication server URL, which defaults to https://localhost/vedauth for local development. |
venafi-hsm-url |
Trust Protection Platform virtual HSM URL, which defaults to https://localhost/vedhsm for local development. |
include-config |
Does an initial set-url to set the authentication server and virtual HSM URLs, which defaults to false for local development. |
venafi-user |
The login username that has privileges to properly execute signing operations, which defaults to signer and can be overwritten when needed. |
venafi-password |
The password associated with the login username. The latter is useful for storing the password in a Github Secret, which can be accessed through a variable. |
Note: Don't forget to register the password as Github Secret.
The following outputs:
| Output | Description |
|---|---|
csp-driver-cached-config |
Configuration of the cached CSP Driver package. Only if initial-config is set to true. |
csp-driver-cached-path |
Path of the cached CSP Driver package. |
csp-driver-cached-version |
Version of the cached CSP Driver package. |
Add the following entry to your Github workflow YAML file as bare minimum input.:
uses: qensus-labs/venafi-codesigning-wrapper-action@v1.0.0
with:
version: '24.1.0' # optionalThis product is compatible with:
This product supports executing code signing clients in a Shell environment using the Python venafi-csp integration. We currently support Linux and Windows operating systems.
Currently our support differs per OS:
| Signer | OS | Venafi-CSP |
|---|---|---|
| Jarsigner | Linux | ✅ |
| Jarsigner | Windows | ✅ |
| Signtool | Linux | ❌ |
| Signtool | Windows | ✅ |
Below example usage examples you may want to implement using Github Actions shared or self-hosted runners.
Scenario implements a pinned version with minimal configuration.
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Example including initial configuration
steps:
- name: Setup CSPDriver
uses: qensus-labs/venafi-codesigning-wrapper-action@v1.0.0
with:
venafi-version: '24.1.0'
venafi-csc-url: 'https://my-tpp/csc'
venafi-auth-url: 'https://my-tpp/vedauth'
venafi-hsm-url: 'https://my-tpp/vedhsm'
include-config: 'false'
venafi-user: 'signer'
- name: Check CSPDriver (version)
run: pkcs11config --versionScenario implements the default version with minimal configuration. It does require a local development environment (TPP).
jobs:
example:
runs-on: ubuntu-latest
permissions: {}
name: Example with local TPP
steps:
- name: Setup CSPDriver
uses: qensus-labs/venafi-codesigning-wrapper-action@v1.0.0
- name: Check CSPDriver (version)
run: pkcs11config --versionComplete implements a pinned version with minimal configuration. Additionally it demostrated the complete code signing lifecycle using jarsigner.
See the Venafi CodeSign Protect: Python (PyPi) Package documentation for more detailed configuration examples and applicable parameters.
When using a shared runner, only update runs-on: parameter value with ubuntu-latest.
jobs:
example:
runs-on: ["self-hosted", "Linux", "X64"] # runs-on: ubuntu-latest
name: Example with self-hosted Linux runner
steps:
- name: Setup CSPDriver
id: cspdriver
uses: qensus-labs/venafi-codesigning-wrapper-action@v1.0.0
with:
venafi-version: '24.1.0'
venafi-csc-url: 'https://my-tpp/csc'
venafi-auth-url: 'https://my-tpp/vedauth'
venafi-hsm-url: 'https://my-tpp/vedhsm'
include-config: 'false'
- name: Display output values
run: |
echo "Output \"csp-driver-cached-path\" [${{steps.cspdriver.outputs.csp-driver-cached-path}}]"
echo "Output \"csp-driver-cached-version\" [${{steps.cspdriver.outputs.csp-driver-cached-version}}]"
- name: Check CSPDriver (version)
run: pkcs11config --version
- name: Setup Java SDK
uses: actions/setup-java@v4
with:
distribution: 'oracle' # See 'Supported distributions' for available options
java-version: '21'
- name: Show JarSigner version
run: jarsigner -version
- name: Build foo.jar
run: |
echo 'public class Foo { public static void main() { } }' > Foo.java
javac Foo.java
jar -cf foo.jar Foo.class
- name: Store the foo.jar artifact
uses: actions/upload-artifact@v4
with:
name: foo.jar
path: foo.jar
- name: Setup Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install Venafi Python package
run: pip install venafi-csp
- name: Run Library command
run: python -mvenafi_csp.version_command
- name: Sign artifact with JarSigner
run: python -mvenafi_csp.jarsigner_sign_command
env:
TPP_AUTH_URL: 'https://my-tpp/vedauth'
TPP_HSM_URL: 'https://my-tpp/vedhsm'
TPP_USERNAME: signer
TPP_PASSWORD: ${{ secrets.TPP_PASSWORD }}
VENAFI_CLIENT_TOOLS_DIR: '${{ runner.tool_cache }}/CSPDriver/24.1.0/x64/opt/venafi/codesign'
INPUT_PATH: foo.jar
CERTIFICATE_LABEL: github-signer-development-codesigner
- name: verify artifact with JarSigner
run: python -mvenafi_csp.jarsigner_verify_command
env:
TPP_AUTH_URL: 'https://my-tpp/vedauth'
TPP_HSM_URL: 'https://my-tpp/vedhsm'
TPP_USERNAME: signer
TPP_PASSWORD: ${{ secrets.TPP_PASSWORD }}
INPUT_PATH: foo.jar
CERTIFICATE_LABEL: github-signer-development-codesigner
- name: Store the foo.jar signed & validated artifact
uses: actions/upload-artifact@v4
with:
name: foo-signed.jar
path: foo.jarScenario implements a pinned version with minimal configuration. Additionally it demostrated the complete code signing lifecycle using signtool.
