### Install testing dependencies Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Install the required testing packages including Jest and Nock. ```bash npm install --save-dev jest @types/jest ts-jest @jest/globals nock @types/nock ``` -------------------------------- ### Setup Software Trust Manager on Windows (Standard) Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md Configures the Software Trust Manager action with standard features on Windows. Ensure SM_CLIENT_CERT_FILE is correctly set to the decoded certificate path. ```yaml steps: - name: Setup SM_CLIENT_CERT_FILE from base64 secret data run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 shell: bash - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} shell: bash ``` -------------------------------- ### Setup Software Trust Manager on Windows (Simple Signing) Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md Configures the Software Trust Manager action for simple signing mode on Windows. This mode is recommended and requires input files and a keypair alias for signing. ```yaml steps: - name: Setup SM_CLIENT_CERT_FILE from base64 secret data run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 shell: bash - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true # If the below 2 parameters are supplied, then smctl executable is invoked to attempt the signing. input: keypair-alias: env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} shell: bash ``` -------------------------------- ### Setup Software Trust Manager on Ubuntu/macOS (Standard) Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md Configures the Software Trust Manager action with standard features on Ubuntu and macOS. Uses RUNNER_TEMP_DIR for certificate storage. ```yaml steps: - name: Setup SM_CLIENT_CERT_FILE from base64 secret data run: | export SM_CLIENT_CERT_FILE=${RUNNER_TEMP_DIR}/Certificate_pkcs12.p12 echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE} shell: bash - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${SM_CLIENT_CERT_FILE} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} shell: bash ``` -------------------------------- ### Install Jest types Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Install missing Jest type definitions if global variables are not found. ```bash npm install --save-dev @types/jest ``` -------------------------------- ### smctl command examples for simplified signing Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt These examples illustrate how the `smctl sign` command is constructed for simplified signing operations, including options for timestamping, digest algorithms, and bulk signing. ```typescript // Example smctl command generated: // smctl sign --simple --input ./dist/app.exe --keypair-alias prod-key --timestamp=true --digalg SHA-256 --exit-non-zero-on-fail --failfast ``` ```typescript // With bulk signing enabled: // smctl sign --simple --input ./release/ --keypair-alias prod-key --bulk ``` ```typescript // Sign only unsigned files: // smctl sign --simple --input ./mixed-signed/ --keypair-alias prod-key --unsigned ``` -------------------------------- ### Software Trust Manager tool setup process Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt This outlines the internal process for downloading, verifying, extracting, and caching Software Trust Manager tools across different platforms. It includes checksum verification and retry mechanisms. ```typescript // Internal tool setup with caching and verification // src/tool_setup.ts // Available tools: // - SMCTL: Command-line signing tool (all platforms) // - SMTOOLS: Bundled toolkit (Windows MSI, Linux TAR) // - SMPKCS11: PKCS#11 library (macOS DMG) // - SMCTK: Signing client toolkit (macOS ZIP) // - SCD: Smart card daemon (macOS DMG) // Tool download flow: // 1. Check GitHub tool cache for existing version // 2. Download SHA-256 checksum from CDN // 3. Download tool binary with retry (3 attempts, exponential backoff) // 4. Verify downloaded file against checksum // 5. Extract archive (MSI/DMG/ZIP/TAR based on platform) // 6. Cache extracted tool for future runs // 7. Add to PATH (executables only) // PKCS#11 configuration generated at: // ${toolPath}/pkc11Properties.cfg // Contents: // name="DigiCert Software Trust Manager" // library=/path/to/smpkcs11.{dll|so|dylib} // slotListIndex=0 ``` -------------------------------- ### Setup Software Trust Manager on Ubuntu/macOS (Simple Signing) Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md Configures the Software Trust Manager action for simple signing mode on Ubuntu and macOS. This recommended mode requires input files and a keypair alias. ```yaml steps: - name: Setup SM_CLIENT_CERT_FILE from base64 secret data run: | export SM_CLIENT_CERT_FILE=${RUNNER_TEMP_DIR}/Certificate_pkcs12.p12 echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE} shell: bash - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true # If the below 2 parameters are supplied, then smctl executable is invoked to attempt the signing. input: keypair-alias: env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${SM_CLIENT_CERT_FILE} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} shell: