feat(sign): use Azure Code Signing
This commit is contained in:
parent
2aa10619b4
commit
763cdc5782
5
.github/workflows/inno.yml
vendored
|
@ -19,8 +19,9 @@ jobs:
|
|||
- name: Build installer 📦
|
||||
id: build
|
||||
env:
|
||||
CERTIFICATE: ${{ secrets.CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
|
||||
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
|
||||
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
|
||||
run: |
|
||||
$version = $env:GITHUB_REF.TrimStart("refs/tags/v")
|
||||
./build.ps1 -Architecture ${{ matrix.arch }} -Version $version
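Review bot: The three AZURE_* variables added to the step env carry no explanation of who consumes them; nothing in the `run:` block references them, so a reader has to know that the Trusted Signing dlib picks them up from the process environment (the credential types it must not fall back to are listed in src/metadata.json). A one-line comment above `AZURE_CLIENT_SECRET`, such as `# service-principal credentials read from the environment by Azure.CodeSigning.Dlib while signing`, would make that dependency visible; the same trio is added to the GoReleaser step in release.yml and the comment belongs there too. Because the value is a long-lived client secret handed to a build step, a federated (OIDC) credential for the signing identity is worth considering later, and the exclusion list in metadata.json presumably leaves room for that. The `run:` lines themselves are unchanged in this hunk.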
|
||||
|
|
16
.github/workflows/release.yml
vendored
|
@ -55,15 +55,12 @@ jobs:
|
|||
$env:SIGNING_KEY > $shaSigningKeyLocation
|
||||
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# create a base64 encoded value of your certificate using
|
||||
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
|
||||
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
|
||||
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
# install code signing dlib
|
||||
nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -ExcludeVersion -OutputDirectory $env:RUNNER_TEMP
|
||||
Write-Output "SIGNTOOLDLIB=$env:RUNNER_TEMP/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# requires Windows Dev Kit 10.0.22621.0
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
|
||||
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# openssl
|
||||
|
@ -71,7 +68,6 @@ jobs:
|
|||
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
env:
|
||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
||||
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
|
||||
- name: Run GoReleaser 🚀
|
||||
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
|
||||
with:
|
||||
|
@ -80,7 +76,9 @@ jobs:
|
|||
args: release --clean --skip publish
|
||||
workdir: src
|
||||
env:
|
||||
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
|
||||
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
|
||||
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
|
||||
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
|
||||
- name: Zip theme files 🤐
|
||||
run: |
|
||||
$compress = @{
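Review bot: In the first hunk of this file, the `nuget.exe install Microsoft.Trusted.Signing.Client ...` line is not checked for success before `SIGNTOOLDLIB` is exported, so a failed or partial download only surfaces later as an opaque signtool error inside GoReleaser; unless the runner's pwsh shell is configured to stop on native-command failures, assigning the path first and guarding it, `$dlib = "$env:RUNNER_TEMP/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll"` followed by `if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dlib)) { throw "Trusted Signing client install failed" }`, would fail fast with a clear message. The same unchecked install (the `-x` form) appears in the installer build script's first hunk. The switch from the x86 to the x64 signtool in the same hunk deserves a comment, e.g. `# x64 signtool is required: the Trusted Signing package only ships bin/x64/Azure.CodeSigning.Dlib.dll and it is loaded in-process`, so a later change does not reintroduce the x86 path. The enclosing `run:` block starts before this hunk.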
|
||||
|
|
|
@ -8,14 +8,12 @@ Param
|
|||
$Version
|
||||
)
|
||||
|
||||
# Get signing certificate
|
||||
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||
# create a base64 encoded value of your certificate using
|
||||
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||
# requires Windows Dev Kit 10.0.22621.0
|
||||
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
|
||||
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
|
||||
|
||||
# setup dependencies
|
||||
nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
|
||||
$signtoolDlib = "$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll"
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
|
||||
|
||||
New-Item -Path "." -Name "bin" -ItemType Directory
|
||||
Copy-Item -Path "../../themes" -Destination "./bin" -Recurse
|
||||
|
@ -35,7 +33,7 @@ $content | Out-File -Encoding 'UTF8' $ISSName
|
|||
|
||||
# package content
|
||||
$installer = "install-$Architecture"
|
||||
ISCC.exe /F$installer "/Ssigntool=$signtool sign /f $pfxPath /p $env:CERTIFICATE_PASSWORD /fd SHA256 /t http://timestamp.digicert.com `$f" $ISSName
|
||||
ISCC.exe /F$installer "/Ssigntool=$signtool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib $signtoolDlib /dmdf './metadata.json' `$f" $ISSName
|
||||
# get hash
|
||||
$zipHash = Get-FileHash "Output/$installer.exe" -Algorithm SHA256
|
||||
$zipHash.Hash | Out-File -Encoding 'UTF8' "Output/$installer.exe.sha256"
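Review bot: The new ISCC line signs with `/dmdf './metadata.json'`, a path relative to the working directory, but the only metadata file this commit adds is src/metadata.json while this script copies `../../themes`, which suggests it runs from a different directory; unless a second metadata.json already lives next to the script (not visible on this page), signtool will not find the file. Resolving it explicitly, e.g. `$metadata = Join-Path $PSScriptRoot 'metadata.json'` and passing `/dmdf '$metadata'` (or pointing at the src copy), removes the dependency on the caller's cwd and makes the config file discoverable. Dropping `/p $env:CERTIFICATE_PASSWORD` from the command line is a welcome change since the password no longer appears in process arguments; `/debug` in the same command, however, prints verbose signtool diagnostics into the build log and is worth removing once the pipeline is stable. This section's file header is not shown on the page; inno.yml invokes the script as `./build.ps1`.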
|
||||
|
|
|
@ -25,36 +25,36 @@ builds:
|
|||
env:
|
||||
- CGO_ENABLED=0
|
||||
goos:
|
||||
- linux
|
||||
# - linux
|
||||
- windows
|
||||
- darwin
|
||||
- freebsd
|
||||
# - darwin
|
||||
# - freebsd
|
||||
goarch:
|
||||
- amd64
|
||||
# - amd64
|
||||
- arm64
|
||||
- arm
|
||||
- "386"
|
||||
ignore:
|
||||
- goos: darwin
|
||||
goarch: "386"
|
||||
- goos: darwin
|
||||
goarch: arm
|
||||
- goos: windows
|
||||
goarch: arm
|
||||
# - arm
|
||||
# - "386"
|
||||
# ignore:
|
||||
# - goos: darwin
|
||||
# goarch: "386"
|
||||
# - goos: darwin
|
||||
# goarch: arm
|
||||
# - goos: windows
|
||||
# goarch: arm
|
||||
hooks:
|
||||
post:
|
||||
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
|
||||
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib '{{ .Env.SIGNTOOLDLIB }}' /dmdf './metadata.json' '{{ .Path }}' }"
|
||||
archives:
|
||||
- id: oh-my-posh
|
||||
format: binary
|
||||
name_template: "posh-{{ .Os }}-{{ .Arch }}"
|
||||
checksum:
|
||||
name_template: 'checksums.txt'
|
||||
signs:
|
||||
- cmd: pwsh
|
||||
args:
|
||||
- "-c"
|
||||
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
|
||||
artifacts: checksum
|
||||
# signs:
|
||||
# - cmd: pwsh
|
||||
# args:
|
||||
# - "-c"
|
||||
# - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
|
||||
# artifacts: checksum
|
||||
changelog:
|
||||
disable: true
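Review bot: If the printed order is old-then-new (the `hooks.post` pair reads consistently that way), the new side comments out every `goos` except windows, every `goarch` except arm64, the whole `ignore:` list and the `signs:` block that produced `checksums.txt.sig`; that looks like a local test configuration committed together with the signing change rather than an intended part of it. Restoring those entries, or at least the `signs:` block so releases keep shipping a signed checksum file, seems necessary before this is tagged, since the commit title only mentions code signing. The replaced `hooks.post` command also carries `/v /debug`, which is fine for bring-up but dumps verbose signtool output into the release log. The `builds:` entry starts before this hunk.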
|
||||
|
|
14
src/metadata.json
Normal file
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"Endpoint": "https://weu.codesigning.azure.net",
|
||||
"CodeSigningAccountName": "oh-my-posh",
|
||||
"CertificateProfileName": "oh-my-posh",
|
||||
"ExcludeCredentials": [
|
||||
"AzureCliCredential",
|
||||
"AzurePowerShellCredential",
|
||||
"ManagedIdentityCredential",
|
||||
"SharedTokenCacheCredential",
|
||||
"VisualStudioCredential",
|
||||
"VisualStudioCodeCredential",
|
||||
"InteractiveBrowserCredential"
|
||||
]
|
||||
}
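Review bot: The `ExcludeCredentials` list removes the interactive, cached and local-tool credential types and leaves the environment-fed service-principal path (the AZURE_CLIENT_ID/AZURE_CLIENT_SECRET/AZURE_TENANT_ID variables the workflows export) as the one expected to succeed in CI, which is the right shape for an unattended runner, but JSON cannot carry a comment so that intent is invisible here. A short note next to the env block in release.yml, e.g. `# credential types excluded in src/metadata.json; only the env-supplied service principal remains`, would help the next maintainer. `Endpoint`, `CodeSigningAccountName` and `CertificateProfileName` together pin the regional account and profile; if the account is ever moved, all three need to change in step.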
|