I'm trying to implement code-signing in a GitHub action using a digicert certificate. I'm using this GitHub action to guide me.
I'm using smctl with the digicert/ssm-code-signing@v0.0.2 action.
After using the ssm-code-signing action, I have smctl working, and it, indeed, finds a certificate:
ID Key Modal TYPE ALIAS ALGORITHM & SIZE/CURVE STATUS TYPE STORAGE CERTIFICATE
af658fe8-eb5b-40a2-927a-xyzxyzxyzxyz STATIC key_554917318 RSA - 3072 ONLINE PRODUCTION HSM
However, the "CERTIFICATE" column is empty, and when I try to certsync or sign I get the following error message:
$ smctl windows certsync --keypair-alias="key_554917318"
Certificate for keypair alias: key_554917318 not found
and
$ smctl sign --verbose --keypair-alias=key_554917318 --input partitions.exe
Command :
signtool sign /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "my-app.exe"
Error :
exit status 1: SignTool Error: No certificates were found that met all the given criteria.
signCommand command for file my-app.exe FAILED
Any idea of what I did wrong, and why smctl can't use my certificate? Do I need to change something on the server side?
The order of our certificate at https://one.digicert.com was still marked as "pending".
We needed to go into the key locker, and there, in the "certificates" tab, click on the "sync orders" button that appears when one hovers over the order ID.
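An added preflight check for the signing job (not from the question, the answer, or the DigiCert action): it reads the keypair listing and fails before signtool is ever invoked when the CERTIFICATE cell for the alias is blank, which is the state shown above before the order was synced. It assumes the listing arrives on stdin as a fixed-width table like the one in the question; the function names `cert_attached` and `sample_listing`, the sample rows, and the listing command name `smctl keypair ls` are assumptions.

```shell
#!/usr/bin/env sh
# Preflight for a CI signing step: refuse to run `smctl sign` while the keypair
# listing shows a blank CERTIFICATE cell for the alias, the state that precedes
# "Certificate for keypair alias ... not found" in the question.
# Assumption: the listing arrives on stdin as a fixed-width table whose header
# line contains the word CERTIFICATE (e.g. `smctl keypair ls`, an assumed name).
set -eu

# cert_attached ALIAS < listing
# Prints the certificate cell and returns 0 when it is non-empty; returns 1
# when the alias is absent, the header has no CERTIFICATE column, or the cell
# is blank (the order has not been synced to the keypair yet).
cert_attached() {
    alias_="$1"; header=""; row=""
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$header" ]; then
            header="$line"
        else
            case "$line" in *"$alias_"*) row="$line" ;; esac
        fi
    done
    [ -n "$row" ] || { echo "no keypair with alias '$alias_' in listing" >&2; return 1; }
    prefix="${header%%CERTIFICATE*}"
    [ "$prefix" != "$header" ] || { echo "listing has no CERTIFICATE column" >&2; return 1; }
    # Slice the row at the header's CERTIFICATE column offset and trim spaces.
    cert=$(printf '%s\n' "$row" | cut -c "$(( ${#prefix} + 1 ))-" \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -z "$cert" ]; then
        echo "keypair '$alias_' has no certificate attached; sync the order in DigiCert ONE before signing" >&2
        return 1
    fi
    printf '%s\n' "$cert"
}

# Constructed sample listing shaped like the question's output; $1 is the
# CERTIFICATE cell ("" reproduces the failing state from the question).
sample_listing() {
    fmt='%-38s%-16s%-16s%-24s%-8s%-12s%-9s%s\n'
    printf "$fmt" ID "Key Modal TYPE" ALIAS "ALGORITHM & SIZE/CURVE" STATUS TYPE STORAGE CERTIFICATE
    printf "$fmt" af658fe8-eb5b-40a2-927a-xyzxyzxyzxyz STATIC key_554917318 "RSA - 3072" ONLINE PRODUCTION HSM "$1"
}

# In a workflow step (assumed listing command): smctl keypair ls | cert_attached "$KEYPAIR_ALIAS"
```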