bash ``` -------------------------------- ### Setup Self-Hosted Runner Configuration Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Configures the action for self-hosted runners, including custom CDN URLs and manual cache management. Disables GitHub-specific services that are unavailable in self-hosted environments. ```yaml # Self-hosted runner configuration jobs: sign-self-hosted: runs-on: self-hosted steps: - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true input: ./binaries/ keypair-alias: internal-signing-key # Custom CDN for air-gapped environments digicert-cdn: https://internal-cdn.company.com/stm/latest # Disable GitHub caching service (not available on self-hosted) use-github-caching-service: false # Manual cache version control cache-version: '2.0.0' # Disable SHA-256 checksum (if internal CDN doesn't provide .sha256 files) use-binary-sha256-checksum: false env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} ``` -------------------------------- ### Configure Windows Signing with Simple Signing Mode Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Sets up the Software Trust Manager for simple signing on Windows. Ensure the certificate file is decoded and available. This configuration uses SHA-256 digest and enables GitHub caching. ```yaml # .github/workflows/sign.yml name: Sign Release Binaries on: release: types: [created] jobs: sign-windows: runs-on: windows-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Decode certificate file run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 shell: bash - name: Setup Software Trust Manager with Simple Signing uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true input: ./dist/myapp.exe keypair-alias: my-production-key digest-alg: SHA-256 timestamp: true fail-fast: true use-github-caching-service: true use-binary-sha256-checksum: true env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: D:\\Certificate_pkcs12.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} ``` -------------------------------- ### Sign with SignTool on Windows Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Use this snippet to sign executables on Windows using SignTool and the DigiCert KSP. Ensure the certificate is set up correctly and the thumbprint is available. ```yaml jobs: sign-with-signtool: runs-on: windows-latest steps: - name: Setup certificate run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > D:/cert.p12 shell: bash - name: Setup Software Trust Manager id: stm-setup uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: false # Traditional mode env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: D:\cert.p12 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - name: Sign with SignTool run: | # Use the PKCS11 config output from setup step echo "PKCS11 Config: ${{ steps.stm-setup.outputs.PKCS11_CONFIG }}" # Sign using SignTool with DigiCert KSP signtool sign /sha1 ${{ secrets.CERT_THUMBPRINT }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 myapp.exe shell: cmd ``` -------------------------------- ### GitHub Actions Workflow with Software Trust Action Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md This YAML snippet demonstrates how to use the Software Trust Action in a GitHub Actions workflow. It shows setting up the action and then using its output to reference the PKCS11 configuration file. ```yaml - name: Setup Software Trust Manager id: stm-setup uses: digicert/code-signing-software-trust-action@v1 env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} shell: bash - name: Use PKCS11 config in subsequent step run: | echo "PKCS11 config file location: ${{ steps.stm-setup.outputs.PKCS11_CONFIG }}" # Use the config file with your signing tool shell: bash ``` -------------------------------- ### Configure Ubuntu/macOS Signing with Simple Signing Mode Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Sets up the Software Trust Manager for simple signing on Ubuntu or macOS. The certificate is decoded and stored in the runner's temporary directory. This configuration signs files that are not already signed. ```yaml # Simple signing on Ubuntu/macOS jobs: sign-linux: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup certificate run: | export SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/Certificate_pkcs12.p12 echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE} echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> $GITHUB_ENV shell: bash - name: Setup Software Trust Manager uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true input: ./build/ keypair-alias: release-signing-key-2024 unsigned: true # Only sign files that aren't already signed env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} ``` -------------------------------- ### Run test commands Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Various commands to execute tests, including watch mode, coverage reports, and filtering. ```bash npm test ``` ```bash npm run test:watch ``` ```bash npm run test:coverage ``` ```bash npm run test:unit ``` ```bash npm run test:integration ``` ```bash npm test -- utils.test.ts ``` ```bash npm test -- --testNamePattern="randomFileName" ``` -------------------------------- ### macOS Code Signing Workflow Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt This YAML workflow demonstrates setting up certificates and signing a macOS application using the Software Trust Manager action in traditional mode. ```yaml # macOS code signing workflow jobs: sign-macos: runs-on: macos-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup certificate run: | export SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/Certificate_pkcs12.p12 echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE} echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> $GITHUB_ENV - name: Setup DigiCert STM (Traditional Mode) uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: false env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - name: Sign macOS Application run: | # smctl and signing tools are now in PATH smctl sign --simple --keypair-alias mac-signing-key --input ./MyApp.app ``` -------------------------------- ### Configure Bulk Signing Mode Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Enables bulk signing for multiple files in a single batch operation on Ubuntu. The certificate is decoded and stored in the runner's temporary directory. This configuration allows signing to continue even if some files fail. ```yaml # Bulk sign all executables in a directory jobs: bulk-sign: runs-on: ubuntu-latest steps: - name: Setup certificate run: | echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${RUNNER_TEMP}/cert.p12 echo "SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/cert.p12" >> $GITHUB_ENV - name: Bulk Sign Release Artifacts uses: digicert/code-signing-software-trust-action@v1 with: simple-signing-mode: true bulk-sign-mode: true # Enable batch signing input: ./release-artifacts/ keypair-alias: production-key fail-fast: false # Continue signing even if some files fail zero-exit-code-on-failure: false env: SM_HOST: ${{ vars.SM_HOST }} SM_API_KEY: ${{ secrets.SM_API_KEY }} SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} ``` -------------------------------- ### Write a unit test Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Basic structure for a unit test using Jest. ```typescript import { myFunction } from '../../src/my-module'; describe('myFunction', () => { it('should do something specific', () => { const result = myFunction('input'); expect(result).toBe('expected output'); }); it('should handle edge cases', () => { expect(() => myFunction('')).toThrow('Invalid input'); }); }); ``` -------------------------------- ### Implement Arrange-Act-Assert Pattern Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Structure your tests using the Arrange-Act-Assert pattern for clarity and maintainability. This involves setting up preconditions, executing the code under test, and verifying the outcome. ```typescript it('should do something', () => { // Arrange: Setup const input = 'test'; // Act: Execute const result = myFunction(input); // Assert: Verify expect(result).toBe('expected'); }); ``` -------------------------------- ### Project test structure Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Directory layout for the test suite. ```text tests/ ├── unit/ # Pure unit tests (no external dependencies) │ ├── utils.test.ts # Tests for utility functions │ ├── tool_setup.test.ts # Tests for tool setup logic │ └── file_operations.test.ts # Tests for file operations ├── integration/ # Integration tests (mocked external deps) │ ├── cdn_download.test.ts # CDN download with mocked HTTP │ └── windows_registry.test.ts # Windows registry setup tests ├── fixtures/ # Test data and sample files │ ├── sample-files/ │ └── mock-responses/ ├── __mocks__/ # Manual mocks for modules │ └── @actions/ │ └── core.ts # Mock for GitHub Actions core API └── README.md # This file ``` -------------------------------- ### Write platform-specific tests Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Skip tests based on the current operating system. ```typescript it('should set execute permissions on Linux/Mac', async () => { if (process.platform === 'win32') { return; // Skip on Windows } // Test Unix-specific functionality await chmod(filePath); const stats = await fs.stat(filePath); expect(stats.mode & 0o111).toBeGreaterThan(0); }); ``` -------------------------------- ### Configure Authentication Environment Variables Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Defines the required environment variables for DigiCert Software Trust Manager authentication. Ensure sensitive values are stored as GitHub Actions secrets. ```yaml # Required environment variables env: # DigiCert ONE environment URL (use GitHub Actions variables) SM_HOST: ${{ vars.SM_HOST }} # Example: https://clientauth.one.digicert.com # API key from DigiCert ONE Account Manager (use GitHub Actions secrets) SM_API_KEY: ${{ secrets.SM_API_KEY }} # Path to .p12 client certificate file SM_CLIENT_CERT_FILE: /path/to/certificate.p12 # Password for the encrypted .p12 certificate (use GitHub Actions