From d8d13d5e555446ad72af2f14e4395bf8586b90c4 Mon Sep 17 00:00:00 2001
From: Stran Dutton
Date: Wed, 13 May 2026 12:13:59 -0500
Subject: [PATCH 1/2] chore: migrate digicert signing action to Node.js 24 successor - BED-8168

digicert/ssm-code-signing has been deprecated by the upstream maintainer and will not receive further updates, including a Node.js 24 runtime upgrade. Per the maintainer's guidance, migrate to the successor action digicert/code-signing-software-trust-action@v1.2.1, which runs on Node.js 24 and preserves the PKCS11_CONFIG output our sign job consumes. Upstream notice: https://github.com/digicert/ssm-code-signing/issues/60
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 659ca66..8138e60 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -98,7 +98,7 @@ jobs:
 - name: Install DigiCert Client Tools
 id: digicert
- uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # ratchet:digicert/ssm-code-signing@v1.2.1
+ uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # ratchet:digicert/code-signing-software-trust-action@v1.2.1
 - name: Set PKCS#11 Paths
 id: pkcs11

From b8de6c9cdd339c6ddf7e68769d73bce2e3e8d7d8 Mon Sep 17 00:00:00 2001
From: Dillon Lees
Date: Thu, 28 May 2026 11:05:51 -0400
Subject: [PATCH 2/2] cd: align signing action with recommended setup

---
 .github/workflows/publish.yml | 53 +++++++++--------------------------
 1 file changed, 14 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8138e60..bd9fedf 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
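Review bot: The `uses:` swap in PATCH 1/2 moves to a different upstream repository while keeping a `ratchet:` comment that names the same `v1.2.1` tag as the old action; because that comment is what ratchet resolves on its next update, the pinned SHA `fae23a45…` and the `v1.2.1` tag of `digicert/code-signing-software-trust-action` should be confirmed to refer to the same commit before merge, since a mismatch would be silently re-pinned to whatever the tag resolves to. The hunk's unchanged neighbour `Set PKCS#11 Paths` still reads `steps.digicert.outputs.PKCS11_CONFIG` (its body is outside the hunk), so the commit message's statement that the successor action preserves that output is load-bearing for this patch and worth a one-off verification run before PATCH 2/2 reshapes the job.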
@@ -91,56 +91,31 @@ jobs:
 name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
 path: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
- - name: Install osslsigncode & pkcs11 engine
+ - name: Setup SM_CLIENT_CERT_FILE
+ shell: bash
 run: |
- sudo apt-get update
- sudo apt-get install -y osslsigncode libengine-pkcs11-openssl
+ export SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/Certifiact_pkcs12.p12
+ echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE}
+ echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> $GITHUB_ENV
- - name: Install DigiCert Client Tools
+ - name: Setup Software Trust Manager & Sign
 id: digicert
 uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # ratchet:digicert/code-signing-software-trust-action@v1.2.1
-
- - name: Set PKCS#11 Paths
- id: pkcs11
- run: |
- SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
- echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
- LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl | grep "libpkcs11.so")"
- echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"
-
- - name: Sign Artifacts via DigiCert Signing Manager
+ with:
+ simple-signing-mode: true
+ input: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
+ keypair-alias: ${{ secrets.SM_KEYPAIR_ALIAS }}
 env:
 SM_HOST: ${{ secrets.SM_HOST }}
 SM_API_KEY: ${{ secrets.SM_API_KEY }}
- SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+ SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE}}
 SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
- shell: bash
- run: |
- export SM_CLIENT_CERT_FILE=$(mktemp)
- printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
- trap 'rm $SM_CLIENT_CERT_FILE' EXIT
- mkdir signed
- artifact=unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
- smctl sign --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --input "$artifact" --openssl-pkcs11-engine "${{ steps.pkcs11.outputs.engine }}" --pkcs11-module "${{ steps.pkcs11.outputs.module }}" --tool osslsigncode --verbose
- mv "$artifact" "signed/azurehound.exe"
-
- - name: Verify Signed Artifacts
- env:
- SM_HOST: ${{ secrets.SM_HOST }}
- SM_API_KEY: ${{ secrets.SM_API_KEY }}
- SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
- SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+ - name: Move Signed Artifacts
 shell: bash
 run: |
- export SM_CLIENT_CERT_FILE=$(mktemp)
- printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
- smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
- trap 'rm $SM_CLIENT_CERT_FILE cert-chain.pem' EXIT
-
- for artifact in signed/*; do
- osslsigncode verify -CAfile cert-chain.pem "$artifact"
- done
+ mkdir signed
+ mv unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe signed/azurehound.exe
 - name: Zip Signed Executables
 run: |
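Review bot: The removed `Verify Signed Artifacts` step has no replacement on the new side, so after `Setup Software Trust Manager & Sign` nothing checks that `azurehound.exe` actually carries a valid signature before `Move Signed Artifacts` places it in `signed/` for zipping; restoring an independent check — the removed side's `smctl certificate download … --chain --name cert-chain.pem` followed by `osslsigncode verify -CAfile cert-chain.pem`, which also means reinstalling `osslsigncode`, and assuming `smctl` remains on PATH after the action (confirm) — would keep the assurance the old job had. The new `Setup SM_CLIENT_CERT_FILE` step also regresses credential handling in two ways: the base64 secret is interpolated into the script text with `echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"` where the removed code passed it through `env:` and read it with `printenv`, and the decoded `.p12` written under `${RUNNER_TEMP}` is never deleted (the removed `trap 'rm $SM_CLIENT_CERT_FILE' EXIT` has no successor), so the client certificate stays on disk for the rest of the job, which matters on self-hosted runners. The rewrite below moves the secret back into `env:`, quotes the shell expansions, fixes the `Certifiact` filename typo, and adds an `if: always()` cleanup step. Separately, `SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE}}` in the sign step's `env:` is missing a space before `}}` and is redundant once the value has been appended to `$GITHUB_ENV`; it is harmless but can be dropped.
```yaml
- name: Setup SM_CLIENT_CERT_FILE
  shell: bash
  env:
    SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
  run: |
    SM_CLIENT_CERT_FILE="${RUNNER_TEMP}/Certificate_pkcs12.p12"
    printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "${SM_CLIENT_CERT_FILE}"
    echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> "$GITHUB_ENV"

# … unchanged: Setup Software Trust Manager & Sign, Move Signed Artifacts …

- name: Remove Client Certificate
  if: always()
  shell: bash
  run: rm -f "${SM_CLIENT_CERT_FILE}"
```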