[ci] Include CA certificate file alongside signed binaries

Include the relevant CA certificate in the UEFI Secure Boot build
artifacts.  This allows for easy identification of test-signed builds
without having to extract the certificate from the signed binary.

This also eases the process of adding the ephemeral test-signing
certificate to the UEFI trusted certificate list, if a user wants to
test a non-release build with Secure Boot enabled.  (The corresponding
private key is deliberately not preserved, to minimise the attack
surface that this would otherwise open up on the user's system.)

Include the commit hash and build architecture within the ephemeral
test-signing certificate's subject name, to make it obvious that the
scope is limited to signing only that single build.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2026-02-17 15:00:08 +00:00
parent a956c5feac
commit 93fc2123c3
+8 -5
@@ -238,9 +238,11 @@ jobs:
- name: Test certificate
run: |
COMMITID=$(echo ${{ github.sha }} | cut -c1-9)
SUBJECT="iPXE Test Signing (${COMMITID}, ${{ matrix.arch }})"
openssl req \
-newkey rsa:2048 -passout 'pass:testpw' -keyout testsign.key \
-subj '/CN=Test Signing/' -x509 -out testsign.crt
-subj "/CN=${SUBJECT}/" -x509 -out testsign.crt
- name: Certificate chain
run: |
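Review bot: The new SUBJECT line interpolates `${{ github.sha }}` and `${{ matrix.arch }}` directly into shell text and then passes the result unquoted into `-subj "/CN=${SUBJECT}/"`; both values are controlled by the workflow, so this is safe today, but `/` or `+` in a future arch name would be parsed as RDN separators by `openssl req -subj`. Consider reading the values from `GITHUB_SHA` and a job `env:` entry instead of inline expressions, e.g. `COMMITID=${GITHUB_SHA:0:9}`, which also drops the `echo | cut` pipeline. Separately, the `openssl req -x509` call still sets no `-days`, so the test certificate only gets OpenSSL's default validity; if test-signed builds are expected to be enrolled and verified beyond a few weeks, give the validity period explicitly.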
@@ -260,13 +262,13 @@ jobs:
-pass ${{ env.signpass }} \
-ts http://timestamp.digicert.com \
-in unsigned/${binary} \
-out signed/${binary}
-out ${binary}
done
- name: Verify
run: |
for binary in ${{ env.binaries }} ; do
osslsigncode verify -CAfile ${{ env.cacert }} signed/${binary}
osslsigncode verify -CAfile ${{ env.cacert }} ${binary}
done
- name: Upload
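Review bot: Dropping the `signed/` prefix from `-out ${binary}` and from the verify loop means the signed output now lands in the working directory next to `unsigned/${binary}`; nothing in this hunk shows whether an unsigned `${binary}` could already exist there, in which case it would be silently overwritten and the later verify would still pass. Either keep a dedicated output directory (and upload `signed/` plus the CA file) or add a comment on the sign step stating that the working directory holds only the signed outputs and the CA certificate, so the layout the upload step depends on is documented where it is produced.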
@@ -275,8 +277,9 @@ jobs:
name: ${{ env.bindir }}
if-no-files-found: error
path: |
signed/ipxe.efi
signed/snponly.efi
${{ env.cacert }}
ipxe.efi
snponly.efi
linux:
name: Linux / ${{ matrix.arch }}