
Commit 473f6a9

authored
Merge pull request #5552 from piotr-grabalski/win-installer-codesign
Add code sign of Windows installer
2 parents 9ed3fb7 + b8f2f9d commit 473f6a9


1 file changed

+21
-0
lines changed


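--- a/.github/workflows/release-packages.yaml
+++ b/.github/workflows/release-packages.yaml
@@ -112,6 +112,10 @@ jobs:
 choco install winflexbison3
 - uses: microsoft/[email protected]
 name: Setup Visual Studio environment
+- name: Setup code sign environment
+run: |
+echo "$(Split-Path -Path $(Get-ChildItem -Path ${env:ProgramFiles(x86)} -Recurse -Filter 'signtool.exe' | Where-Object FullName -like '*10.0.19041.0\x64\signtool.exe').FullName)" >> $env:GITHUB_PATH
+echo "pfxcert=$([string](Get-Location)+'\CodeSignCertificate.pfx')" >> $env:GITHUB_ENV
 - name: Configure with cmake
 run: |
 New-Item -ItemType Directory -Path build
@@ -130,6 +134,23 @@ jobs:
 $msi_name = Get-ChildItem -Filter *.msi -Name
 Write-Output "::set-output name=msi_installer::build/$msi_name"
 Write-Output "::set-output name=msi_name::$msi_name"
+- name: Decode signing certificate
+id: decode_certificate
+run: |
+$pfx_bytes=[System.Convert]::FromBase64String("${{ secrets.CODESIGNCERTPFX }}")
+[IO.File]::WriteAllBytes($env:pfxcert, $pfx_bytes)
+- name: Sign the installer
+id: code_sign
+run: |
+& signtool.exe sign /f $env:pfxcert /p "${{ secrets.CODESIGNCERTPASSWORD }}" /tr http://tsa.starfieldtech.com ${{ steps.create_packages.outputs.msi_installer }}
+- name: Remove signing certificate
+id: remove_certificate
+run: |
+Remove-Item $env:pfxcert
+- name: Verify installer signature
+id: verify_codesign
+run: |
+& signtool.exe verify /pa ${{ steps.create_packages.outputs.msi_installer }}
 - name: Get release info
 id: get_release_info
 uses: bruceadams/[email protected]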
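Review bot: The `Remove signing certificate` step has no `if: always()`, so when `Sign the installer` fails the decoded PFX stays on disk. `pfxcert` is also built from `Get-Location`, which puts the private key file in the job's working directory next to the build output. Adding `if: always()` to the removal step and writing the file under `$env:RUNNER_TEMP` would narrow that exposure. Both secrets are expanded with `${{ secrets.… }}` straight into the script text; passing them through the step's `env:` block and reading `$env:…` in PowerShell keeps them out of the generated script file, although `/p` still places the password on signtool's command line. The sign command gives `/tr` without `/fd` or `/td`, which on this SDK's signtool presumably falls back to SHA-1 digests (worth confirming), so state `/fd SHA256 /td SHA256` explicitly.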
