feat(build): sign windows binaries on release

JanDeDobbeleer · Jul 9, 2024 · 9bbd91b · 9bbd91b
1 parent df37796
commit 9bbd91b
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 12 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,9 +32,7 @@ jobs:
   artifacts:
     needs: changelog
     if: ${{ needs.changelog.outputs.skipped == 'false' }}
-    runs-on: ubuntu-latest
-    env:
-      SIGNING_KEY_LOCATION: "/tmp/private_key.pem"
+    runs-on: windows-latest
     defaults:
       run:
         shell: pwsh
@@ -49,19 +47,40 @@ jobs:
           git config --global user.name "GitHub Actions"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git tag ${{ needs.changelog.outputs.tag }}
-      - name: Private Key 🔐
+      - name: Prerequisites 🔐
         run: |
           $PSDefaultParameterValues['Out-File:Encoding']='UTF8'
-          $env:SIGNING_KEY > $env:SIGNING_KEY_LOCATION
+
+          $shaSigningKeyLocation = Join-Path -Path $env:RUNNER_TEMP -ChildPath sha_signing_key.pem
+          $env:SIGNING_KEY > $shaSigningKeyLocation
+          Write-Output "SHA_SIGNING_KEY_LOCATION=$shaSigningKeyLocation" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # create a base64 encoded value of your certificate using
+          # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
+          $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "code_signing_cert.pfx"
+          $encodedBytes = [System.Convert]::FromBase64String($env:SIGNING_CERTIFICATE)
+          Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
+          Write-Output "SIGNING_CERTIFICATE_LOCATION=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # requires Windows Dev Kit 10.0.22621.0
+          $signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
+          Write-Output "SIGNTOOL=$signtool" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          # openssl
+          $openssl = 'C:/Program Files/Git/usr/bin/openssl.exe'
+          Write-Output "OPENSSL=$openssl" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
         env:
-          SIGNING_KEY: ${{secrets.SIGNING_KEY}}
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          SIGNING_CERTIFICATE: ${{ secrets.CERTIFICATE }}
       - name: Run GoReleaser 🚀
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200
         with:
           distribution: goreleaser
           version: latest
           args: release --clean --skip publish
           workdir: src
+        env:
+          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
       - name: Zip theme files 🤐
         run: |
           $compress = @{
@@ -77,7 +96,6 @@ jobs:
             $zipHash = Get-FileHash $_.FullName -Algorithm SHA256
             $zipHash.Hash | Out-File -Encoding 'UTF8' "./dist/$($_.Name).sha256"
           }
-        shell: pwsh
       - name: Release 🎓
         uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0
         with:

diff --git a/packages/inno/build.ps1 b/packages/inno/build.ps1
@@ -10,10 +10,10 @@ Param
 
 # Get signing certificate
 $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"
-$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe'
+$signtool = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe'
 # create a base64 encoded value of your certificate using
 # [convert]::ToBase64String((Get-Content -path "certificate.pfx" -AsByteStream))
-# requires Windows Dev Kit 10.0.22000.0
+# requires Windows Dev Kit 10.0.22621.0
 $encodedBytes = [System.Convert]::FromBase64String($env:CERTIFICATE)
 Set-Content -Path $pfxPath -Value $encodedBytes -AsByteStream
 

diff --git a/packages/inno/oh-my-posh.iss b/packages/inno/oh-my-posh.iss
@@ -17,7 +17,7 @@ SignedUninstaller=yes
 CloseApplications=no
 
 [Files]
-Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"; Flags: sign
+Source: "bin\oh-my-posh.exe"; DestDir: "{app}\bin"
 Source: "bin\themes\*"; DestDir: "{app}\themes"
 
 [Registry]

diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml
@@ -37,15 +37,20 @@ builds:
         goarch: arm
       - goos: windows
         goarch: arm
+    hooks:
+      post:
+        - pwsh -c "if ('{{ .Path }}'.EndsWith('.exe')) { & '{{ .Env.SIGNTOOL }}' sign /f '{{ .Env.SIGNING_CERTIFICATE_LOCATION }}' /p '{{ .Env.SIGNING_CERTIFICATE_PASSWORD }}' /fd SHA256 /t http://timestamp.digicert.com '{{ .Path }}' }"
 archives:
   - id: oh-my-posh
     format: binary
     name_template: "posh-{{ .Os }}-{{ .Arch }}"
 checksum:
   name_template: 'checksums.txt'
 signs:
-  - cmd: openssl
-    args: [ "pkeyutl", "-sign", "-inkey", "{{ .Env.SIGNING_KEY_LOCATION }}", "-out", "${artifact}.sig", "-rawin", "-in", "${artifact}" ]
+  - cmd: pwsh
+    args:
+      - "-c"
+      - "& '{{ .Env.OPENSSL }}' pkeyutl -sign -inkey '{{ .Env.SHA_SIGNING_KEY_LOCATION }}' -out '${artifact}.sig' -rawin -in '${artifact}'"
     artifacts: checksum
 changelog:
   disable: true