secrets) SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} # Generating base64-encoded certificate for secrets: # Linux/macOS: # base64 -w 0 certificate.p12 > cert_base64.txt # Windows PowerShell: # [Convert]::ToBase64String([IO.File]::ReadAllBytes("certificate.p12")) > cert_base64.txt ``` -------------------------------- ### Mock @actions/core Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Use manual mocks for the GitHub Actions core API. ```typescript import * as core from '@actions/core'; import { mockInputs, resetMocks } from '../__mocks__/@actions/core'; // Tell Jest to use our mock jest.mock('@actions/core'); describe('Action Logic', () => { beforeEach(() => { resetMocks(); }); it('should read input values', () => { // Setup mock inputs mockInputs.set('my-input', 'test-value'); // Your test code that calls core.getInput() const value = core.getInput('my-input'); expect(value).toBe('test-value'); }); }); ``` -------------------------------- ### Write an integration test with Nock Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Mock HTTP requests using Nock for integration testing. ```typescript import nock from 'nock'; import { downloadFromCDN } from '../../src/downloader'; describe('CDN Download', () => { beforeEach(() => { nock.cleanAll(); }); it('should download file from CDN', async () => { nock('https://cdn.example.com') .get('/file.zip') .reply(200, Buffer.from('fake content')); const result = await downloadFromCDN('file.zip'); expect(result).toBeDefined(); }); }); ``` -------------------------------- ### Clean up test resources Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Use lifecycle hooks to manage temporary files or resources. ```typescript describe('File Operations', () => { let tempDir: string; beforeEach(async () => { tempDir = await createSecureTempDir(); }); afterEach(async () => { await fs.rm(tempDir, { recursive: true, force: true }); }); it('should create files in temp directory', async () => { // Test code using tempDir }); }); ``` -------------------------------- ### Implement Exponential Backoff Retry Logic Source: https://context7.com/digicert/code-signing-software-trust-action/llms.txt Configures retry behavior for transient network failures during tool downloads. Adjust maxAttempts and initialDelayMs to suit specific network stability requirements. ```typescript // src/utils.ts - Retry configuration and usage interface RetryConfig { maxAttempts?: number; // Default: 3 initialDelayMs?: number; // Default: 1000ms backoffMultiplier?: number; // Default: 2 maxDelayMs?: number; // Default: 30000ms (30s) } // Internal usage example: const downloadedPath = await retryWithBackoff( async () => await tc.downloadTool(toolDownloadUrl), `Download ${tool.name} from ${toolDownloadUrl}`, { maxAttempts: 3, initialDelayMs: 1000 } ); // Retry sequence: 1000ms -> 2000ms -> 4000ms (capped at maxDelayMs) // Output on failure: // ⚠ Download smctl from https://... failed (attempt 1/3): Network error // Retrying in 1000ms with exponential backoff... // ⚠ Download smctl from https://... failed (attempt 2/3): Network error // Retrying in 2000ms with exponential backoff... // ✓ Download smctl from https://... succeeded on attempt 3/3 ``` -------------------------------- ### Write asynchronous tests Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Use async/await for testing asynchronous functions. ```typescript it('should download file asynchronously', async () => { const result = await downloadFile('test.zip'); expect(result).toBeDefined(); }); ``` -------------------------------- ### Configure Global Jest Timeout Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Set a global timeout for all tests in your Jest configuration file. This is useful for projects with consistently slow tests. ```javascript testTimeout: 30000 ``` -------------------------------- ### Mock Module Before Import Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Ensure `jest.mock()` is called before any `import` statements to correctly mock external modules. This is crucial for isolating tests. ```typescript jest.mock('@actions/core'); // Must be at top, before imports import * as core from '@actions/core'; ``` -------------------------------- ### Decode Base64 Certificate Secret Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/README.md Decodes a Base64-encoded client certificate stored in a GitHub secret into a temporary file for use by the Software Trust action. ```yaml steps: - name: Setup SM_CLIENT_CERT_FILE from base64 secret data run: | export SM_CLIENT_CERT_FILE=${RUNNER_TEMP_DIR}/Certificate_pkcs12.p12 echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE} shell: bash ``` -------------------------------- ### Increase Test Timeout in Jest Source: https://github.com/digicert/code-signing-software-trust-action/blob/main/tests/README.md Use this to increase the timeout for individual slow tests. Ensure the timeout value is appropriate for the operation's expected duration. ```typescript it('should complete slow operation', async () => { // Test code }, 30000); // 30 second timeout ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.