-rw-r--r-- | .github/workflows/build.yml | 37 | ||||
-rw-r--r-- | .github/workflows/trigger_builds.yml | 2 | ||||
-rw-r--r-- | .github/workflows/trigger_release.yml | 3 | ||||
-rw-r--r-- | launcher/Application.cpp | 1 | ||||
-rw-r--r-- | launcher/MMCZip.cpp | 17 |
5 files changed, 55 insertions, 5 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 625ac099..8934f584 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,12 @@ on: SPARKLE_ED25519_KEY: description: Private key for signing Sparkle updates required: false + WINDOWS_CODESIGN_CERT: + description: Certificate for signing Windows builds + required: false + WINDOWS_CODESIGN_PASSWORD: + description: Password for signing Windows builds + required: false CACHIX_AUTH_TOKEN: description: Private token for authenticating against Cachix cache required: false @@ -40,6 +46,7 @@ jobs: - os: windows-2022 name: "Windows-MinGW-w64" msystem: clang64 + vcvars_arch: 'amd64_x86' - os: windows-2022 name: "Windows-MSVC-Legacy" @@ -151,7 +158,7 @@ jobs: - name: Retrieve ccache cache (Windows MinGW-w64) if: runner.os == 'Windows' && matrix.msystem != '' && inputs.build_type == 'Debug' - uses: actions/cache@v3.2.5 + uses: actions/cache@v3.2.6 with: path: '${{ github.workspace }}\.ccache' key: ${{ matrix.os }}-mingw-w64-ccache-${{ github.run_id }} @@ -225,7 +232,7 @@ jobs: cache: ${{ inputs.is_qt_cached }} - name: Install MSVC (Windows MSVC) - if: runner.os == 'Windows' && matrix.msystem == '' + if: runner.os == 'Windows' # We want this for MinGW builds as well, as we need SignTool uses: ilammy/msvc-dev-cmd@v1 with: vsversion: 2022 
@@ -377,6 +384,23 @@ jobs: Copy-Item D:/a/PrismLauncher/Qt/Tools/OpenSSL/Win_x86/bin/libssl-1_1.dll -Destination libssl-1_1.dll } + - name: Fetch codesign certificate (Windows) + if: runner.os == 'Windows' + shell: bash # yes, we are not using MSYS2 or PowerShell here + run: | + echo '${{ secrets.WINDOWS_CODESIGN_CERT }}' | base64 --decode > codesign.pfx + + - name: Sign executable (Windows) + if: runner.os == 'Windows' + run: | + if (Get-Content ./codesign.pfx){ + cd ${{ env.INSTALL_DIR }} + # We ship the exact same executable for portable and non-portable editions, so signing just once is fine + SignTool sign /fd sha256 /td sha256 /f ../codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com prismlauncher.exe + } else { + ":warning: Skipped code signing for Windows, as certificate was not present." >> $env:GITHUB_STEP_SUMMARY + } + - name: Package (Windows MinGW-w64, portable) if: runner.os == 'Windows' && matrix.msystem != '' shell: msys2 {0} @@ -396,6 +420,15 @@ jobs: cd ${{ env.INSTALL_DIR }} makensis -NOCD "${{ github.workspace }}/${{ env.BUILD_DIR }}/program_info/win_install.nsi" + - name: Sign installer (Windows) + if: runner.os == 'Windows' + run: | + if (Get-Content ./codesign.pfx){ + SignTool sign /fd sha256 /td sha256 /f codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com PrismLauncher-Setup.exe + } else { + ":warning: Skipped code signing for Windows, as certificate was not present." >> $env:GITHUB_STEP_SUMMARY + } + - name: Package (Linux) if: runner.os == 'Linux' run: | diff --git a/.github/workflows/trigger_builds.yml b/.github/workflows/trigger_builds.yml index a08193a0..26ee4380 100644 --- a/.github/workflows/trigger_builds.yml +++ b/.github/workflows/trigger_builds.yml 
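Review bot: The "Fetch codesign certificate" and "Sign executable" steps expand `${{ secrets.WINDOWS_CODESIGN_CERT }}` and `${{ secrets.WINDOWS_CODESIGN_PASSWORD }}` directly into the script text, and the decoded `codesign.pfx` is never removed in the visible hunks. A quote character in either value would change the command that runs, and the private key stays in the workspace for every later step of the job, including any packaging or upload outside these hunks. I would map both secrets under each step's `env:` and reference them as variables (for example `/p $env:WINDOWS_CODESIGN_PASSWORD`), then add a last Windows-only step with `if: always()` that deletes `codesign.pfx`. The same applies to "Sign installer (Windows)" in the `@@ -396` hunk. `if (Get-Content ./codesign.pfx)` also reads the whole binary as text only to test for emptiness; `(Get-Item ./codesign.pfx).Length -gt 0` states the intent.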
@@ -31,4 +31,6 @@ jobs: is_qt_cached: true secrets: SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }} + WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }} + WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }} CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} diff --git a/.github/workflows/trigger_release.yml b/.github/workflows/trigger_release.yml index a2f89819..3c56a38e 100644 --- a/.github/workflows/trigger_release.yml +++ b/.github/workflows/trigger_release.yml @@ -15,6 +15,9 @@ jobs: is_qt_cached: false secrets: SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }} + WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }} + WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }} + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} create_release: needs: build_release diff --git a/launcher/Application.cpp b/launcher/Application.cpp index 0d3b086f..caaa74c8 100644 --- a/launcher/Application.cpp +++ b/launcher/Application.cpp @@ -79,6 +79,7 @@ #include <iostream> #include <mutex> +#include <QFileOpenEvent> #include <QAccessible> #include <QCommandLineParser> #include <QDir> diff --git a/launcher/MMCZip.cpp b/launcher/MMCZip.cpp index f6600343..31460bf4 100644 --- a/launcher/MMCZip.cpp +++ b/launcher/MMCZip.cpp @@ -275,7 +275,8 @@ bool MMCZip::findFilesInZip(QuaZip * zip, const QString & what, QStringList & re // ours std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & subdir, const QString &target) { - QDir directory(target); + auto absDirectoryUrl = QUrl::fromLocalFile(target); + QStringList extracted; qDebug() << "Extracting subdir" << subdir << "from" << zip->getZipName() << "to" << target; 
@@ -305,6 +306,11 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su name.remove(0, subdir.size()); auto original_name = name; + // Fix subdirs/files ending with a / getting transformed into absolute paths + if(name.startsWith('/')){ + name = name.mid(1); + } + // Fix weird "folders with a single file get squashed" thing QString path; if(name.contains('/') && !name.endsWith('/')){ @@ -317,11 +323,16 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su QString absFilePath; if(name.isEmpty()) { - absFilePath = directory.absoluteFilePath(name) + "/"; + absFilePath = FS::PathCombine(target, "/"); // FIXME this seems weird } else { - absFilePath = directory.absoluteFilePath(path + name); + absFilePath = FS::PathCombine(target, path + name); + } + + if (!absDirectoryUrl.isParentOf(QUrl::fromLocalFile(absFilePath))) { + qWarning() << "Extracting" << name << "was cancelled, because it was effectively outside of the target path" << target; + return std::nullopt; } if (!JlCompress::extractFile(zip, "", absFilePath)) |
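Review bot: The containment check added in the `@@ -317` hunk compares two path strings that are normalised differently: `absDirectoryUrl` (from the `@@ -275` hunk) is built from `target` exactly as passed in, while `absFilePath` goes through `FS::PathCombine`, whose body is not part of this diff. `QUrl::isParentOf` is, as far as I can tell, a prefix comparison on the URL path, so the check only rejects `../` entries if `FS::PathCombine` collapses them, and a `target` with a trailing separator or redundant segments could make every entry fail the test. Normalising once and using that value on both sides, e.g. `QUrl::fromLocalFile(QDir::cleanPath(target))` and the same cleaned string in the `FS::PathCombine` calls, would make the comparison independent of how the caller spells the directory. The `name.isEmpty()` branch marked FIXME needs a test too: if `FS::PathCombine(target, "/")` returns `target` without the separator, `isParentOf` is false for equal paths and extraction aborts on the subdirectory entry itself. The function continues beyond these hunks, so whether files already recorded in `extracted` are removed on the new `return std::nullopt` is not visible here.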