Releases: digicert/code-signing-software-trust-action
Security hardening, reliability improvements, and test infrastructure
[v1.1.0] – Security hardening, reliability improvements, and test infrastructure
Description
This release strengthens supply chain security, improves the reliability of network and tool installation workflows, and expands the project’s automated test infrastructure. It also includes small GitHub Action interface improvements and macOS installation enhancements.
Upgrade steps
- No special steps required
- Update your workflow to reference
v1.1.0 - Use the corrected input name
digest-alg
Breaking changes
- None
New features
- Enforced HTTPS for the
digicert-cdndownload source - Added SHA-256 checksum verification for downloaded binaries with fail-fast behavior on mismatch
- Introduced retry with exponential backoff for transient network failures
- Added new GitHub Action output for the PKCS#11 config file path
- Expanded test infrastructure to support unit, integration, coverage, and CI runs
Bug fixes
- Fixed typo in the
digest-alginput and deprecated the incorrect parameter - Improved macOS DMG handling to ensure volumes are unmounted even when errors occur
- Improved temporary and cache directory handling for better safety and clarity
Performance improvements
- Added retry with exponential backoff to reduce failures caused by transient network issues
- Installed macOS tools in parallel to speed up setup time
- Improved DMG cleanup to prevent resource leaks
Other changes
- Added secure temporary directory helper to reduce risk from insecure temporary files (CWE-377)
- Updated and expanded dev dependencies for Jest and TypeScript testing, including
jest,ts-jest, andnock - Expanded
package.jsonscripts to support unit, integration, coverage, and CI test workflows
Full changelog
- Merged PR:
v1.0.1
Description
Fixes MSI installation failures in the GitHub Action when the product is already installed in a different location (applicable for Self-hosted Windows runner). The action now automatically handles existing installations and improves reliability in non-interactive CI/CD environments.
Upgrade steps
- Upgrade to this version to apply the fixes
Breaking changes
- None
New features
- None
Bug fixes
- Fixed MSI reinstallation failures by automatically uninstalling existing installations before reinstalling (resolves DOSTM-8717)
- Fixed CI/CD pipeline blocking caused by interactive registry prompts by adding the
/fflag to allreg addcommands (fixes #11)
Performance improvements
- Optimized MSI installation by removing registry and WMIC queries
- Improved fail-fast behavior with clearer error handling
Other changes
- Refactored MSI installation logic for more reliable error handling
- Added detailed MSI log output to improve troubleshooting
New GitHub Actions for code signing with DigiCert® Software Trust Manager
Overview
code-signing-software-trust-action enables secure, automated code signing directly within your GitHub workflows. This integration provides a seamless way to incorporate trusted signing into your DevOps pipelines, ensuring the authenticity and integrity of your released software.
Using a keypair-based signing workflow, developers can sign binaries across Windows, Linux, and macOS with strong security controls and full platform compatibility. This action automatically installs and configures Software Trust client tools, allowing quick setup for both GitHub-hosted and self-hosted runners.
Additionally, this action supports simple signing, a streamlined process that eliminates the need for third-party tools or libraries, delivering fast, consistent, and efficient code signing across environments.
Key features
Simple signing mode
A streamlined signing workflow designed to simplify configuration and improve performance:
- Sign code without relying on third-party tools
- A unified, consistent signing experience across Windows, Linux, and macOS
- Delivers faster signing by removing library overhead and reducing unnecessary API calls
- Built to support DigiCert's long-term direction as legacy signing methods are deprecated
Bulk signing mode
An efficient option for teams that need to sign large sets of artifacts:
- Sign multiple files in a single operation, dramatically improving throughput
- Reduces network round-trip calls, improving performance in high-volume CI/CD pipelines
- Contact DigiCert Sales to activate bulk signing
Optimized installation
Enhancements designed to speed installation, reduce redundant downloads, and ensure accurate tool updates:
- Faster, consistent downloads of required signing tools
- Automatically checks CDN-hosted checksums to detect and download new tool versions
- Supports GitHub's caching service across both hosted and self-hosted runners