Skip to content

Commit

Permalink
Sign both outer bundle and inner installer on Windows
Browse files Browse the repository at this point in the history
  • Loading branch information
nazar-pc committed Nov 10, 2024
1 parent a13d3f7 commit 6f28fc6
Showing 1 changed file with 27 additions and 8 deletions.
35 changes: 27 additions & 8 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -321,24 +321,43 @@ jobs:
# TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271
# & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK
cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture
# Create bundle with Microsoft Visual C++ Redistributable in it
Remove-Item target\wix\space-acres.wixobj -Confirm:$false
cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
if: runner.os == 'Windows'

- name: Sign Application (Windows)
- name: Sign installer (Windows)
run: |
$ErrorActionPreference = "Stop"
dotnet tool install --global AzureSignTool
(Get-ChildItem -Path target\wix -Include space-acres-*.exe -Recurse) | ForEach-Object {
(Get-ChildItem -Path target\wix -Include space-acres-*.msi) | ForEach-Object {
Write("Signing $($_)");
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
}
# Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
continue-on-error: ${{ github.repository_owner != 'autonomys' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'Windows'

- name: Create bundle (Windows)
run: |
# Create a bundle with Microsoft Visual C++ Redistributable in it
Remove-Item target\wix\space-acres.wixobj -Confirm:$false
cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
if: runner.os == 'Windows'

- name: Sign bundle (Windows)
run: |
$ErrorActionPreference = "Stop"
dotnet tool install --global AzureSignTool
(Get-ChildItem -Path target\wix -Include space-acres-*.exe) | ForEach-Object {
Write("Signing $($_)");
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
}
# Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
Expand Down

0 comments on commit 6f28fc6

Please sign in to comment.