chore: migrate digicert signing action to Node.js 24 successor - BED-8168

.github/workflows/publish.yml

@@ -91,56 +91,31 @@ jobs:
           name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
           path: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
 
-      - name: Install osslsigncode & pkcs11 engine
+      - name: Setup SM_CLIENT_CERT_FILE
+        shell: bash
         run: |
-          sudo apt-get update
-          sudo apt-get install -y osslsigncode libengine-pkcs11-openssl
+          export SM_CLIENT_CERT_FILE=${RUNNER_TEMP}/Certifiact_pkcs12.p12
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${SM_CLIENT_CERT_FILE}
+          echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> $GITHUB_ENV
 
-      - name: Install DigiCert Client Tools
+      - name: Setup Software Trust Manager & Sign
         id: digicert
-        uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # ratchet:digicert/ssm-code-signing@v1.2.1
-
-      - name: Set PKCS#11 Paths
-        id: pkcs11
-        run: |
-          SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
-          echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
-          LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl | grep "libpkcs11.so")"
-          echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"
-
-      - name: Sign Artifacts via DigiCert Signing Manager
+        uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # ratchet:digicert/code-signing-software-trust-action@v1.2.1
+        with:
+          simple-signing-mode: true
+          input: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
+          keypair-alias: ${{ secrets.SM_KEYPAIR_ALIAS }}
         env:
           SM_HOST: ${{ secrets.SM_HOST }}
           SM_API_KEY: ${{ secrets.SM_API_KEY }}
-          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE}}
           SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
-        shell: bash
-        run: |
-          export SM_CLIENT_CERT_FILE=$(mktemp)
-          printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
-          trap 'rm $SM_CLIENT_CERT_FILE' EXIT
 
-          mkdir signed
-          artifact=unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
-          smctl sign --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --input "$artifact" --openssl-pkcs11-engine "${{ steps.pkcs11.outputs.engine }}" --pkcs11-module "${{ steps.pkcs11.outputs.module }}" --tool osslsigncode --verbose
-          mv "$artifact" "signed/azurehound.exe"
-
-      - name: Verify Signed Artifacts
-        env:
-          SM_HOST: ${{ secrets.SM_HOST }}
-          SM_API_KEY: ${{ secrets.SM_API_KEY }}
-          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
-          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+      - name: Move Signed Artifacts
         shell: bash
         run: |
-          export SM_CLIENT_CERT_FILE=$(mktemp)
-          printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
-          smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
-          trap 'rm $SM_CLIENT_CERT_FILE cert-chain.pem' EXIT
-
-          for artifact in signed/*; do
-            osslsigncode verify -CAfile cert-chain.pem "$artifact"
-          done
+          mkdir signed
+          mv unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe signed/azurehound.exe
 
       - name: Zip Signed Executables
         run: |