
Commit b8f2f9d

Add code sign of Windows installer
Windows installer will now get automatically signed using Diffblue code sign certificate so that it will no longer appear as from unknown publisher when installer is executed. Windows package release action has 5 tasks added:

1. Setup code sign environment where path to signtool.exe is added to GITHUB_PATH environmental variable and PFX certificate file name is kept as "pfxcert" variable in GITHUB_ENV environmental variable.
2. Decoding Personal Information Exchange file (*.pfx) from GitHub Secrets into a file.
3. Signing the Windows Installer package with decoded certificate using signtool from Windows SDK.
4. Deleting decoded certificate file.
5. Verifying the signature.
1 parent 076b72e commit b8f2f9d

1 file changed

+21
-0
lines changed

.github/workflows/release-packages.yaml

Lines changed: 21 additions & 0 deletions
@@ -112,6 +112,10 @@ jobs:
112112
choco install winflexbison3
113113
- uses: microsoft/[email protected]
114114
name: Setup Visual Studio environment
115+
- name: Setup code sign environment
116+
run: |
117+
echo "$(Split-Path -Path $(Get-ChildItem -Path ${env:ProgramFiles(x86)} -Recurse -Filter 'signtool.exe' | Where-Object FullName -like '*10.0.19041.0\x64\signtool.exe').FullName)" >> $env:GITHUB_PATH
118+
echo "pfxcert=$([string](Get-Location)+'\CodeSignCertificate.pfx')" >> $env:GITHUB_ENV
115119
- name: Configure with cmake
116120
run: |
117121
New-Item -ItemType Directory -Path build
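Review bot: the signtool lookup in the "Setup code sign environment" step has no guard for the no-match case: if the runner image carries no `10.0.19041.0\x64\signtool.exe`, `Where-Object` yields nothing, `Split-Path` is handed a null path, and the job either stops on a parameter-binding error here or appends an empty entry to `GITHUB_PATH` and only fails later in "Sign the installer" with "signtool.exe is not recognized". Resolve the path to a variable first and fail with a clear message, e.g. `if (-not $signtool) { throw 'signtool.exe not found' }`, and prefer a direct `Windows Kits\10\bin\<version>\x64` path over a `-Recurse` scan of all of Program Files (x86), which is slow and version-pinned anyway. Also, `pfxcert` is placed in the checked-out workspace via `Get-Location`; writing the decoded certificate under `$env:RUNNER_TEMP` keeps it out of any later artifact upload or git operation on the tree.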
@@ -130,6 +134,23 @@ jobs:
130134
$msi_name = Get-ChildItem -Filter *.msi -Name
131135
Write-Output "::set-output name=msi_installer::build/$msi_name"
132136
Write-Output "::set-output name=msi_name::$msi_name"
137+
- name: Decode signing certificate
138+
id: decode_certificate
139+
run: |
140+
$pfx_bytes=[System.Convert]::FromBase64String("${{ secrets.CODESIGNCERTPFX }}")
141+
[IO.File]::WriteAllBytes($env:pfxcert, $pfx_bytes)
142+
- name: Sign the installer
143+
id: code_sign
144+
run: |
145+
& signtool.exe sign /f $env:pfxcert /p "${{ secrets.CODESIGNCERTPASSWORD }}" /tr http://tsa.starfieldtech.com ${{ steps.create_packages.outputs.msi_installer }}
146+
- name: Remove signing certificate
147+
id: remove_certificate
148+
run: |
149+
Remove-Item $env:pfxcert
150+
- name: Verify installer signature
151+
id: verify_codesign
152+
run: |
153+
& signtool.exe verify /pa ${{ steps.create_packages.outputs.msi_installer }}
133154
- name: Get release info
134155
id: get_release_info
135156
uses: bruceadams/[email protected]
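Review bot: the "Remove signing certificate" step has no `if: always()`, so when "Sign the installer" fails (wrong password, unreachable timestamp server) the decoded PFX at `$env:pfxcert` stays on the runner's disk; add `if: always()` to that step so cleanup runs on failure too. On the `signtool.exe sign` line, `${{ secrets.CODESIGNCERTPASSWORD }}` (and `${{ secrets.CODESIGNCERTPFX }}` in the decode step) is substituted into the script text before PowerShell runs, so a password containing `"` or `$` breaks the command and the value relies on log masking alone; pass both through `env:` and reference them as `$env:...` instead. The sign command also omits `/fd`, so signtool falls back to its default SHA-1 file digest, and `/tr` without `/td` does the same for the timestamp; add `/fd SHA256 /td SHA256`. For the verify step, `/v` would print the certificate chain and timestamp in the job log, which makes the release signature auditable after the fact.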