See the Venafi CodeSign Protect: Python (PyPi) Package documentation for more detailed configuration examples and applicable parameters.
When using a shared runner, only update runs-on: parameter value with windows-latest.
jobs:
example_job:
runs-on: ["self-hosted", "Windows", "X64" ] # runs-on: windows-latest
name: Example with self-hosted Windows runner
steps:
- name: Setup CSPDriver
id: cspdriver
uses: qensus-labs/venafi-codesigning-wrapper-action@v1.0.0
with:
venafi-version: '24.1.0'
venafi-csc-url: 'https://my-tpp/csc'
venafi-auth-url: 'https://my-tpp/vedauth'
venafi-hsm-url: 'https://my-tpp/vedhsm'
include-config: 'false'
- name: Display output values
run: |
echo "Output \"csp-driver-cached-path\" [${{steps.cspdriver.outputs.csp-driver-cached-path}}]"
echo "Output \"csp-driver-cached-version\" [${{steps.cspdriver.outputs.csp-driver-cached-version}}]"
- name: Check CSPDriver (version)
run: |
cspconfig.exe version
- name: Build foo.exe
run: |
copy C:\Windows\System32\Notepad.exe foo.exe
- name: Store the foo.exe artifact
uses: actions/upload-artifact@v4
with:
name: foo.exe
path: foo.exe
- name: Setup Python 3.11
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Venafi Python package
run: pip install venafi-csp
- name: Setup Windows SDK
uses: GuillaumeFalourd/setup-windows10-sdk-action@v2
with:
sdk-version: 20348
- name: Add SDK (20348) to GITHUB_PATH
run: |
"C:\Program files (x86)\Windows Kits\10\bin\10.0.20348.0\x64" >> $env:GITHUB_PATH
- name: Sign artifact with signtool
shell: cmd
run: python -mvenafi_csp.signtool_sign_command
env:
TPP_AUTH_URL: 'https://uvo1gm8xtvysk75eax6.env.cloudshare.com/vedauth'
TPP_HSM_URL: 'https://uvo1gm8xtvysk75eax6.env.cloudshare.com/vedhsm'
TPP_USERNAME: signer
TPP_PASSWORD: ${{ secrets.TPP_PASSWORD }}
INPUT_PATH: foo.exe
CERTIFICATE_SUBJECT_NAME: signer
TIMESTAMPING_SERVERS: http://timestamp.digicert.com
- name: Verify artifact with signtool
shell: cmd
run: python -mvenafi_csp.signtool_verify_command
env:
TPP_AUTH_URL: 'https://uvo1gm8xtvysk75eax6.env.cloudshare.com/vedauth'
TPP_HSM_URL: 'https://uvo1gm8xtvysk75eax6.env.cloudshare.com/vedhsm'
TPP_USERNAME: signer
TPP_PASSWORD: ${{ secrets.TPP_PASSWORD }}
INPUT_PATH: foo.exe
- name: Store the foo.exe signed & validated artifact
uses: actions/upload-artifact@v4
with:
name: foo-signed.exe
path: foo.exeSee the contribution guide.