Update Windows code signing to use KeyLocker

b-boogaard · b-boogaard · commit 267a523924fd · 2025-07-25T11:37:15.000-06:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -95,8 +95,10 @@ jobs:
   deploy-windows-bundle:
     needs: deploy
     env:
-      B2_WINDOWS_CODE_SIGNING_CERTIFICATE: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
-      B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}
+      SM_HOST: ${{ secrets.SM_HOST }}
+      SM_API_KEY: ${{ secrets.SM_API_KEY }}
+      SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+      SM_CLIENT_CERT_PASSWORD: ${{ secrets. SM_CLIENT_CERT_PASSWORD }}
     runs-on: windows-2019
     steps:
       - uses: actions/checkout@v4
@@ -112,18 +114,19 @@ jobs:
         id: bundle
         shell: bash
         run: nox -vs bundle
-      - name: Import certificate
-        id: windows_import_cert
-        if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' }}
-        uses: timheuer/base64-to-file@v1
-        with:
-          fileName: 'cert.pfx'
-          encodedString: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
-      - name: Sign the bundle
-        if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' }}
-        id: sign
+      - name: Install client for code signing with Software Trust Manager
+        uses: digicert/ssm-code-signing@v1.1.0
+        env:
+          FORCE_DOWNLOAD_TOOLS: 'true'
+      - name: Set up client authentication certificate
+        id: client_cert
+        run: |
+          echo "${{ env.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
         shell: bash
-        run: nox -vs sign -- '${{ steps.windows_import_cert.outputs.filePath }}' '${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}'
+      - name: Sign the bundle using a keypair alais
+        id: sign
+        run: nox -vs sign -- '${{ secrets.SM_KEYPAIR_ALIAS }}' '${{ secrets.SM_CERT_FINGERPRINT }}'
       - name: Generate hashes
         id: hashes
         run: nox -vs make_dist_digest
diff --git a/changelog.d/+keylocker_migration.changed.md b/changelog.d/+keylocker_migration.changed.md
@@ -0,0 +1 @@
+Switched to cloud-based signing using DigiCert KeyLocker
diff --git a/noxfile.py b/noxfile.py
@@ -365,42 +365,41 @@ def bundle(session: nox.Session):
 def sign(session):
     """Sign the bundled distribution (macOS and Windows only)."""
 
-    def sign_windows(cert_file, cert_password):
-        session.run('certutil', '-f', '-p', cert_password, '-importpfx', cert_file)
+    def sign_windows(keypair_alias, cert_fingerprint):
         for binary_name in ['b2'] + get_versions():
+            binary_path = f'dist/{binary_name}.exe'
+
+            # Sign the binary
             session.run(
-                WINDOWS_SIGNTOOL_PATH,
+                'smctl',
                 'sign',
-                '/f',
-                cert_file,
-                '/p',
-                cert_password,
-                '/tr',
-                WINDOWS_TIMESTAMP_SERVER,
-                '/td',
-                'sha256',
-                '/fd',
-                'sha256',
-                f'dist/{binary_name}.exe',
+                '--keypair-alias',
+                keypair_alias,
+                '--input',
+                binary_path,
                 external=True,
             )
+
+            # Verify the signature
             session.run(
-                WINDOWS_SIGNTOOL_PATH,
+                'smctl',
+                'sign',
                 'verify',
-                '/pa',
-                '/all',
-                f'dist/{binary_name}.exe',
+                '--fingerprint',
+                cert_fingerprint,
+                '--input',
+                binary_path,
                 external=True,
             )
 
     if SYSTEM == 'windows':
         try:
-            certificate_file, certificate_password = session.posargs
+            sm_keypair_alias, sm_cert_fingerprint = session.posargs
         except ValueError:
-            session.error('pass the certificate file and the password as positional arguments')
+            session.error('pass the keypair alias and the cert fingerprint as positional arguments')
             return
 
-        sign_windows(certificate_file, certificate_password)
+        sign_windows(sm_keypair_alias, sm_cert_fingerprint)
     elif SYSTEM == 'linux':
         session.log('signing is not supported for Linux')
     else:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Switched to cloud-based signing using DigiCert KeyLocker`