feat(ci): add test signing step
This commit is contained in:
Federico Terzi
parent
30bb30de8c
commit
2cb9845e26
22
.github/workflows/release.yml
vendored
22
.github/workflows/release.yml
vendored
|
|
@ -8,6 +8,8 @@ on:
|
|||
branches:
|
||||
- master
|
||||
- dev
|
||||
# TODO: remove
|
||||
- feat/windows-code-sign
|
||||
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
|
@ -65,8 +67,24 @@ jobs:
|
|||
cargo install --force cargo-make --version 0.34.0
|
||||
- name: Test
|
||||
run: cargo make test-binary --profile release
|
||||
- name: Build
|
||||
run: cargo make build-windows-all --profile release
|
||||
- name: Build resources
|
||||
run: cargo make build-windows-resources --profile release
|
||||
- name: Sign resources
|
||||
run: cargo make sign-windows-resources
|
||||
env:
|
||||
CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD }}
|
||||
CODESIGN_CROSS_SIGNED_B64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_B64 }}
|
||||
CODESIGN_CERTIFICATE_B64: ${{ secrets.WIN_CODESIGN_CERTIFICATE_B64 }}
|
||||
- name: Build installer
|
||||
run: cargo make build-windows-installer --profile release
|
||||
- name: Sign installer
|
||||
run: cargo make sign-windows-installer
|
||||
env:
|
||||
CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD }}
|
||||
CODESIGN_CROSS_SIGNED_B64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_B64 }}
|
||||
CODESIGN_CERTIFICATE_B64: ${{ secrets.WIN_CODESIGN_CERTIFICATE_B64 }}
|
||||
- name: Build portable mode archive
|
||||
run: cargo make build-windows-portable --profile release
|
||||
- name: Create portable mode archive
|
||||
shell: powershell
|
||||
run: |
|
||||
|
|
|
|||
|
|
@ -50,6 +50,16 @@ dependencies = ["build-windows-resources"]
|
|||
[tasks.build-windows-all]
|
||||
dependencies = ["build-windows-portable", "build-windows-installer"]
|
||||
|
||||
[tasks.sign-windows-resources]
|
||||
env = { "TARGET_SIGNTOOL_FILE" = "target/windows/resources/espansod.exe" }
|
||||
script_runner = "@rust"
|
||||
script = { file = "scripts/sign_windows_exe.rs" }
|
||||
|
||||
[tasks.sign-windows-installer]
|
||||
env = { "TARGET_SIGNTOOL_FILE" = "target/windows/installer/Espanso-Win-Installer-x86_64.exe" }
|
||||
script_runner = "@rust"
|
||||
script = { file = "scripts/sign_windows_exe.rs" }
|
||||
|
||||
# macOS
|
||||
|
||||
[tasks.build-macos-arm-binary]
|
||||
|
|
|
|||
|
|
@ -1,12 +1,14 @@
|
|||
//! ```cargo
|
||||
//! [dependencies]
|
||||
//! glob = "0.3.0"
|
||||
//! envmnt = "*"
|
||||
//! fs_extra = "1.2.0"
|
||||
//! base64 = "0.13.0"
|
||||
//! anyhow = "1.0.38"
|
||||
//! ```
|
||||
|
||||
use anyhow::Result;
|
||||
use std::path::PathBuf;
|
||||
use std::process::Command;
|
||||
|
||||
const WINDOWS_KITS_LOCATION: &str = "C:/Program Files (x86)/Windows Kits/10/bin";
|
||||
const CERTIFICATE_TARGET_DIR: &str = "target/codesign";
|
||||
|
|
@ -22,7 +24,8 @@ fn main() {
|
|||
let signtool_path = get_signtool_location().expect("unable to locate signtool exe");
|
||||
println!("using signtool location: {:?}", signtool_path);
|
||||
|
||||
let target_exe_file = envmnt::get_or_panic("TARGET_SIGNTOOL_FILE");
|
||||
let target_exe_file =
|
||||
std::env::var("TARGET_SIGNTOOL_FILE").expect("TARGET_SIGNTOOL_FILE env variable not found");
|
||||
let target_exe_path = PathBuf::from(target_exe_file);
|
||||
if !target_exe_path.is_file() {
|
||||
panic!(
|
||||
|
|
@ -33,17 +36,19 @@ fn main() {
|
|||
|
||||
println!("signing file: {:?}", target_exe_path);
|
||||
|
||||
let certificate_pwd = envmnt::get_or_panic("CODESIGN_PWD");
|
||||
let cross_signed_certificate_b64 = envmnt::get_or_panic("CODESIGN_CROSS_SIGNED_B64");
|
||||
let codesign_certificate_b64 = envmnt::get_or_panic("CODESIGN_CERTIFICATE_B64");
|
||||
let certificate_pwd = std::env::var("CODESIGN_PWD").expect("CODESIGN_PWD env variable not found");
|
||||
