feat(build): sign windows binaries on release

2024-09-19 21:17:31 -07:00 · 2024-07-09 09:52:49 +02:00 · 2024-07-09 09:52:49 +02:00 · 9bbd91b1b9
parent df37796147
commit 9bbd91b1b9
4 changed files with 35 additions and 12 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -32,9 +32,7 @@ jobs:
  artifacts:
    needs: changelog
    if: ${{ needs.changelog.outputs.skipped == 'false' }}
-    runs-on: ubuntu-latest
-    env:
-      SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
+    runs-on: windows-latest
    defaults:
      run:
        shell: pwsh
@ -49,12 +47,31 @@ jobs:
          git config --global user.name "GitHub Actions"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git tag ${{ needs.changelog.outputs.tag }}
-      - name: Private Key 🔐
+      - name: Prerequisites 🔐
        run: |
          $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
-          $env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
+
+          $shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
+          $env:SIGNING_KEY > $shaSigningKeyLocation
+          Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # create a base64 encoded value of your certificate using
+          # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
+          $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
+          $encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
+          Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
+          Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # requires Windows Dev Kit 10.0.22621.0
+          $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
+          Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # openssl
+          $openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
+          Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        env:
-          SIGNING_KEY: ${{secrets.SIGNING_KEY}}
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
      - name: Run GoReleaser 🚀
        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
        with:
@ -62,6 +79,8 @@ jobs:
          version: latest
          args: release --clean --skip publish
          workdir: src
+        env:
+          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
      - name: Zip theme files 🤐
        run: |
          $compress = @{
@ -77,7 +96,6 @@ jobs:
            $zipHash = Get-FileHash $_.FullName -Algorithm SHA256
            $zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
          }
-        shell: pwsh
      - name: Release 🎓
        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
        with:
--- a/packages/inno/build.ps1
+++ b/packages/inno/build.ps1
@ -10,10 +10,10 @@ Param

 # Get signing certificate
 $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
-$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
+$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
 # create a base64 encoded value of your certificate using
 # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
-# requires Windows Dev Kit 10.0.22000.0
+# requires Windows Dev Kit 10.0.22621.0
 $encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
 Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream

--- a/packages/inno/oh-my-posh.iss
+++ b/packages/inno/oh-my-posh.iss
@ -17,7 +17,7 @@ SignedUninstaller=yes
 CloseApplications=no

 [Files]
-Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
+Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
 Source: "bin\themes\*"; DestDir: "{app}\themes"

 [Registry]
--- a/src/.goreleaser.yml
+++ b/src/.goreleaser.yml
@ -37,6 +37,9 @@ builds:
        goarch: arm
      - goos: windows
        goarch: arm
+    hooks:
+      post:
+        - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
 archives:
  - id: oh-my-posh
    format: binary
@ -44,8 +47,10 @@ archives:
 checksum:
  name_template: 'checksums.txt'
 signs:
-  - cmd: openssl
-    args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
+  - cmd: pwsh
+    args:
+      - "-c"
+      - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
    artifacts: checksum
 changelog:
  disable: true