2

I have publishing job in github actions. It uses certificate which is stored in base64 format in repo secrets. I need to decode this certificate and store it on disk on windows-latest machine. My workflow looks like that

name: publish
on: [ push ]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - name: checkout
        uses: actions/checkout@v2
      - run: echo "${{ secrets.WINDOWS_CERT}}" | base64 --decode > $HOME/certificate.pfx   
      - run: cat $HOME/certificate.pfx

When i run it i get error

Run echo "***" | base64 --decode > $HOME/certificate.pfx
  echo "***" | base64 --decode > $HOME/certificate.pfx
  shell: C:\Program Files\PowerShell\7\pwsh.EXE -command ". '{0}'"
/usr/bin/base64: invalid input
##[error]Process completed with exit code 1.

How do i properly decode base64 encoded secrets on windows machines?

Thanks

AlexS
  • 927
  • 4
  • 16
  • 29

1 Answers1

0

I ran into two problems on powershell (using windows-latest default shell) on Github Actions:

  1. Maybe due to newlines, but indeed that invalid input appeared. Needed to pass -i (or --ignore-garbage) to base64 -d so that is silenced.

  2. But then, the output still didn't match the original binary (as verified by dir, wc and md5sum). Because in powershell, the > operator defaults to writing with UTF-16, which will mess up your binary. See https://www.johndcook.com/blog/2008/08/25/powershell-output-redirection-unicode-or-ascii/ on possible workaround using out-file directly.

But in the end, I just changed to shell: bash for the base64 decode operation. All works promptly there.

ron
  • 9,262
  • 4
  • 40
  • 73