BUILD-11520 Migrate code-signing off deprecated digicert/ssm-code-signing#301
BUILD-11520 Migrate code-signing off deprecated digicert/ssm-code-signing#301SamirM-BE wants to merge 1 commit into
Conversation
…ning
digicert/ssm-code-signing is vendor-EOL'd (end-of-service 2026-03-01,
end-of-life 2026-05-01) in favour of DigiCert Binary Signing
(digicert/code-signing-software-trust-action), which also runs on Node 24.
Replace the tool-setup step with code-signing-software-trust-action@v1.2.1
(SHA-pinned) in its default (full) mode, which installs the Software Trust
Manager client tools + smctl and generates the PKCS#11 provider config.
Compatibility notes:
- The new action manages its own download/cache/PATH, so the bespoke
gh-action_cache of the smctl tools dir and the manual "add smctl to PATH"
step are removed; jsign keeps its own cache.
- The SM_* env + client certificate are now set up *before* the action,
because it needs them to generate the PKCS#11 config.
- The composite's public contract is preserved: SMTOOLS_PATH is derived from
the action's PKCS11_CONFIG output and a lowercase pkcs11properties.cfg is
ensured there, so consumers (e.g. sonarlint-eclipse pom.xml referencing
${env.SMTOOLS_PATH}/pkcs11properties.cfg) keep working unchanged.
- Inputs (jsign-version, force-download-tools) are unchanged;
force-download-tools now maps to the new action's use-github-caching-service.
Needs a real binary-signing smoke test on a consumer (sonarlint-eclipse).
|
| - name: Setup DigiCert Software Trust Manager tools | ||
| id: digicert-setup | ||
| uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # v1.2.1 | ||
| with: | ||
| force-download-tools: ${{ inputs.force-download-tools }} | ||
| # force-download-tools disables the action's GitHub cache so the tools are re-downloaded | ||
| use-github-caching-service: ${{ inputs.force-download-tools != 'true' }} |
There was a problem hiding this comment.
💡 Quality: Migration depends on unverified third-party action I/O contract
The migration assumes the new digicert/code-signing-software-trust-action@v1.2.1 (1) accepts an input named use-github-caching-service and (2) exposes an output named PKCS11_CONFIG. The entire SMTOOLS_PATH consumer contract is derived from steps.digicert-setup.outputs.PKCS11_CONFIG (line 63). If either name is wrong, the use-github-caching-service input would be silently ignored by Actions (composite inputs are not strictly validated against the called action), and PKCS11_CONFIG would be empty — the latter is at least caught by the fail-fast guard at lines 67-70. The PR description itself flags that real Windows signing cannot be proven here. Recommend confirming the exact input/output names against the action's action.yml before merge (the PR is correctly marked draft pending the downstream smoke test), and noting that an incorrect input name fails open (caching silently not toggled) rather than failing fast.
Was this helpful? React with 👍 / 👎
| SMTOOLS_PATH="$(dirname "${PKCS11_CONFIG}")" | ||
| echo "SMTOOLS_PATH=${SMTOOLS_PATH}" >> "$GITHUB_ENV" | ||
| # Ensure the lowercase filename consumers expect resolves to the generated config. | ||
| if [[ ! -e "${SMTOOLS_PATH}/pkcs11properties.cfg" ]]; then | ||
| ln -sf "${PKCS11_CONFIG}" "${SMTOOLS_PATH}/pkcs11properties.cfg" | ||
| fi |
There was a problem hiding this comment.
💡 Edge Case: SMTOOLS_PATH symlink assumes config dir is writable
SMTOOLS_PATH is computed as dirname(PKCS11_CONFIG) and, when pkcs11properties.cfg is absent there, a symlink is created in that directory (lines 74-76). This assumes the directory the third-party action writes its PKCS#11 config into is owned/writable by the runner user. If the action places the config under a root-owned or read-only location, ln -sf will fail and abort the step. The previous implementation used a /tmp-based path that was always writable. Consider verifying the action's config location is user-writable, or fall back to creating the symlink/copy in a controlled directory and exporting that as SMTOOLS_PATH.
Was this helpful? React with 👍 / 👎
Code Review 👍 Approved with suggestions 0 resolved / 2 findingsMigrates the code-signing action to the maintained DigiCert Binary Signing tool while preserving the 💡 Quality: Migration depends on unverified third-party action I/O contract📄 code-signing/action.yml:53-58 The migration assumes the new 💡 Edge Case: SMTOOLS_PATH symlink assumes config dir is writable📄 code-signing/action.yml:71-76
🤖 Prompt for agentsOptionsAuto-apply is off → Gitar will not commit updates to this branch. Comment with these commands to change:
Was this helpful? React with 👍 / 👎 | Gitar |



Why
code-signing/action.ymlpinneddigicert/ssm-code-signing@v1.2.1, which DigiCert has vendor-EOL'd:DigiCert steers users to DigiCert Binary Signing (
digicert/code-signing-software-trust-action), which is maintained and runs on Node 24. Tracked as BUILD-11520 (surfaced in the BUILD-10781 audit).What changed (
code-signing/action.yml)Swapped the tool-setup step to
digicert/code-signing-software-trust-action@v1.2.1(SHA-pinned) in its default (full) mode, which installs the Software Trust Manager client tools +smctland generates the PKCS#11 provider config (simple-signing-modewould only installsmctl, without the PKCS#11 modulejsignneeds, so it's intentionally left off).Because the new action manages its own download / caching / PATH, the migration is more than a
uses:swap:gh-action_cacheof/tmp/DigiCert One Signing Manager Tools/...+ manual "add smctl to PATH" stepuse-github-caching-service) — both removedSM_*env + client certSMTOOLS_PATHoutputPKCS11_CONFIGoutput; a lowercasepkcs11properties.cfgsymlink is ensured therejsign-version,force-download-toolsforce-download-toolsnow maps to the action'suse-github-caching-serviceWhy
SMTOOLS_PATHmatters (consumer contract)SonarSource/sonarlint-eclipse(the only consumer) signs via itspom.xml:So
SMTOOLS_PATH+ apkcs11properties.cfgat that path is a public output contract of this action. It is preserved here, sosonarlint-eclipseneeds no change. A fail-fast guard + a verify-step check make a broken contract obvious in CI logs rather than silently breaking signing.Acceptance criteria (BUILD-11520)
ci-github-actions/code-signing/action.ymlto the maintained actionTest plan
pre-commit(yamllint --strict + actionlint), shell specs, etc. validate structure. There is no signing in this repo's CI.sonarlint-eclipse, point the signing jobs at this branch:Verify tool installationsstep passes (smctl,jsign, andpkcs11properties.cfgunderSMTOOLS_PATHall present),jsign/SunPKCS11signing step produces signed binaries,smctl --versionand the signing step logs show no Node 20 deprecation warning.v1tag sosonarlint-eclipse@v1consumers pick it up.Risk / rollback
Low blast radius (single consumer). If signing regresses, revert this commit; the deprecated action still exists on the marketplace but is past EOL, so reverting is only a short-term measure.