feat(build): sign windows binaries on release
JanDeDobbeleer committed Jul 9, 2024
1 parent df37796 commit 5debf6a
Showing 4 changed files with 37 additions and 13 deletions.
35 changes: 27 additions & 8 deletions .github/workflows/release.yml
Expand Up @@ -32,9 +32,7 @@ jobs:
artifacts:
needs: changelog
if: ${{ needs.changelog.outputs.skipped == 'false' }}
runs-on: ubuntu-latest
env:
SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
runs-on: windows-latest
defaults:
run:
shell: pwsh
Expand All @@ -49,19 +47,40 @@ jobs:
git config --global user.name "GitHub Actions"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git tag ${{ needs.changelog.outputs.tag }}
- name: Private Key 🔐
- name: Prerequisites 🔐
run: |
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
$env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
$shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
$env:SIGNING_KEY > $shaSigningKeyLocation
Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
$encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# requires Windows Dev Kit 10.0.22621.0
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
# openssl
$openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
env:
SIGNING_KEY: ${{secrets.SIGNING_KEY}}
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
- name: Run GoReleaser 🚀
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
with:
distribution: goreleaser
version: latest
args: release --clean --skip publish
workdir: src
env:
SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
- name: Zip theme files 🤐
run: |
$compress = @{
Expand All @@ -70,8 +89,8 @@ jobs:
DestinationPath = "./dist/themes.zip"
}
Compress-Archive @compress
- name: Add hashes 🤫
run: |
run: |
- name: Add hashes 🤫
Get-ChildItem ./dist -Exclude *.yaml,*.sig | Get-Unique |
Foreach-Object {
$zipHash = Get-FileHash $_.FullName -Algorithm SHA256
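Review bot: The Prerequisites step writes the raw signing key and the decoded PFX into `$env:RUNNER_TEMP` (the `$env:SIGNING_KEY > $shaSigningKeyLocation` and `Set-Content -Path $pfxPath` lines) and no later step removes them. A GitHub-hosted runner is discarded after the job, but on a self-hosted runner that key material would stay on disk for every following job, so I would add a final step that always runs: `- name: Cleanup 🧹` / `if: always()` / `run: Remove-Item -Force -ErrorAction SilentlyContinue $env:SHA_SIGNING_KEY_LOCATION, $env:SIGNING_CERTIFICATE_LOCATION`. The `$signtool` path is pinned to SDK build 10.0.22621.0 with only a comment saying it is required; a `Test-Path` check on it in the same step would make a runner-image change fail here with a clear message instead of inside the GoReleaser hook. The `jobs:` block starts above this section and the "Add hashes" step continues below it.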
4 changes: 2 additions & 2 deletions packages/inno/build.ps1
Expand Up @@ -10,10 +10,10 @@ Param

# Get signing certificate
$pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
# create a base64 encoded value of your certificate using
# [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
# requires Windows Dev Kit 10.0.22000.0
# requires Windows Dev Kit 10.0.22621.0
$encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream

2 changes: 1 addition & 1 deletion packages/inno/oh-my-posh.iss
Expand Up @@ -17,7 +17,7 @@ SignedUninstaller=yes
CloseApplications=no

[Files]
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
Source: "bin\themes\*"; DestDir: "{app}\themes"

[Registry]
9 changes: 7 additions & 2 deletions src/.goreleaser.yml
Expand Up @@ -37,15 +37,20 @@ builds:
goarch: arm
- goos: windows
goarch: arm
hooks:
post:
- pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
archives:
- id: oh-my-posh
format: binary
name_template: "posh-{{ .Os }}-{{ .Arch }}"
checksum:
name_template: 'checksums.txt'
signs:
- cmd: openssl
args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
- cmd: pwsh
args:
- "-c"
- "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
artifacts: checksum
changelog:
disable: true
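Review bot: The `post` hook signs with `/t http://timestamp.digicert.com`, which requests a legacy Authenticode timestamp rather than an RFC 3161 one, so the timestamp countersignature is not SHA-256 like the file digest selected by `/fd SHA256`; use `/tr http://timestamp.digicert.com /td SHA256` instead. The PFX password is also expanded by the template straight into the `pwsh -c` string between single quotes, so a password containing `'` would break the command, and the value lands in the argv of both pwsh and signtool rather than staying in the environment — if hook processes inherit the step environment, writing `/p $env:SIGNING_CERTIFICATE_PASSWORD` inside the script avoids the template expansion. Consider following the sign call with `signtool verify /pa` on the same `{{ .Path }}` so a binary that ends up unsigned fails the build rather than shipping. The `builds` entry this hook belongs to starts above the hunk.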
