feat(sign): use Azure Code Signing

This commit is contained in:
Jan De Dobbeleer 2024-11-15 13:45:02 +01:00
parent 2aa10619b4
commit 763cdc5782
5 changed files with 51 additions and 40 deletions


@ -19,8 +19,9 @@ jobs:
- name: Build installer 📦 - name: Build installer 📦
id: build id: build
env: env:
CERTIFICATE: ${{ secrets.CERTIFICATE }} AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
run: | run: |
$version = $env:GITHUB_REF.TrimStart("refs/tags/v") $version = $env:GITHUB_REF.TrimStart("refs/tags/v")
./build.ps1 -Architecture ${{ matrix.arch }} -Version $version ./build.ps1 -Architecture ${{ matrix.arch }} -Version $version
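Review bot: The new env block starting at the `AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}` line hands a long-lived service-principal secret to the whole build step, and the GoReleaser step at `@ -80,7 +76,9` repeats the same three variables; the only consumer is the Trusted Signing client that signtool loads inside build.ps1. If that client honours an Azure CLI login (metadata.json currently lists `AzureCliCredential` under `ExcludeCredentials`, so that entry would have to go), an OIDC federated credential via `azure/login` with `id-token: write` would remove the stored secret entirely — worth confirming against the client's documentation before relying on it. At minimum a comment above the block such as `# read by Azure.CodeSigning.Dlib (environment credential) when signtool runs in build.ps1` records why three otherwise unrelated-looking secrets are exposed to this step. The step's run block may continue past the end of the hunk.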


@ -55,15 +55,12 @@ jobs:
$env:SIGNING_KEY > $shaSigningKeyLocation $env:SIGNING_KEY > $shaSigningKeyLocation
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# create a base64 encoded value of your certificate using # install code signing dlib
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream)) nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -ExcludeVersion -OutputDirectory $env:RUNNER_TEMP
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx" Write-Output "SIGNTOOLDLIB=$env:RUNNER_TEMP/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# requires Windows Dev Kit 10.0.22621.0 # requires Windows Dev Kit 10.0.22621.0
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# openssl # openssl
@ -71,7 +68,6 @@ jobs:
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
env: env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY }} SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
- name: Run GoReleaser 🚀 - name: Run GoReleaser 🚀
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf
with: with:
@ -80,7 +76,9 @@ jobs:
args: release --clean --skip publish args: release --clean --skip publish
workdir: src workdir: src
env: env:
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }} AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- name: Zip theme files 🤐 - name: Zip theme files 🤐
run: | run: |
$compress = @{ $compress = @{
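Review bot: In the first hunk (`@ -55,15 +55,12`) the `nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -ExcludeVersion ...` line pins a version but neither the feed nor the package contents, and the DLL it produces is loaded in-process by signtool while the Azure client secret is in the environment; build.ps1 repeats the pattern with `nuget.exe install ... -x`. Pin the feed with `-Source https://api.nuget.org/v3/index.json` and, before the `Write-Output "SIGNTOOLDLIB=..."` line, compare `(Get-FileHash $dlib -Algorithm SHA256).Hash` against a value recorded in the workflow and `throw` on mismatch, so a replaced package cannot silently swap the signing client. The change from the x86 to the x64 signtool on the `$signtool = ...` line deserves a why-comment, e.g. `# x64 signtool is required: the Trusted Signing dlib is loaded in-process and only bin/x64 is referenced`. The enclosing run block starts before the hunk.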


@ -8,14 +8,12 @@ Param
$Version $Version
) )
# Get signing certificate $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' # setup dependencies
# create a base64 encoded value of your certificate using nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream)) $signtoolDlib = "$PWD/Microsoft.Trusted.Signing.Client/bin/x64/Azure.CodeSigning.Dlib.dll"
# requires Windows Dev Kit 10.0.22621.0 $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe'
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
New-Item -Path "." -Name "bin" -ItemType Directory New-Item -Path "." -Name "bin" -ItemType Directory
Copy-Item -Path "../../themes" -Destination "./bin" -Recurse Copy-Item -Path "../../themes" -Destination "./bin" -Recurse
@ -35,7 +33,7 @@ $content | Out-File -Encoding 'UTF8' $ISSName
# package content # package content
$installer = "install-$Architecture" $installer = "install-$Architecture"
ISCC.exe /F$installer "/Ssigntool=$signtool sign /f $pfxPath /p $env:CERTIFICATE_PASSWORD /fd SHA256 /t http://timestamp.digicert.com `$f" $ISSName ISCC.exe /F$installer "/Ssigntool=$signtool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib $signtoolDlib /dmdf './metadata.json' `$f" $ISSName
# get hash # get hash
$zipHash = Get-FileHash "Output/$installer.exe" -Algorithm SHA256 $zipHash = Get-FileHash "Output/$installer.exe" -Algorithm SHA256
$zipHash.Hash | Out-File -Encoding 'UTF8' "Output/$installer.exe.sha256" $zipHash.Hash | Out-File -Encoding 'UTF8' "Output/$installer.exe.sha256"
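Review bot: The `/dmdf './metadata.json'` argument on the `ISCC.exe` line resolves against the directory build.ps1 is run from, but the only metadata file this commit adds is `src/metadata.json`, and the existing `Copy-Item -Path "../../themes"` line suggests the script runs from a nested package directory rather than `src/`; unless another copy exists there, signtool will fail to find it at release time. Resolving the path once near the top of the script from a fixed anchor (`$PSScriptRoot` rather than `$PWD`) and passing `/dmdf $metadata` removes the dependency on the caller's working directory. The `nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.60 -x` line makes the same assumption by unpacking into `$PWD`; `-OutputDirectory $env:RUNNER_TEMP`, as the workflow does, keeps the DLL out of the packaging tree. The script continues outside both hunks.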


@ -25,36 +25,36 @@ builds:
env: env:
- CGO_ENABLED=0 - CGO_ENABLED=0
goos: goos:
- linux # - linux
- windows - windows
- darwin # - darwin
- freebsd # - freebsd
goarch: goarch:
- amd64 # - amd64
- arm64 - arm64
- arm # - arm
- "386" # - "386"
ignore: # ignore:
- goos: darwin # - goos: darwin
goarch: "386" # goarch: "386"
- goos: darwin # - goos: darwin
goarch: arm # goarch: arm
- goos: windows # - goos: windows
goarch: arm # goarch: arm
hooks: hooks:
post: post:
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }" - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 /dlib '{{ .Env.SIGNTOOLDLIB }}' /dmdf './metadata.json' '{{ .Path }}' }"
archives: archives:
- id: oh-my-posh - id: oh-my-posh
format: binary format: binary
name_template: "posh-{{ .Os }}-{{ .Arch }}" name_template: "posh-{{ .Os }}-{{ .Arch }}"
checksum: checksum:
name_template: 'checksums.txt' name_template: 'checksums.txt'
signs: # signs:
- cmd: pwsh # - cmd: pwsh
args: # args:
- "-c" # - "-c"
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'" # - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
artifacts: checksum # artifacts: checksum
changelog: changelog:
disable: true disable: true
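Review bot: The hunk comments out every `goos`/`goarch` entry except `windows`/`arm64`, the whole `ignore` block and the entire `signs` section, so a release built from this file ships one platform and no detached signature for `checksums.txt`; the commit message does not say this is intended, and it reads like a local debugging change left in. If it is deliberate, state it in a comment above `goos:` and remove the now-dead setup in the workflow (`SHA_SIGNING_KEY_LOCATION` and `OPENSSL` are still exported in `@ -55,15 +55,12` but nothing consumes them); otherwise restore the commented lines before tagging. The new post hook also passes `/v /debug` to signtool for every binary; that output lands in the build log, so consider dropping the two flags once the integration is stable.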

14
src/metadata.json Normal file

@ -0,0 +1,14 @@
{
"Endpoint": "https://weu.codesigning.azure.net",
"CodeSigningAccountName": "oh-my-posh",
"CertificateProfileName": "oh-my-posh",
"ExcludeCredentials": [
"AzureCliCredential",
"AzurePowerShellCredential",
"ManagedIdentityCredential",
"SharedTokenCacheCredential",
"VisualStudioCredential",
"VisualStudioCodeCredential",
"InteractiveBrowserCredential"
]
}
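Review bot: `ExcludeCredentials` rules out seven credential types but leaves the one this pipeline relies on implicit: the `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`/`AZURE_TENANT_ID` variables set in the workflows are consumed by the client's environment-based credential, and JSON cannot carry a comment saying so. Record that mapping in the workflow next to the env block, and consider excluding the remaining non-interactive types the client's default chain may try as well (`WorkloadIdentityCredential`, `AzureDeveloperCliCredential`, if the client accepts those names) so that authentication can only succeed through the intended path and a misconfiguration fails fast instead of falling through to another credential.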