feat(build): sign windows binaries on release
This commit is contained in:
parent
df37796147
commit
9bbd91b1b9
30
.github/workflows/release.yml
vendored
30
.github/workflows/release.yml
vendored
|
@ -32,9 +32,7 @@ jobs:
|
||||||
artifacts:
|
artifacts:
|
||||||
needs: changelog
|
needs: changelog
|
||||||
if: ${{ needs.changelog.outputs.skipped == 'false' }}
|
if: ${{ needs.changelog.outputs.skipped == 'false' }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: windows-latest
|
||||||
env:
|
|
||||||
SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
|
|
||||||
defaults:
|
defaults:
|
||||||
run:
|
run:
|
||||||
shell: pwsh
|
shell: pwsh
|
||||||
|
@ -49,12 +47,31 @@ jobs:
|
||||||
git config --global user.name "GitHub Actions"
|
git config --global user.name "GitHub Actions"
|
||||||
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||||
git tag ${{ needs.changelog.outputs.tag }}
|
git tag ${{ needs.changelog.outputs.tag }}
|
||||||
- name: Private Key 🔐
|
- name: Prerequisites 🔐
|
||||||
run: |
|
run: |
|
||||||
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
|
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
|
||||||
$env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
|
|
||||||
|
$shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
|
||||||
|
$env:SIGNING_KEY > $shaSigningKeyLocation
|
||||||
|
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||||
|
|
||||||
|
# create a base64 encoded value of your certificate using
|
||||||
|
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||||
|
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
|
||||||
|
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
|
||||||
|
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||||
|
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||||
|
|
||||||
|
# requires Windows Dev Kit 10.0.22621.0
|
||||||
|
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||||
|
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||||
|
|
||||||
|
# openssl
|
||||||
|
$openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
|
||||||
|
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||||
env:
|
env:
|
||||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
||||||
|
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
|
||||||
- name: Run GoReleaser 🚀
|
- name: Run GoReleaser 🚀
|
||||||
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
|
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
|
||||||
with:
|
with:
|
||||||
|
@ -62,6 +79,8 @@ jobs:
|
||||||
version: latest
|
version: latest
|
||||||
args: release --clean --skip publish
|
args: release --clean --skip publish
|
||||||
workdir: src
|
workdir: src
|
||||||
|
env:
|
||||||
|
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
|
||||||
- name: Zip theme files 🤐
|
- name: Zip theme files 🤐
|
||||||
run: |
|
run: |
|
||||||
$compress = @{
|
$compress = @{
|
||||||
|
@ -77,7 +96,6 @@ jobs:
|
||||||
$zipHash = Get-FileHash $_.FullName -Algorithm SHA256
|
$zipHash = Get-FileHash $_.FullName -Algorithm SHA256
|
||||||
$zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
|
$zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
|
||||||
}
|
}
|
||||||
shell: pwsh
|
|
||||||
- name: Release 🎓
|
- name: Release 🎓
|
||||||
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
|
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
|
||||||
with:
|
with:
|
||||||
|
|
|
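Review bot: The Prerequisites step hardcodes `$signtool` to SDK build 10.0.22621.0 and `$openssl` to the Git-for-Windows path (the lines after the `# requires Windows Dev Kit` and `# openssl` comments) and exports both via GITHUB_ENV without checking they exist, so a runner-image change would only surface later as a failed GoReleaser hook; add a fail-fast check before the `Write-Output "SIGNTOOL=..."` line: `foreach ($tool in $signtool, $openssl) { if (-not (Test-Path -LiteralPath $tool)) { throw "required tool not found: $tool" } }`. The `SIGNING_CERTIFICATE_PASSWORD` env added on the GoReleaser step is consumed in `.goreleaser.yml` by templating it into the `pwsh -c` command text (`/p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}'`); the workflow log masks the secret, but the expanded string is still visible in the process argument list on the runner and presumably in any hook-command output GoReleaser emits on failure. Since hooks inherit GoReleaser's environment, reading it inside the script instead, `/p $env:SIGNING_CERTIFICATE_PASSWORD`, keeps the value out of the rendered command. The same hook uses the legacy `/t` timestamp option; the RFC 3161 form `/tr <timestamp-url> /td SHA256` is the one generally recommended now, if the chosen timestamp service supports it.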
@ -10,10 +10,10 @@ Param
|
||||||
|
|
||||||
# Get signing certificate
|
# Get signing certificate
|
||||||
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
|
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
|
||||||
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
|
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
|
||||||
# create a base64 encoded value of your certificate using
|
# create a base64 encoded value of your certificate using
|
||||||
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
|
||||||
# requires Windows Dev Kit 10.0.22000.0
|
# requires Windows Dev Kit 10.0.22621.0
|
||||||
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
|
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
|
||||||
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@ SignedUninstaller=yes
|
||||||
CloseApplications=no
|
CloseApplications=no
|
||||||
|
|
||||||
[Files]
|
[Files]
|
||||||
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
|
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
|
||||||
Source: "bin\themes\*"; DestDir: "{app}\themes"
|
Source: "bin\themes\*"; DestDir: "{app}\themes"
|
||||||
|
|
||||||
[Registry]
|
[Registry]
|
||||||
|
|
|
@ -37,6 +37,9 @@ builds:
|
||||||
goarch: arm
|
goarch: arm
|
||||||
- goos: windows
|
- goos: windows
|
||||||
goarch: arm
|
goarch: arm
|
||||||
|
hooks:
|
||||||
|
post:
|
||||||
|
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
|
||||||
archives:
|
archives:
|
||||||
- id: oh-my-posh
|
- id: oh-my-posh
|
||||||
format: binary
|
format: binary
|
||||||
|
@ -44,8 +47,10 @@ archives:
|
||||||
checksum:
|
checksum:
|
||||||
name_template: 'checksums.txt'
|
name_template: 'checksums.txt'
|
||||||
signs:
|
signs:
|
||||||
- cmd: openssl
|
- cmd: pwsh
|
||||||
args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
|
args:
|
||||||
|
- "-c"
|
||||||
|
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
|
||||||
artifacts: checksum
|
artifacts: checksum
|
||||||
changelog:
|
changelog:
|
||||||
disable: true
|
disable: true
|
||||||
|
|