feat(build): sign windows binaries on release
parent
df37796147
commit
9bbd91b1b9
32
.github/workflows/release.yml
vendored
32
.github/workflows/release.yml
vendored
|
@ -32,9 +32,7 @@ jobs:
|
|||
artifacts:
|
||||
needs: changelog
|
||||
if: ${{ needs.changelog.outputs.skipped == 'false' }}
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
|
||||
runs-on: windows-latest
|
||||
defaults:
|
||||
run:
|
||||
shell: pwsh
|
||||
|
@ -49,12 +47,31 @@ jobs:
|
|||
git config --global user.name "GitHub Actions"
|
||||
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
git tag ${{ needs.changelog.outputs.tag }}
|
||||
- name: Private Key 🔐
|
||||
- name: Prerequisites 🔐
|
||||
run: |
|
||||
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
|
||||
$env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
|
||||
|
||||
$shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
|
||||
$env:SIGNING_KEY > $shaSigningKeyLocation
|
||||
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# create a base64 encoded value of your certificate using
|
||||
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
|
||||
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
|
||||
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# requires Windows Dev Kit 10.0.22621.0
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
|
||||
# openssl
|
||||
$openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
|
||||
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||
env:
|
||||
SIGNING_KEY: ${{secrets.SIGNING_KEY}}
|
||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
||||
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
|
||||
- name: Run GoReleaser 🚀
|
||||
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
|
||||
with:
|
||||
|
@ -62,6 +79,8 @@ jobs:
|
|||
version: latest
|
||||
args: release --clean --skip publish
|
||||
workdir: src
|
||||
env:
|
||||
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
|
||||
- name: Zip theme files 🤐
|
||||
run: |
|
||||
$compress = @{
|
||||
|
@ -77,7 +96,6 @@ jobs:
|
|||
$zipHash = Get-FileHash $_.FullName -Algorithm SHA256
|
||||
$zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
|
||||
}
|
||||
shell: pwsh
|
||||
- name: Release 🎓
|
||||
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
|
||||
with:
|
||||
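Review bot: The Prerequisites step writes the private key and the decoded PFX into RUNNER_TEMP and exports both paths through GITHUB_ENV, but nothing in the visible part of the job removes them again, so every later step, including the third-party release action, runs with the key material readable on disk. A closing step guarded by `if: always()` that runs `Remove-Item -Force -ErrorAction SilentlyContinue $env:SHA_SIGNING_KEY_LOCATION, $env:SIGNING_CERTIFICATE_LOCATION` would bound that window; the job continues past the last hunk, so a cleanup may already exist there. Separately, the GoReleaser step now receives SIGNING_CERTIFICATE_PASSWORD while `version: latest` leaves the GoReleaser binary unpinned, even though the action itself is pinned by commit; pinning the version would match the rest of the file.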
|
|
|
@ -10,10 +10,10 @@ Param
|
|||
|
||||
# Get signing certificate
|
||||
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
|
||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||
# create a base64 encoded value of your certificate using
|
||||
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||
# requires Windows Dev Kit 10.0.22000.0
|
||||
# requires Windows Dev Kit 10.0.22621.0
|
||||
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
|
||||
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ SignedUninstaller=yes
|
|||
CloseApplications=no
|
||||
|
||||
[Files]
|
||||
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
|
||||
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
|
||||
Source: "bin\themes\*"; DestDir: "{app}\themes"
|
||||
|
||||
[Registry]
|
||||
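Review bot: With `Flags: sign` dropped from the `bin\oh-my-posh.exe` entry, the installer appears to rely on the executable arriving already signed, and nothing in this section checks that. If the earlier signing is skipped or fails, the setup would package an unsigned binary next to a signed uninstaller (`SignedUninstaller=yes` is still set). A check in the packaging script before the compiler runs, such as `signtool verify /pa bin\oh-my-posh.exe`, would fail the build instead, and a short comment above the entry stating where the binary is expected to be signed would record why the flag is gone.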
|
|
|
@ -37,6 +37,9 @@ builds:
|
|||
goarch: arm
|
||||
- goos: windows
|
||||
goarch: arm
|
||||
hooks:
|
||||
post:
|
||||
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
|
||||
archives:
|
||||
- id: oh-my-posh
|
||||
format: binary
|
||||
|
@ -44,8 +47,10 @@ archives:
|
|||
checksum:
|
||||
name_template: 'checksums.txt'
|
||||
signs:
|
||||
- cmd: openssl
|
||||
args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
|
||||
- cmd: pwsh
|
||||
args:
|
||||
- "-c"
|
||||
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
|
||||
artifacts: checksum
|
||||
changelog:
|
||||
disable: true
|
||||
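Review bot: The post-build hook in the first hunk templates `{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}` into a single-quoted PowerShell string, so the secret becomes part of the command text GoReleaser handles, and a password containing `'` would break or alter the command. Letting pwsh read it at run time, `/p $env:SIGNING_CERTIFICATE_PASSWORD`, avoids both, assuming the hook inherits the job environment. The timestamp option `/t http://timestamp.digicert.com` requests a legacy Authenticode timestamp; the RFC 3161 form `/tr http://timestamp.digicert.com /td SHA256` keeps the timestamp digest in line with `/fd SHA256`. The same quoting concern applies to the `signs` command in the later hunk, where the key path is templated into the string, though a runner-generated path is far less likely to contain a quote.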
|
|