feat(build): sign windows binaries on release

This commit is contained in:
Jan De Dobbeleer 2024-07-09 09:52:49 +02:00
parent df37796147
commit 9bbd91b1b9
4 changed files with 35 additions and 12 deletions


@ -32,9 +32,7 @@ jobs:
artifacts: artifacts:
needs: changelog needs: changelog
if: ${{ needs.changelog.outputs.skipped == 'false' }} if: ${{ needs.changelog.outputs.skipped == 'false' }}
runs-on: ubuntu-latest runs-on: windows-latest
env:
SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
defaults: defaults:
run: run:
shell: pwsh shell: pwsh
@ -49,12 +47,31 @@ jobs:
git config --global user.name "GitHub Actions" git config --global user.name "GitHub Actions"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git tag ${{ needs.changelog.outputs.tag }} git tag ${{ needs.changelog.outputs.tag }}
- name: Private Key 🔐 - name: Prerequisites 🔐
run: | run: |
$PSDefaultParameterValues['Out-File:Encoding']='UTF8' $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
$env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
$shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
$env:SIGNING_KEY > $shaSigningKeyLocation
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# requires Windows Dev Kit 10.0.22621.0
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# openssl
$openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
env: env:
SIGNING_KEY: ${{secrets.SIGNING_KEY}} SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
- name: Run GoReleaser 🚀 - name: Run GoReleaser 🚀
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
with: with:
@ -62,6 +79,8 @@ jobs:
version: latest version: latest
args: release --clean --skip publish args: release --clean --skip publish
workdir: src workdir: src
env:
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
- name: Zip theme files 🤐 - name: Zip theme files 🤐
run: | run: |
$compress = @{ $compress = @{
@ -77,7 +96,6 @@ jobs:
$zipHash = Get-FileHash $_.FullName -Algorithm SHA256 $zipHash = Get-FileHash $_.FullName -Algorithm SHA256
$zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256" $zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
} }
shell: pwsh
- name: Release 🎓 - name: Release 🎓
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
with: with:
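Review bot: The `Prerequisites 🔐` step exports `$signtool` and `$openssl` as hard-coded paths without checking that either file exists, so a runner image that ships a different Windows SDK than the one the comment pins (10.0.22621.0) only fails later, inside the GoReleaser post-hook, with a much less obvious error. Add a guard after each assignment, e.g. `if (-not (Test-Path -LiteralPath $signtool)) { throw "signtool not found: $signtool" }`, and the same for `$openssl`. The PFX is written under `$env:RUNNER_TEMP` and `SIGNING_CERTIFICATE_PASSWORD` is scoped to the GoReleaser step only, which keeps the secret's exposure narrow; the key material is presumably discarded with the ephemeral runner, so no explicit cleanup seems needed. The `artifacts` job's remaining steps lie outside the shown hunks.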


@ -10,10 +10,10 @@ Param
# Get signing certificate # Get signing certificate
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx" $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe' $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
# create a base64 encoded value of your certificate using # create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream)) # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
# requires Windows Dev Kit 10.0.22000.0 # requires Windows Dev Kit 10.0.22621.0
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE) $encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream


@ -17,7 +17,7 @@ SignedUninstaller=yes
CloseApplications=no CloseApplications=no
[Files] [Files]
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
Source: "bin\themes\*"; DestDir: "{app}\themes" Source: "bin\themes\*"; DestDir: "{app}\themes"
[Registry] [Registry]
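Review bot: Dropping `Flags: sign` from the `bin\oh-my-posh.exe` entry means the installer now embeds whatever binary GoReleaser produced, and nothing visible checks that the post-hook signature is actually present before packaging. Since the workflow exports `SIGNTOOL`, a verification step ahead of the Inno compile, e.g. `& $env:SIGNTOOL verify /pa bin\oh-my-posh.exe`, would fail the build on an unsigned or mis-signed binary instead of shipping it. `SignedUninstaller=yes` still depends on Inno's own SignTool configuration, so that tooling remains a prerequisite of this build regardless. The `[Files]` section continues outside the hunk.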


@ -37,6 +37,9 @@ builds:
goarch: arm goarch: arm
- goos: windows - goos: windows
goarch: arm goarch: arm
hooks:
post:
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
archives: archives:
- id: oh-my-posh - id: oh-my-posh
format: binary format: binary
@ -44,8 +47,10 @@ archives:
checksum: checksum:
name_template: 'checksums.txt' name_template: 'checksums.txt'
signs: signs:
- cmd: openssl - cmd: pwsh
args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ] args:
- "-c"
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
artifacts: checksum artifacts: checksum
changelog: changelog:
disable: true disable: true
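Review bot: The signtool post-hook on the `- pwsh -c` line uses `/t`, the legacy Authenticode timestamp option, which produces a SHA-1 timestamp countersignature even though the file digest is `/fd SHA256`; the matching RFC 3161 form is `/tr http://timestamp.digicert.com /td SHA256`. The certificate password is also expanded into the pwsh command line via `/p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}'`, where it is visible to process listings on the runner and to whatever hook logging GoReleaser performs; GitHub's secret masking presumably covers the log, but importing the PFX into the user store and selecting it with `/sha1 <thumbprint>` would avoid putting the password on a command line at all. The `builds:` entry this hook belongs to starts outside the hunk.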