let cross_signed_certificate_b64 = std::env::var("CODESIGN_CROSS_SIGNED_B64")
|
||||
.expect("CODESIGN_CROSS_SIGNED_B64 env variable not found");
|
||||
let codesign_certificate_b64 = std::env::var("CODESIGN_CERTIFICATE_B64")
|
||||
.expect("CODESIGN_CERTIFICATE_B64 env variable not found");
|
||||
|
||||
let cross_signed_certificate = DecodedCertificate::new(
|
||||
cross_signed_certificate_b64,
|
||||
&cross_signed_certificate_b64,
|
||||
certificate_target_dir.join("SectigoPublicCodeSigningRootR46_AAA.crt"),
|
||||
)
|
||||
.expect("unable to decode intermediate cross-signed certificate");
|
||||
let codesign_certificate = DecodedCertificate::new(
|
||||
codesign_certificate_b64,
|
||||
&codesign_certificate_b64,
|
||||
certificate_target_dir.join("codesign.pfx"),
|
||||
)
|
||||
.expect("unable to decode codesign certificate");
|
||||
|
|
@ -63,7 +68,7 @@ fn main() {
|
|||
"http://timestamp.sectigo.com/rfc3161",
|
||||
"/td",
|
||||
"sha256",
|
||||
&target_exe_path,
|
||||
&target_exe_path.to_string_lossy(),
|
||||
]);
|
||||
|
||||
let mut handle = cmd.spawn().expect("signtool spawn failed");
|
||||
|
|
@ -77,14 +82,14 @@ fn main() {
|
|||
fn get_signtool_location() -> Option<PathBuf> {
|
||||
let mut path: Option<PathBuf> = None;
|
||||
let mut max_version = 0;
|
||||
for entry in glob::glob(format!("{}/*", WINDOWS_KITS_LOCATION))
|
||||
for entry in glob::glob(&format!("{}/*", WINDOWS_KITS_LOCATION))
|
||||
.expect("unable to glob windows kits location")
|
||||
{
|
||||
let entry = entry.expect("unable to unwrap glob entry");
|
||||
if (!entry.is_dir()) {
|
||||
if !entry.is_dir() {
|
||||
continue;
|
||||
}
|
||||
if (!entry.display().ends_with(".0")) {
|
||||
if !entry.to_string_lossy().ends_with(".0") {
|
||||
continue;
|
||||
}
|
||||
let folder_name = entry.file_name().expect("unable to extract folder_name");
|
||||
|
|
@ -95,7 +100,7 @@ fn get_signtool_location() -> Option<PathBuf> {
|
|||
if folder_version > max_version {
|
||||
let signtool_path_candidate = entry.join("x86").join("signtool.exe");
|
||||
if signtool_path_candidate.is_file() {
|
||||
path = signtool_path_candidate;
|
||||
path = Some(signtool_path_candidate);
|
||||
max_version = folder_version;
|
||||
}
|
||||
}
|
||||
|
|
@ -104,26 +109,23 @@ fn get_signtool_location() -> Option<PathBuf> {
|
|||
return path;
|
||||
}
|
||||
|
||||
fn decode_b64_and_save_to_file(b64: &str, target_file: &Path) -> Result<()> {
|
||||
let decoded = base64::decode(b64);
|
||||
std::fs::write(target_file, decoded)
|
||||
}
|
||||
|
||||
struct DecodedCertificate {
|
||||
decoded_file: PathBuf,
|
||||
}
|
||||
|
||||
impl DecodedCertificate {
|
||||
pub fn new(b64: &str, target_file: PathBuf) -> Result<()> {
|
||||
let decoded = base64::decode(b64);
|
||||
std::fs::write(&target_file, decoded)?;
|
||||
Self {
|
||||
pub fn new(b64: &str, target_file: PathBuf) -> Result<Self> {
|
||||
// Keys and certificates are encoded with whitespaces/newlines in them, but we need to remove them
|
||||
let filtered_b64: String = b64.chars().filter(|c| !c.is_whitespace()).collect();
|
||||
let decoded = base64::decode(filtered_b64)?;
|
||||
std::fs::write(&target_file, &decoded)?;
|
||||
Ok(Self {
|
||||
decoded_file: target_file,
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
pub fn path(&self) -> String {
|
||||
self.decoded_file.display()
|
||||
self.decoded_file.to_string_lossy().to_string()
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -131,6 +133,6 @@ impl DecodedCertificate {
|
|||
// to minimize the attack surface
|
||||
impl Drop for DecodedCertificate {
|
||||
fn drop(&mut self) {
|
||||
std::fs::remove_file(self.decoded_file).expect("unable to remove certificate file")
|
||||
std::fs::remove_file(&self.decoded_file).expect("unable to remove certificate file")
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user