{"id":28152686,"url":"https://github.com/lando/code-sign-action","last_synced_at":"2025-05-15T05:11:56.274Z","repository":{"id":42074812,"uuid":"481314397","full_name":"lando/code-sign-action","owner":"lando","description":"A GitHub action to code sign files","archived":false,"fork":false,"pushed_at":"2025-03-28T22:50:47.000Z","size":95,"stargazers_count":26,"open_issues_count":3,"forks_count":2,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-05-06T23:02:12.962Z","etag":null,"topics":["actions","devops","github-actions","lando"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lando.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["lando","pirog"],"patreon":"devwithlando","open_collective":"devwithlando","custom":"https://lando.dev/join"}},"created_at":"2022-04-13T17:37:12.000Z","updated_at":"2025-05-05T18:45:30.000Z","dependencies_parsed_at":"2023-01-11T17:22:10.640Z","dependency_job_id":"35a68e3d-303d-46cc-880c-0f0514a0e0e0","html_url":"https://github.com/lando/code-sign-action","commit_stats":{"total_commits":27,"total_committers":4,"mean_commits":6.75,"dds":"0.14814814814814814","last_synced_commit":"0779d463b08142ea9cb9bc87dc755670a8675c30"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lando%2Fcode-sign-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lando%2Fcode-sign-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lando%2Fcode-sign-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lando%2Fcode-sign-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lando","download_url":"https://codeload.github.com/lando/code-sign-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253700655,"owners_count":21949698,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","devops","github-actions","lando"],"created_at":"2025-05-15T05:11:56.057Z","updated_at":"2025-05-15T05:11:56.261Z","avatar_url":"https://github.com/lando.png","language":"JavaScript","readme":"# Code Sign Action\n\nThis is a GitHub action that allows you to code sign binary files.\n\nIt was developed specifically to code sign binaries built using [@lando/pkg-action](https://github.com/marketplace/actions/pkg-action) so it may not be appropriate for all use cases. It also can do basic [macOS notarization](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution).\n\nIt will automatically set the `signtool` based on `runner.os` and the inputs that you pass in.\n\nNote that signing is **not supported** on `linux` because you cannot sign binary files on Linux and it is not required for binaries to be signed anyway.\n\n## Required Inputs\n\n### Signtool\n\n[Signtool](https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool) is the default `signtool` when using `windows` runners.\n\nThese keys must be set correctly on a `windows` runner.\n\n| Name | Description | Example Value |\n|---|---|---|\n| `file` | The file to sign.  | `bin/test` |\n| `certificate-data` | A `base64` encoded string of your `p12` or `pfx` cert contents.| `${{ secrets.APPLE_CERT_DATA }}` |\n| `certificate-password` | The password to unlock the `certificate-data`. | `${{ secrets.APPLE_CERT_PASSWORD }}` |\n\n```yaml\njobs:\n  sign:\n    runs-on: windows-2022\n    steps:\n      - name: Sign binary\n        uses: lando/code-sign-action@v3\n        with:\n          file: path/to/binary.exe\n          certificate-data: ${{ secrets.WINDOZE_CERT_DATA }}\n          certificate-password: ${{ secrets.WINDOZE_CERT_PASSWORD }}\n```\n\n### Codesign\n\n[Codesign](https://ss64.com/mac/codesign.htmll) is the default (and currently only) `signtool` when using `macos` runners.\n\nThese keys must be set correctly on a `macos` runner.\n\n| Name | Description | Example Value |\n|---|---|---|\n| `file` | The file to sign.  | `bin/test` |\n| `certificate-data` | A `base64` encoded string of your `p12` or `pfx` cert contents. | `${{ secrets.APPLE_CERT_DATA }}` |\n| `certificate-id \\| apple-team-id` | A string to identify the correct signing cert.| `FY8GAUX282` |\n| `certificate-password` | The password to unlock the `certificate-data`. | `${{ secrets.APPLE_CERT_PASSWORD }}` |\n\n```yaml\njobs:\n  sign:\n    runs-on: macos-14\n    steps:\n      - name: Sign binary\n        uses: lando/code-sign-action@v3\n        with:\n          file: path/to/binary\n          certificate-data: ${{ secrets.APPLE_CERT_DATA }}\n          certificate-id: FY8GAUX282\n          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}\n```\n\nNote that you can also use `apple-team-id` to set the `certificate-id` if you prefer.\n\nAlso note that if you are using an [Apple Developer](https://developer.apple.com/) codesigning certificate **you must** set the `certificate-id` or `apple-team-id` to your [Apple Team ID](https://developer.apple.com/help/account/manage-your-team/locate-your-team-id/)\n\n### Codesign w/ Notarization\n\nYou can also `codesign` with basic macOS [notarization](https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution).\n\nThese keys must be set correctly on a `macos` runner.\n\n| Name | Description | Example Value |\n|---|---|---|\n| `file` | The file to sign.  | `bin/test` |\n| `certificate-data` | A `base64` encoded string of your `p12` or `pfx` cert contents. | `${{ secrets.APPLE_CERT_DATA }}` |\n| `certificate-password` | The password to unlock the `certificate-data`. | `${{ secrets.APPLE_CERT_PASSWORD }}` |\n| `apple-notary-user` | The Apple Developer account email to use in notarization. | `${{ secrets.APPLE_NOTARY_USER }}` |\n| `apple-notary-password` | The Apple Developer account password to use in notarization. | `${{ secrets.APPLE_NOTARY_PASSWORD }}` |\n| `apple-product-id` | The Apple Developer Product ID to use in notarization. | `dev.lando.code-sign-action` |\n| `apple-team-id` | The Apple Team ID for the certificate. | `FY8GAUX282` |\n| `options` | Additional options to pass into `codesign` | `--options runtime --entitlements entitlements.xml` |\n\n```yaml\njobs:\n  package:\n    runs-on: macos-11\n  steps:\n    name: Sign binary\n    uses: lando/code-sign-action@v2\n    with:\n      file: path/to/binary\n      certificate-data: ${{ secrets.APPLE_CERT_DATA }}\n      certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}\n      apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}\n      apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}\n      apple-notary-tool: altool\n      apple-team-id: FY8GAUX282\n      apple-product-id: dev.lando.code-sign-action\n      options: --options runtime --entitlements entitlements.xml\n```\n\nNote that it's only possible to `codesign` and `notarize` using an Apple Developer certificate.\n\nAlso note that you _probably_ need to set the `options` as above. You can look [here](https://github.com/lando/code-sign-action/blob/main/entitlements.xml) for an example `entitlements.xml` but you will want to configure it to your needs.\n\n### KeyLocker\n\nYou can also sign on `windows` runners using [KeyLocker](https://docs.digicert.com/zh/digicert-keylocker.html) by setting the additional `keylocker` inputs as below:\n\nThese keys must be set correctly on a `windows` runner.\n\n| Name | Description | Example Value |\n|---|---|---|\n| `file` | The file to sign.  | `bin/test` |\n| `certificate-data` | A `base64` encoded string of your `SM_CLIENT_CERT_FILE`. | `${{ secrets.KEYLOCKER_CLIENT_CERT }}` |\n| `certificate-password` | The `SM_CLIENT_CERT_PASSWORD` to unlock the `SM_CLIENT_CERT_FILE`. | `${{ secrets.KEYLOCKER_CLIENT_CERT_PASSWORD }}` |\n| `keylocker-host` | The `SM_HOST` of the KeyLocker host eg DigiCert One. | `https://clientauth.one.digicert.com`|\n| `keylocker-api-key` | The `SM_API_KEY` for the KeyLocker `SM_HOST`. | `${{ secrets.KEYLOCKER_API_KEY }}` |\n| `keylocker-cert-sha1-hash` | The `SM_CODE_SIGNING_CERT_SHA1_HASH` fingerprint for `SM_CLIENT_CERT_FILE`. | `${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}` |\n| `keylocker-keypair-alias` | The `SM_KEYPAIR_ALIAS` for the KeyLocker `SM_HOST`. | `${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}` |\n\n```yaml\njobs:\n  sign:\n    runs-on: windows-2022\n    steps:\n      - name: Sign binary\n        uses: lando/code-sign-action@v3\n        with:\n          file: dist/@lando/code-sign-action.exe\n          certificate-data: ${{ secrets.KEYLOCKER_CLIENT_CERT }}\n          certificate-password: ${{ secrets.KEYLOCKER_CLIENT_CERT_PASSWORD }}\n          keylocker-host: https://clientauth.one.digicert.com\n          keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}\n          keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}\n          keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}\n\n```\n\n## Outputs\n\n```yaml\noutputs:\n  file:\n    description: \"The path to the signed and/or notarized file.\"\n    value: ${{ steps.code-sign-action.outputs.file }}\n```\n\n## Changelog\n\nWe try to log all changes big and small in both [THE CHANGELOG](https://github.com/lando/code-sign-action/blob/main/CHANGELOG.md) and the [release notes](https://github.com/lando/code-sign-action/releases).\n\n## Releasing\n\nCreate a release and publish to [GitHub Actions Marketplace](https://docs.github.com/en/enterprise-cloud@latest/actions/creating-actions/publishing-actions-in-github-marketplace). Note that the release tag must be a [semantic version](https://semver.org/).\n\n## Maintainers\n\n* [@pirog](https://github.com/pirog)\n* [@reynoldsalec](https://github.com/reynoldsalec)\n\n## Contributors\n\n\u003ca href=\"https://github.com/lando/code-sign-action/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=lando/code-sign-action\" /\u003e\n\u003c/a\u003e\n\nMade with [contrib.rocks](https://contrib.rocks).\n\n## Other Resources\n\n* [Important advice](https://www.youtube.com/watch?v=WA4iX5D9Z64)\n","funding_links":["https://github.com/sponsors/lando","https://github.com/sponsors/pirog","https://patreon.com/devwithlando","https://opencollective.com/devwithlando","https://lando.dev/join"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flando%2Fcode-sign-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flando%2Fcode-sign-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flando%2Fcode-sign-action/lists"}