
CI: Switch to production codesigning cert

derrod 1 year ago
parent
commit
ae5000dd1a

+ 5 - 5
.github/actions/bouf/action.yaml

@@ -30,9 +30,9 @@ runs:
     - name: Setup bouf
       shell: pwsh
       env:
-        BOUF_TAG: 'v0.6.1'
-        BOUF_HASH: '7292e43186ecc6210079fa5702254455797c7652dc6b08b5b61ac2d721766d86'
-        BOUF_NSIS_HASH: '2f5ecff05a002913c10aafa838febc1b0ae6e779f5ca67efa545ed787ae485a0'
+        BOUF_TAG: 'v0.6.2'
+        BOUF_HASH: '40ca34457a8ac60b9710a41b4cde2a0fc36d8740ab21b01d702069be2e1c5fb9'
+        BOUF_NSIS_HASH: '88958a9e4e0f3cb6f78e8359fdfa3343d050d5c2158e3ee77cb2cc4a8785ac61'
         GH_TOKEN: ${{ github.token }}
       run: |
         # Download bouf release
@@ -76,8 +76,8 @@ runs:
     - name: Install pandoc and rclone
       shell: pwsh
       run: |
-        choco install rclone --version 1.64.2 -y --no-progress
-        choco install pandoc --version 3.1.9 -y --no-progress
+        choco install rclone --version=1.64.2 -y --no-progress
+        choco install pandoc --version=3.1.9 -y --no-progress
 
     - name: Prepare Release Notes
       shell: pwsh
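Review bot: A failed `choco install rclone` would not fail this step, because the two installs in the `run:` block run back to back with no check between them and the `pwsh` shell on GitHub Actions only propagates `$LASTEXITCODE` of the last native command. Adding `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after each `choco install` line makes a missing tool surface here rather than in a later release step. Separately, bouf is pinned by `BOUF_HASH` and `BOUF_NSIS_HASH` earlier in this action, while rclone and pandoc are pinned by version only. These steps appear to share a job with production code signing (inferred from the config.toml change in this commit), so a comment stating what integrity guarantee the Chocolatey version pin is relied on for would help.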

+ 3 - 3
.github/actions/bouf/config.toml

@@ -19,9 +19,9 @@ never_copy = [
 ]
 
 [prepare.codesign]
-sign_cert_file = "repo/.github/actions/bouf/test.crt"
-sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/testing/cryptoKeys/signing-hsm/cryptoKeyVersions/1"
-sign_digest = "sha256"
+sign_cert_file = "repo/.github/actions/bouf/prod.crt"
+sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
+sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
 sign_exts = ['exe', 'dll', 'pyd']
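Review bot: `sign_cert_file` and `sign_kms_key_id` now have to describe the same key pair, with the key pinned to `cryptoKeyVersions/1`, but nothing in `[prepare.codesign]` records that coupling. A comment above the two lines such as `# prod.crt must be the certificate issued for this exact KMS key version; change both together on rotation` would keep a later rotation from updating only one of them. The hunk also moves every run of this action from the `testing` key ring to `production`. Whether only release refs can reach that key depends on IAM bindings and workflow conditions that are not visible here, so it is worth confirming that pull-request and non-release runs cannot obtain credentials for it.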
 

+ 26 - 0
.github/actions/bouf/prod.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 1 - 1
.github/workflows/push.yaml

@@ -217,7 +217,7 @@ jobs:
       - name: Set Up Environment 🔧
         id: setup
         env:
-          BOUF_ACTION_HASH: '4b421d1fa51cbf35f9c68f80795be3468dc480d47989c0bf713c39a7d62dec9e'
+          BOUF_ACTION_HASH: 'e91375eb41c3c9d97df14dc3c2775ce254e50f92dad782341e8cd2a1f9faf7de'
         run: |
           $channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" }
           $shortHash = $env:GITHUB_SHA.Substring(0,9)
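Review bot: `BOUF_ACTION_HASH` is a bare 64-hex-digit constant that has to be recomputed by hand, and the step gives no hint of what it covers or how to regenerate it. It changes in the same commit as three files under `.github/actions/bouf`, so it is presumably a digest over that directory checked before the action is used; that is an inference, since the code that consumes it is outside the hunk. A comment such as `# digest of .github/actions/bouf, regenerate with <command>; must change whenever that directory changes` (with the real algorithm and command filled in) would let a reviewer verify the new value instead of trusting it.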