Sign both outer bundle and inner installer on Windows
nazar-pc committed Nov 10, 2024
1 parent a13d3f7 commit 70b80e0
Showing 1 changed file with 28 additions and 9 deletions.
37 changes: 28 additions & 9 deletions .github/workflows/release.yml
@@ -301,7 +301,7 @@ jobs:
tool: cargo-wix
if: runner.os == 'Windows'

- name: Package (Windows)
- name: Package and sign (Windows)
run: |
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
@@ -321,24 +321,43 @@ jobs:
# TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271
# & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK
cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture
# Create bundle with Microsoft Visual C++ Redistributable in it
Remove-Item target\wix\space-acres.wixobj -Confirm:$false
cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
if: runner.os == 'Windows'

- name: Sign Application (Windows)
- name: Sign installer (Windows)
run: |
$ErrorActionPreference = "Stop"
dotnet tool install --global AzureSignTool
(Get-ChildItem -Path target\wix -Include space-acres-*.exe -Recurse) | ForEach-Object {
(Get-ChildItem -Path target\wix -Include space-acres-*.msi) | ForEach-Object {
Write("Signing $($_)");
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
}
# Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
continue-on-error: ${{ github.repository_owner != 'autonomys' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'Windows'

- name: Create bundle (Windows)
run: |
# Create a bundle with Microsoft Visual C++ Redistributable in it
Remove-Item target\wix\space-acres.wixobj -Confirm:$false
cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
if: runner.os == 'Windows'

- name: Sign bundle (Windows)
run: |
$ErrorActionPreference = "Stop"
dotnet tool install --global AzureSignTool
(Get-ChildItem -Path target\wix -Include space-acres-*.exe) | ForEach-Object {
Write("Signing $($_)");
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
}
# Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
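Review bot: Both signing steps can finish green without signing anything. The `Get-ChildItem -Path target\wix -Include space-acres-*.msi` call (and the `.exe` one in "Sign bundle") has no `-Recurse`, and to my knowledge `-Include` without `-Recurse` or a trailing `\*` on the path is matched against the container rather than its children, so the loop may run zero times; this is worth confirming on a runner. Even when files match, `$ErrorActionPreference = "Stop"` does not turn a non-zero exit from `AzureSignTool` inside `ForEach-Object` into a failure, so only the last native command's exit code appears to decide the step result. On a tagged release, where `continue-on-error` evaluates to false, that would let an unsigned installer or bundle ship from a passing job. I would fail explicitly on an empty match and on each non-zero `$LASTEXITCODE`, as sketched below for the installer step (the bundle step needs the same change, and its tail lies outside the visible hunk). Pinning the tool with `dotnet tool install --global AzureSignTool --version <PINNED_VERSION>` would also keep the binary that receives the Key Vault credentials reproducible.

```yaml
      - name: Sign installer (Windows)
        run: |
          $ErrorActionPreference = "Stop"
          # … unchanged: dotnet tool install …
          $files = @(Get-ChildItem -Path target\wix\* -Include space-acres-*.msi)
          if ($files.Count -eq 0) { throw "No installer found to sign in target\wix" }
          $files | ForEach-Object {
            # … unchanged: Write + AzureSignTool sign invocation …
            if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed for $($_)" }
          }
```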