feat: Migrate to espressif/release-sign action for signing Windows binaries

peterdragun · peterdragun · commit 299924d8c5c4 · 2025-12-09T11:22:36.000+01:00
diff --git a/README.md b/README.md
@@ -166,10 +166,11 @@ Building the project with default configuration will result in script name `__ma
 
 ### Signing Windows Binaries
 
-If you would like to sign Windows binaries, you can set `certificate` and the action will also take care of signing all binaries.
-It is also recommended to use `certificate-password`.
+If you would like to sign Windows binaries, you can configure Azure Key Vault credentials and the action will automatically sign all binaries after building. Signing is only performed for `windows-amd64` platform builds.
 
-The `certificate` should be a PFX (Personal Information Exchange) certificate file encoded in base64 format.
+The action uses the [espressif/release-sign](https://github.com/espressif/release-sign) action internally, which requires Azure credentials to access a certificate stored in Azure Key Vault. If the Azure client secret is not set, signing will be skipped with a warning message.
+
+To enable signing, you must explicitly pass the Azure credentials as inputs from your workflow. Set the following secrets in your repository and pass them to the action:
 
 ```yaml
 - name: Build Python executable
@@ -178,8 +179,12 @@ The `certificate` should be a PFX (Personal Information Exchange) certificate fi
     scripts: 'app.py'
     output-dir: './dist'
     target-platform: 'windows-amd64'
-    certificate: ${{ secrets.CERTIFICATE }}
-    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+    # Azure credentials for signing (must be explicitly passed)
+    azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+    azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+    azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+    azure-keyvault-uri: ${{ secrets.AZURE_KEYVAULT_URI }}
+    azure-keyvault-cert-name: ${{ secrets.AZURE_KEYVAULT_CERT_NAME }}
 ```
 
 ### Complete Workflow
@@ -275,12 +280,24 @@ jobs:
 | `install-deps-command`    | Command to install project dependencies   | `"uv pip install -e ."`                     | `"uv pip install -r requirements.txt"`       |
 | `additional-arm-packages` | ARMv7 ONLY: Additional system packages    | `""`                                        | `"openssl libffi-dev"`                       |
 | `test-command-args`       | Command arguments to test executables     | `"--help"`                                  | `"--version"`                                |
-| `certificate`             | Certificate to use for signing binaries   | `""`                                        | `${{ secrets.CERTIFICATE }}`                 |
-| `certificate-password`    | Password for the certificate              | `""`                                        | `${{ secrets.CERTIFICATE_PASSWORD }}`        |
 
 > [!IMPORTANT]
 > Be careful when changing `pyinstaller-version` as it might lead to increased false positives with anti-virus software. It is recommended to check your executables with antivirus software such as [Virustotal](https://www.virustotal.com/gui/home/upload).
 
+### Optional Inputs for Signing Binaries
+
+For signing binaries on Windows, this action uses the [espressif/release-sign](https://github.com/espressif/release-sign) action. The following inputs are optional but required if you want to sign your Windows executables.
+
+Signing is optional but strongly recommended. The action will produce a warning if a Windows executable was built but was not signed.
+
+| Input                     | Description                      | Default  | Example                                   |
+|---------------------------|----------------------------------|----------|-------------------------------------------|
+| `azure-client-id`         | Azure client ID for signing      | `""`     | `${{ secrets.AZURE_CLIENT_ID }}`          |
+| `azure-client-secret`     | Azure client secret for signing  | `""`     | `${{ secrets.AZURE_CLIENT_SECRET }}`      |
+| `azure-tenant-id`         | Azure tenant ID for signing      | `""`     | `${{ secrets.AZURE_TENANT_ID }}`          |
+| `azure-keyvault-uri`      | Azure key vault URI for signing  | `""`     | `${{ secrets.AZURE_KEYVAULT_URI }}`       |
+| `azure-keyvault-cert-name`| Azure key vault certificate name | `""`     | `${{ secrets.AZURE_KEYVAULT_CERT_NAME }}` |
+
 ## Outputs
 
 | Output                 | Description                                                    |
diff --git a/Sign-File.ps1 b/Sign-File.ps1
diff --git a/action.yml b/action.yml
@@ -60,12 +60,24 @@ inputs:
     description: Command arguments to test binaries (e.g. "--help")
     required: false
     default: --help
-  certificate:
-    description: Certificate to use for signing binaries
+  azure-client-id:
+    description: Azure client ID for espressif/release-sign action
     required: false
     default: ''
-  certificate-password:
-    description: Password for the certificate
+  azure-client-secret:
+    description: Azure client secret for espressif/release-sign action
+    required: false
+    default: ''
+  azure-tenant-id:
+    description: Azure tenant ID for espressif/release-sign action
+    required: false
+    default: ''
+  azure-keyvault-uri:
+    description: Azure key vault URI for espressif/release-sign action
+    required: false
+    default: ''
+  azure-keyvault-cert-name:
+    description: Azure key vault certificate name for espressif/release-sign action
     required: false
     default: ''
 
@@ -265,21 +277,27 @@ runs:
           "${{ steps.setup-platform.outputs.exe-extension }}" \
           "${{ inputs.test-command-args }}"
 
-    - name: Sign binaries
-      if: inputs.target-platform == 'windows-amd64'
-      env:
-        CERTIFICATE: ${{ inputs.certificate }}
-        CERTIFICATE_PASSWORD: ${{ inputs.certificate-password }}
+    - name: Check signing certificate
+      if: |
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret == ''
       shell: pwsh
-      run: |-
-        if ([string]::IsNullOrEmpty($env:CERTIFICATE)) {
-          Write-Host "::warning title=Signing::Certificate is not set, skipping signing"
-          exit 0
-        }
+      run: |
+        Write-Host "::warning title=Signing::Azure client secret is not set, skipping signing"
+
+    - name: Sign binaries
+      if: |
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != ''
+      uses: espressif/release-sign@master
+      with:
+        path: ${{ inputs.output-dir }}
+        azure-client-id: ${{ inputs.azure-client-id }}
+        azure-client-secret: ${{ inputs.azure-client-secret }}
+        azure-tenant-id: ${{ inputs.azure-tenant-id }}
+        azure-keyvault-uri: ${{ inputs.azure-keyvault-uri }}
+        azure-keyvault-cert-name: ${{ inputs.azure-keyvault-cert-name }}
 
-        $pythonFiles = "${{ inputs.scripts }}".Split(' ')
-        foreach ($file in $pythonFiles) {
-          $baseName = [System.IO.Path]::GetFileNameWithoutExtension($file)
-          $executable = "./${{ inputs.output-dir }}/${baseName}${{ steps.setup-platform.outputs.exe-extension }}"
-          & (Join-Path $env:GITHUB_ACTION_PATH "Sign-File.ps1") -Path $executable
-        }
+    - name: Remove leftover signature files
+      if: |
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != ''
+      shell: bash
+      run: find ./${{ inputs.output-dir }} -name "*.sig" -type f -delete
