authorSefa Eyeoglu <contact@scrumplex.net>2023-02-14 11:10:29 +0100
committerSefa Eyeoglu <contact@scrumplex.net>2023-02-15 20:43:33 +0100
commit89c945ecc8de579e8f93ae302a7dabf4629e188f (patch)
treed30d222532d49f1a75c9fc8b3cf71c29de3c555a
parentc15962c6c1f2e461178dce09c88cd81c844fce71 (diff)
downloadPrismLauncher-89c945ecc8de579e8f93ae302a7dabf4629e188f.tar.gz
PrismLauncher-89c945ecc8de579e8f93ae302a7dabf4629e188f.tar.bz2
PrismLauncher-89c945ecc8de579e8f93ae302a7dabf4629e188f.zip
feat(ci): add Windows codesigning
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
-rw-r--r--.github/workflows/build.yml27
-rw-r--r--.github/workflows/trigger_builds.yml2
-rw-r--r--.github/workflows/trigger_release.yml3
3 files changed, 31 insertions, 1 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 625ac099..c3b9f206 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,12 @@ on:
SPARKLE_ED25519_KEY:
description: Private key for signing Sparkle updates
required: false
+ WINDOWS_CODESIGN_CERT:
+ description: Certificate for signing Windows builds
+ required: false
+ WINDOWS_CODESIGN_PASSWORD:
+ description: Password for signing Windows builds
+ required: false
CACHIX_AUTH_TOKEN:
description: Private token for authenticating against Cachix cache
required: false
@@ -40,6 +46,7 @@ jobs:
- os: windows-2022
name: "Windows-MinGW-w64"
msystem: clang64
+ vcvars_arch: 'amd64_x86'
- os: windows-2022
name: "Windows-MSVC-Legacy"
@@ -225,7 +232,7 @@ jobs:
cache: ${{ inputs.is_qt_cached }}
- name: Install MSVC (Windows MSVC)
- if: runner.os == 'Windows' && matrix.msystem == ''
+ if: runner.os == 'Windows' # We want this for MinGW builds as well, as we need SignTool
uses: ilammy/msvc-dev-cmd@v1
with:
vsversion: 2022
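Review bot: With the condition widened to every Windows job, `ilammy/msvc-dev-cmd@v1` now runs ahead of the signing steps and prepares the environment that `SignTool` is resolved from, yet it is referenced by a movable tag. Pinning it to a full commit SHA, `uses: ilammy/msvc-dev-cmd@<full-commit-sha>  # v1`, keeps a retagged release from changing what runs in the job that handles the certificate. The `uses:` line itself is unchanged context, and the step's `with:` block continues past the end of the hunk.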
@@ -377,6 +384,19 @@ jobs:
Copy-Item D:/a/PrismLauncher/Qt/Tools/OpenSSL/Win_x86/bin/libssl-1_1.dll -Destination libssl-1_1.dll
}
+ - name: Fetch codesign certificate (Windows)
+ if: runner.os == 'Windows'
+ shell: bash # yes, we are not using MSYS2 or PowerShell here
+ run: |
+ echo '${{ secrets.WINDOWS_CODESIGN_CERT }}' | base64 --decode > codesign.pfx
+
+ - name: Sign executable (Windows)
+ if: runner.os == 'Windows'
+ run: |
+ cd ${{ env.INSTALL_DIR }}
+ # We ship the exact same executable for portable and non-portable editions, so signing just once is fine
+ SignTool sign /fd sha256 /td sha256 /f ../codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com prismlauncher.exe
+
- name: Package (Windows MinGW-w64, portable)
if: runner.os == 'Windows' && matrix.msystem != ''
shell: msys2 {0}
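Review bot: Both new steps paste the secrets into the script text with `${{ secrets.… }}` inside single quotes, so a value containing `'` breaks the command, and the secret ends up in the generated script file rather than in an environment variable. The `Sign installer` step in the `@@ -396` hunk has the same problem. Map the secrets through `env:` and reference them from the shell instead. The secrets are declared `required: false` in the first hunk, yet these steps run on every Windows job, so a run without secrets (for example a pull request from a fork) would write an empty `codesign.pfx` and presumably fail at SignTool; the sketch below skips signing in that case. It assumes the sign step runs under the runner's default PowerShell shell, which is not visible here.

```yaml
- name: Fetch codesign certificate (Windows)
  if: runner.os == 'Windows'
  shell: bash # yes, we are not using MSYS2 or PowerShell here
  env:
    WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }}
  run: |
    if [ -z "$WINDOWS_CODESIGN_CERT" ]; then
      echo "::warning::No codesign certificate provided, Windows build will be unsigned"
      exit 0
    fi
    printf '%s' "$WINDOWS_CODESIGN_CERT" | base64 --decode > codesign.pfx

- name: Sign executable (Windows)
  # hashFiles() returns '' when the certificate step was skipped
  if: runner.os == 'Windows' && hashFiles('codesign.pfx') != ''
  env:
    WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
  run: |
    cd ${{ env.INSTALL_DIR }}
    # … unchanged: comment on signing once for portable and non-portable …
    SignTool sign /fd sha256 /td sha256 /f ../codesign.pfx /p "$env:WINDOWS_CODESIGN_PASSWORD" /tr http://timestamp.digicert.com prismlauncher.exe
```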
@@ -396,6 +416,11 @@ jobs:
cd ${{ env.INSTALL_DIR }}
makensis -NOCD "${{ github.workspace }}/${{ env.BUILD_DIR }}/program_info/win_install.nsi"
+ - name: Sign installer (Windows)
+ if: runner.os == 'Windows'
+ run: |
+ SignTool sign /fd sha256 /td sha256 /f codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com PrismLauncher-Setup.exe
+
- name: Package (Linux)
if: runner.os == 'Linux'
run: |
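Review bot: `codesign.pfx` is written to the workspace root by the earlier hunk and nothing visible removes it after this last use, so the key material stays on disk for the packaging and upload steps that follow outside this hunk. Add a cleanup step right after `Sign installer (Windows)` with `if: always() && runner.os == 'Windows'` that runs `Remove-Item -Force -ErrorAction SilentlyContinue codesign.pfx`. Following the sign with `SignTool verify /pa PrismLauncher-Setup.exe` would also catch a signature that was not actually applied.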
diff --git a/.github/workflows/trigger_builds.yml b/.github/workflows/trigger_builds.yml
index a08193a0..26ee4380 100644
--- a/.github/workflows/trigger_builds.yml
+++ b/.github/workflows/trigger_builds.yml
@@ -31,4 +31,6 @@ jobs:
is_qt_cached: true
secrets:
SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }}
+ WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }}
+ WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
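Review bot: Forwarding `WINDOWS_CODESIGN_CERT` and `WINDOWS_CODESIGN_PASSWORD` here gives every build started by this workflow access to the release signing key, not only tagged releases. The triggers of `trigger_builds.yml` are outside the hunk; if it runs on ordinary branch pushes, consider passing the two secrets only from `trigger_release.yml`, or storing them in a protected environment so that only approved refs can read them. If signing development builds is intended, a comment such as `# development builds are signed too; the key is exposed to every push build` would record that decision.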
diff --git a/.github/workflows/trigger_release.yml b/.github/workflows/trigger_release.yml
index a2f89819..3c56a38e 100644
--- a/.github/workflows/trigger_release.yml
+++ b/.github/workflows/trigger_release.yml
@@ -15,6 +15,9 @@ jobs:
is_qt_cached: false
secrets:
SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }}
+ WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }}
+ WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+ CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
create_release:
needs: build_release