From 8fcf051955c6eb648ce7aa0638c2063f023dd2d5 Mon Sep 17 00:00:00 2001 From: rekhoff Date: Fri, 24 Apr 2026 10:31:42 -0700 Subject: [PATCH 01/13] Update Code Signing to use GitHub Actions and Software Trust Manager --- .github/workflows/package.yml | 70 +++++++++++++++++------------------ 1 file changed, 33 insertions(+), 37 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 2580d098000..3918d5a435b 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
@@ -50,57 +50,53 @@ jobs: - name: Install rust target run: rustup target add ${{ matrix.target }} - - name: Add signtool.exe to PATH - if: ${{ runner.os == 'Windows' }} - shell: pwsh + - name: Decode DigiCert client auth certificate + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: bash run: | - $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" - $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | - Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } | - Sort-Object FullName -Descending | - Select-Object -First 1 - - if (-not $signtool) { throw "signtool.exe not found under $root" } + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 - "Found: $($signtool.FullName)" - $dir = Split-Path $signtool.FullName - Add-Content -Path $env:GITHUB_PATH -Value $dir - - - name: Write certificate file for signing - if: ${{ runner.os == 'Windows' }} - shell: powershell + - name: Setup DigiCert Software Trust Manager + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + uses: digicert/code-signing-software-trust-action@v1 env: - DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} - run: | - [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - name: Sign binaries for Windows - # Disabled for now since the current flow isn't working. 
- if: false - #if: ${{ runner.os == 'Windows' }} - shell: powershell + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: bash env: DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} + run: | + targetDir="$GITHUB_WORKSPACE/target/x86_64-pc-windows-msvc/release" + for exe in spacetimedb-update.exe spacetimedb-cli.exe spacetimedb-standalone.exe; do + echo "Signing $exe..." + smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \ + --input "$targetDir/$exe" + done + + - name: Verify signatures + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: pwsh run: | $ErrorActionPreference = 'Stop' - $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx' - - $signtool = Get-Command signtool.exe -ErrorAction Stop - - $files = @( - (Join-Path $targetDir 'spacetimedb-update.exe'), - (Join-Path $targetDir 'spacetimedb-cli.exe'), - (Join-Path $targetDir 'spacetimedb-standalone.exe') - ) + $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" + $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | + Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } | + Sort-Object FullName -Descending | + Select-Object -First 1 + if (-not $signtool) { throw "signtool.exe not found" } - foreach ($file in $files) { - & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file - & $signtool.Path verify /v /pa $file + $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + & $signtool.FullName verify /v /pa (Join-Path $targetDir $exe) } - name: Package (unix) From 15fe4793622d3a491523a028d3c544f544e387f6 Mon Sep 17 00:00:00 2001 
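Review bot: The decode step expands `${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` directly into the `run:` script text; GitHub's guidance is to route secrets through `env:` so they never become part of the command line, i.e. an `env:` entry `SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` and `printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12`. In the new verify step `$ErrorActionPreference = 'Stop'` does not react to a native command's exit code, so a failed `signtool verify` still lets the step pass; add `if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" }` after the call. The removed signtool line timestamped the signature (`/tr http://timestamp.digicert.com /td SHA256`) while the new `smctl sign` call passes no timestamp option — confirm smctl timestamps by default, otherwise the signatures stop validating when the certificate expires. The decoded PKCS#12 client certificate is also left at `D:\Certificate_pkcs12.p12` for the rest of the job; a final `if: always()` step that deletes it is cheap and matters if this ever runs on a self-hosted runner.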
From: rekhoff Date: Fri, 24 Apr 2026 11:37:09 -0700 Subject: [PATCH 02/13] Add branches to package script --- .github/workflows/package.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 3918d5a435b..711ecac33b7 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -4,6 +4,9 @@ on: push: tags: - '**' + branches: + - master + - release/* workflow_dispatch: permissions: From 36eb8a119c43f612c01e117f1bfede5ca605cb4e Mon Sep 17 00:00:00 2001 From: rekhoff Date: Fri, 24 Apr 2026 11:38:26 -0700 Subject: [PATCH 03/13] Remove branches from package script --- .github/workflows/package.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 711ecac33b7..3918d5a435b 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -4,9 +4,6 @@ on: push: tags: - '**' - branches: - - master - - release/* workflow_dispatch: permissions: From acc8d348139a785a3887d0798298cc8af136ce3d Mon Sep 17 00:00:00 2001 From: rekhoff Date: Fri, 24 Apr 2026 14:15:35 -0700 Subject: [PATCH 04/13] Adding DigiCert Healthcheck step for troubleshooting --- .github/workflows/package.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 3918d5a435b..a3d988792eb 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
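Review bot: The added `branches:` trigger runs this packaging workflow on every push to `master` and `release/*`, but the Windows signing steps stay gated on `startsWith(github.ref, 'refs/tags/')`, so branch builds will emit unsigned Windows binaries that look like release output. If branch builds are meant only as a build smoke test, say so next to the trigger, e.g. `# branch pushes build but do not sign; signed artifacts come only from tag pushes`, and make sure the packaging/upload steps (outside this hunk) are gated the same way or clearly labelled.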
@@ -65,6 +65,26 @@ jobs: SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + - name: DigiCert healthcheck + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: bash + env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + run: | + echo "SM_HOST length: ${#SM_HOST}" + echo "SM_API_KEY length: ${#SM_API_KEY}" + echo "SM_CLIENT_CERT_PASSWORD length: ${#SM_CLIENT_CERT_PASSWORD}" + echo "SM_CLIENT_CERT_FILE: ${SM_CLIENT_CERT_FILE}" + if [ -f /d/Certificate_pkcs12.p12 ]; then + echo "Cert file size: $(wc -c < /d/Certificate_pkcs12.p12) bytes" + else + echo "CERT FILE MISSING" + fi + smctl healthcheck + - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update From 8acf72118327f46868be85e5572078077e7e5a78 Mon Sep 17 00:00:00 2001 From: rekhoff Date: Fri, 24 Apr 2026 15:54:43 -0700 Subject: [PATCH 05/13] Add keys to binary signing step --- .github/workflows/package.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index a3d988792eb..3a3c4086ee4 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -93,6 +93,10 @@ jobs: if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: bash env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | targetDir="$GITHUB_WORKSPACE/target/x86_64-pc-windows-msvc/release" From 6361f8b2b008ee144673d70f9a6fde566b8c135c Mon Sep 17 00:00:00 2001 
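Review bot: The healthcheck echoes `${#SM_API_KEY}` and `${#SM_CLIENT_CERT_PASSWORD}` into the build log; the length of a secret is derived data that GitHub's log masking does not cover, and it should not be published even in a temporary diagnostic — drop those two lines and keep the checks on non-secret values. The `CERT FILE MISSING` branch only prints and continues, so the step succeeds when the decode step produced nothing; make it `echo "CERT FILE MISSING"; exit 1`. If the step is kept at all, mark it as temporary in its name so it is not forgotten in tag builds.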
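Review bot: With this hunk the four `SM_*` variables are repeated verbatim in three steps, which invites hoisting them to a job-level `env:` — please do not: the Compile step runs `cargo build`, which executes build scripts and proc-macros from every dependency, and a job-level env would expose `SM_API_KEY` and the client-certificate password to that code. Keep the per-step scoping and record the reason so a later cleanup does not undo it, e.g. `# SM_* secrets are scoped per step on purpose: they must not be visible to cargo build`.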
From: rekhoff Date: Fri, 24 Apr 2026 18:21:13 -0700 Subject: [PATCH 06/13] Correct `signtool` install --- .github/workflows/package.yml | 67 +++++++++++++++++------------------ 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 3a3c4086ee4..e96540a9696 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -50,6 +50,22 @@ jobs: - name: Install rust target run: rustup target add ${{ matrix.target }} + - name: Add signtool.exe to PATH + if: ${{ runner.os == 'Windows' }} + shell: pwsh + run: | + $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" + $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | + Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } | + Sort-Object FullName -Descending | + Select-Object -First 1 + + if (-not $signtool) { throw "signtool.exe not found under $root" } + + "Found: $($signtool.FullName)" + $dir = Split-Path $signtool.FullName + Add-Content -Path $env:GITHUB_PATH -Value $dir + - name: Decode DigiCert client auth certificate if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: bash 
@@ -65,26 +81,6 @@ jobs: SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - - name: DigiCert healthcheck - if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} - shell: bash - env: - SM_HOST: ${{ vars.SM_HOST }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - run: | - echo "SM_HOST length: ${#SM_HOST}" - echo "SM_API_KEY length: ${#SM_API_KEY}" - echo "SM_CLIENT_CERT_PASSWORD length: ${#SM_CLIENT_CERT_PASSWORD}" - echo "SM_CLIENT_CERT_FILE: ${SM_CLIENT_CERT_FILE}" - if [ -f /d/Certificate_pkcs12.p12 ]; then - echo "Cert file size: $(wc -c < /d/Certificate_pkcs12.p12) bytes" - else - echo "CERT FILE MISSING" - fi - smctl healthcheck - - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update 
@@ -93,34 +89,37 @@ jobs: if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: bash env: - SM_HOST: ${{ vars.SM_HOST }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | + set -e targetDir="$GITHUB_WORKSPACE/target/x86_64-pc-windows-msvc/release" + failed=0 for exe in spacetimedb-update.exe spacetimedb-cli.exe spacetimedb-standalone.exe; do echo "Signing $exe..." - smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \ - --input "$targetDir/$exe" + output=$(smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \ + --input "$targetDir/$exe" 2>&1) || true + echo "$output" + if echo "$output" | grep -q "FAILED"; then + echo "::error::$exe signing FAILED" + failed=1 + else + echo "$exe signed successfully" + fi done + if [ "$failed" -eq 1 ]; then + exit 1 + fi - name: Verify signatures if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: pwsh run: | $ErrorActionPreference = 'Stop' - $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" - $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | - Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } | - Sort-Object FullName -Descending | - Select-Object -First 1 - if (-not $signtool) { throw "signtool.exe not found" } - $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { - & $signtool.FullName verify /v /pa (Join-Path $targetDir $exe) + $path = Join-Path $targetDir $exe + & signtool.exe verify /v /pa $path + if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" } } - name: Package (unix) From 080d7fe3d8456fc9d05cc622d814a1663166007e Mon Sep 17 00:00:00 2001 
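Review bot: `|| true` discards smctl's exit status and success is then decided by `grep -q "FAILED"` on the captured text, so a run that exits non-zero without printing that word (network error, bad credentials, unknown alias) is logged as `signed successfully` and only the separate `signtool verify` step would notice. Fold the exit status into the test while keeping the diagnostic output: `rc=0; output=$(smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" --input "$targetDir/$exe" 2>&1) || rc=$?`, then `echo "$output"`, then `if [ "$rc" -ne 0 ] || grep -q "FAILED" <<<"$output"; then failed=1; fi`. The `set -e` line is redundant because `shell: bash` on GitHub Actions already runs with `-e -o pipefail`, which is presumably what made the `|| true` necessary in the first place. The `$LASTEXITCODE` check added to the verify step is the right fix on that side.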
From: rekhoff Date: Fri, 24 Apr 2026 18:57:42 -0700 Subject: [PATCH 07/13] Readding DigiCert authentication environment variables --- .github/workflows/package.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index e96540a9696..e0519710944 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -89,6 +89,10 @@ jobs: if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: bash env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | set -e From 10a3c68a9cc8d3f71eec16c2a33a2206029fd88a Mon Sep 17 00:00:00 2001 From: rekhoff Date: Sat, 25 Apr 2026 09:24:00 -0700 Subject: [PATCH 08/13] Adding step to register signtool with smctl --- .github/workflows/package.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index e0519710944..b9870a66083 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
@@ -81,6 +81,21 @@ jobs: SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + - name: Register signtool with smctl and verify + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: pwsh + env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + run: | + $ErrorActionPreference = 'Stop' + # Register signtool with smctl so it can find it during signing + smctl windows signtool register + # Run healthcheck to confirm everything is connected + smctl healthcheck + - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update From 7ca107690e8786f54f21e83df374e910f22be9df Mon Sep 17 00:00:00 2001 From: rekhoff Date: Sat, 25 Apr 2026 10:16:14 -0700 Subject: [PATCH 09/13] Added verbose logging to code sign command --- .github/workflows/package.yml | 36 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index b9870a66083..8ab28833ec6 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -102,7 +102,7 @@ jobs: - name: Sign binaries for Windows if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} - shell: bash + shell: pwsh env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} 
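Review bot: `$ErrorActionPreference = 'Stop'` does not make pwsh fail on a native command's non-zero exit (that needs `$PSNativeCommandUseErrorActionPreference`, which is off by default), so a failing `smctl windows signtool register` or `smctl healthcheck` is swallowed and the step reports success; add `if ($LASTEXITCODE -ne 0) { throw "smctl call failed ($LASTEXITCODE)" }` after each call. The step also receives the full `SM_*` secret set; if it exists only for troubleshooting, name it as such so it is removed before tag builds rely on it.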
@@ -110,24 +110,22 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | - set -e - targetDir="$GITHUB_WORKSPACE/target/x86_64-pc-windows-msvc/release" - failed=0 - for exe in spacetimedb-update.exe spacetimedb-cli.exe spacetimedb-standalone.exe; do - echo "Signing $exe..." - output=$(smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \ - --input "$targetDir/$exe" 2>&1) || true - echo "$output" - if echo "$output" | grep -q "FAILED"; then - echo "::error::$exe signing FAILED" - failed=1 - else - echo "$exe signed successfully" - fi - done - if [ "$failed" -eq 1 ]; then - exit 1 - fi + $ErrorActionPreference = 'Continue' + $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' + $failed = $false + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + Write-Host "Signing $exe..." + & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path 2>&1 | Tee-Object -Variable output + $output = $output -join "`n" + if ($output -match 'FAILED') { + Write-Host "::error::$exe signing FAILED" + $failed = $true + } else { + Write-Host "$exe signed successfully" + } + } + if ($failed) { exit 1 } - name: Verify signatures if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} From 57c1b773d72323b9f9c435875722b227f50f0cf3 Mon Sep 17 00:00:00 2001 From: rekhoff Date: Sat, 25 Apr 2026 11:11:53 -0700 Subject: [PATCH 10/13] Sync certificates from DigiCert cloud to local Windows certificate store --- .github/workflows/package.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 8ab28833ec6..967d8332d74 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
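Review bot: The pwsh rewrite never consults `$LASTEXITCODE` after `smctl sign`, and with `$ErrorActionPreference = 'Continue'` a non-zero exit that does not print `FAILED` is reported as `signed successfully` — the same gap the bash version had; change the condition to `if ($LASTEXITCODE -ne 0 -or $output -match 'FAILED')`. The `--verbose` output merged via `2>&1` is now written into the public build log; check what the client prints (host, account, keypair details) before leaving that flag on for tag builds, or drop it once the flow works.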
@@ -81,7 +81,7 @@ jobs: SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - - name: Register signtool with smctl and verify + - name: Sync DigiCert certificate to local store and verify if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: pwsh env: @@ -91,8 +91,9 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} run: | $ErrorActionPreference = 'Stop' - # Register signtool with smctl so it can find it during signing - smctl windows signtool register + # Sync certificates from DigiCert cloud to local Windows certificate store + # This is required so signtool can find the certificate + smctl windows certsync # Run healthcheck to confirm everything is connected smctl healthcheck From 9b780d52430fb6105adf49cff37b4ef169a202c6 Mon Sep 17 00:00:00 2001 From: rekhoff Date: Sat, 25 Apr 2026 12:05:42 -0700 Subject: [PATCH 11/13] Add certificates diagnostics for troubleshooting --- .github/workflows/package.yml | 43 ++++++++++++++++++++++++++--------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 967d8332d74..ebe599b64f2 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
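Review bot: Neither `smctl windows certsync` nor `smctl healthcheck` is followed by a `$LASTEXITCODE` check, and `$ErrorActionPreference = 'Stop'` does not fail a pwsh step on a native command's exit code, so a failed sync surfaces only when signing fails later; add `if ($LASTEXITCODE -ne 0) { throw "smctl windows certsync failed" }` after the sync. The step also runs before Compile, so the synced certificate sits in the runner's store for the whole build; placing it immediately before the Sign step keeps that window as short as possible. The private key presumably stays in DigiCert's KSP, so what is exposed is the certificate inventory rather than key material — worth stating in the step comment once confirmed.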
@@ -101,6 +101,22 @@ jobs: run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update + - name: List synced certificates (diagnostic) + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: pwsh + env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + run: | + Write-Host "=== Certificates in CurrentUser\My ===" + Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize + Write-Host "=== Certificates in LocalMachine\My ===" + Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize + Write-Host "=== smctl keypair list ===" + smctl keypair ls + - name: Sign binaries for Windows if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: pwsh 
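Review bot: This diagnostic prints every certificate subject and thumbprint in `CurrentUser\My` and `LocalMachine\My` plus the full `smctl keypair ls` output into the public build log, which is an inventory of the signing account; it also receives `SM_API_KEY` and the client-certificate password although only `smctl keypair ls` needs them. If it is kept for now, name it `List synced certificates (diagnostic - remove before release)` and check `$LASTEXITCODE` after the `smctl` call like the other steps; otherwise drop it before merging.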
@@ -111,22 +127,27 @@ jobs: SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | - $ErrorActionPreference = 'Continue' + $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - $failed = $false + + # Find the code signing certificate synced from DigiCert + $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 + if (-not $cert) { + $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1 + } + if (-not $cert) { + throw "No code signing certificate found in certificate store" + } + $thumbprint = $cert.Thumbprint + Write-Host "Using certificate: $($cert.Subject) [$thumbprint]" + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { $path = Join-Path $targetDir $exe Write-Host "Signing $exe..." - & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path 2>&1 | Tee-Object -Variable output - $output = $output -join "`n" - if ($output -match 'FAILED') { - Write-Host "::error::$exe signing FAILED" - $failed = $true - } else { - Write-Host "$exe signed successfully" - } + & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path + if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } + Write-Host "$exe signed successfully" } - if ($failed) { exit 1 } - name: Verify signatures if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} From 589957ff23ba6bd6ff1d33e83c60e5c39862986a Mon Sep 17 00:00:00 2001 From: rekhoff Date: Mon, 27 Apr 2026 08:37:23 -0700 Subject: [PATCH 12/13] Yet another test with additional logging --- .github/workflows/package.yml | 40 ++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 15 deletions(-) 
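Review bot: The signing certificate is chosen by `Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1` with a fallback to `LocalMachine\My`, so whichever code-signing certificate happens to be first in the store signs the release — on a reused or self-hosted runner, or an account that syncs more than one certificate, that can silently be the wrong identity. Pin the expected certificate instead: keep its thumbprint in a repository variable and select with `$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Thumbprint -eq $env:SIGNING_CERT_THUMBPRINT }`, throwing when the match count is not exactly one. The `Using certificate:` log line is good for audit and should stay.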
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index ebe599b64f2..0c35e5b22f3 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -93,7 +93,8 @@ jobs: $ErrorActionPreference = 'Stop' # Sync certificates from DigiCert cloud to local Windows certificate store # This is required so signtool can find the certificate - smctl windows certsync + Write-Host "Syncing certificates from DigiCert cloud..." + smctl windows certsync --verbose # Run healthcheck to confirm everything is connected smctl healthcheck 
@@ -130,23 +131,32 @@ jobs: $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - # Find the code signing certificate synced from DigiCert - $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 + # Check if certsync placed a code signing certificate in the store + $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1 if (-not $cert) { - $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1 + $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1 } - if (-not $cert) { - throw "No code signing certificate found in certificate store" - } - $thumbprint = $cert.Thumbprint - Write-Host "Using certificate: $($cert.Subject) [$thumbprint]" - foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { - $path = Join-Path $targetDir $exe - Write-Host "Signing $exe..." - & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path - if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } - Write-Host "$exe signed successfully" + if ($cert) { + $thumbprint = $cert.Thumbprint + Write-Host "Found certificate: $($cert.Subject) [$thumbprint]" + Write-Host "Signing with signtool /sha1..." + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + Write-Host "Signing $exe..." + & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path + if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } + Write-Host "$exe signed successfully" + } + } else { + Write-Host "No cert in store, using smctl sign with keypair alias..." 
+ foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + Write-Host "Signing $exe..." + & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path + if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } + Write-Host "$exe signed successfully" + } } - name: Verify signatures From 9b26db319e49acb8606a28c4e6e2f179544a479a Mon Sep 17 00:00:00 2001 From: rekhoff Date: Mon, 27 Apr 2026 09:33:05 -0700 Subject: [PATCH 13/13] Cleaned up and removed debug diagnostics and dead paths --- .github/workflows/package.yml | 66 ++++------------------------------- 1 file changed, 6 insertions(+), 60 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 0c35e5b22f3..75be770d754 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
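Review bot: The step now picks its signing backend from runner state: if any code-signing certificate is in the store the first one found is used with `signtool /sha1`, otherwise it falls back to `smctl sign`, so two runs of the same tag can be signed through different paths and a stray certificate on the runner is used silently. A release signing step should have exactly one path — either require the certsync certificate and `throw` when it is absent, or drop the store branch entirely — and the `-ErrorAction SilentlyContinue` on the two `Get-ChildItem` calls should go so store-access errors are visible. The `Found certificate:` and `No cert in store` messages are useful for the log, but the decision itself should not be data-dependent.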
@@ -81,43 +81,10 @@ jobs: SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - - name: Sync DigiCert certificate to local store and verify - if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} - shell: pwsh - env: - SM_HOST: ${{ vars.SM_HOST }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - run: | - $ErrorActionPreference = 'Stop' - # Sync certificates from DigiCert cloud to local Windows certificate store - # This is required so signtool can find the certificate - Write-Host "Syncing certificates from DigiCert cloud..." - smctl windows certsync --verbose - # Run healthcheck to confirm everything is connected - smctl healthcheck - - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - - name: List synced certificates (diagnostic) - if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} - shell: pwsh - env: - SM_HOST: ${{ vars.SM_HOST }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - run: | - Write-Host "=== Certificates in CurrentUser\My ===" - Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize - Write-Host "=== Certificates in LocalMachine\My ===" - Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize - Write-Host "=== smctl keypair list ===" - smctl keypair ls - - name: Sign binaries for Windows if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} shell: pwsh 
@@ -130,33 +97,12 @@ jobs: run: | $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - - # Check if certsync placed a code signing certificate in the store - $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1 - if (-not $cert) { - $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1 - } - - if ($cert) { - $thumbprint = $cert.Thumbprint - Write-Host "Found certificate: $($cert.Subject) [$thumbprint]" - Write-Host "Signing with signtool /sha1..." - foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { - $path = Join-Path $targetDir $exe - Write-Host "Signing $exe..." - & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path - if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } - Write-Host "$exe signed successfully" - } - } else { - Write-Host "No cert in store, using smctl sign with keypair alias..." - foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { - $path = Join-Path $targetDir $exe - Write-Host "Signing $exe..." - & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path - if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } - Write-Host "$exe signed successfully" - } + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + Write-Host "Signing $exe..." + & smctl sign --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path + if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } + Write-Host "$exe signed successfully" } - name: Verify signatures
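Review bot: The final loop checks `$LASTEXITCODE` after `smctl sign`, which closes the gap the earlier grep-for-FAILED versions had; what is still missing is a timestamp: the signtool path this series replaces timestamped via `/tr http://timestamp.digicert.com /td SHA256`, while `smctl sign` here is given no timestamp option — confirm that smctl timestamps by default (with SHA-256) or pass its timestamp option, otherwise the signatures stop validating when the certificate expires. The verify step that follows is outside this hunk and, as written earlier in the series, uses `signtool verify /v /pa`, which accepts any trusted code-signing signature; consider also asserting `(Get-AuthenticodeSignature $path).SignerCertificate.Thumbprint` against the expected thumbprint so a signature from the wrong key fails the build. The step's `if:` and `env:` lines are above the hunk.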