mirror of
https://github.com/Chia-Network/chia-blockchain.git
synced 2024-08-17 23:01:02 +03:00
New windows signing cert (#16032)
* Updates for new windows signing * Add to PATH
This commit is contained in:
parent
914505f945
commit
a91e8d226c
38
.github/workflows/build-windows-installer.yml
vendored
38
.github/workflows/build-windows-installer.yml
vendored
@ -126,16 +126,39 @@ jobs:
|
||||
if [ -n "$GLUE_ACCESS_TOKEN" ]; then HAS_GLUE_SECRET='true' ; fi
|
||||
echo HAS_GLUE_SECRET=${HAS_GLUE_SECRET} >> "$GITHUB_OUTPUT"
|
||||
env:
|
||||
SIGNING_SECRET: "${{ secrets.WIN_CODE_SIGN_CERT }}"
|
||||
SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"
|
||||
AWS_SECRET: "${{ secrets.INSTALLER_UPLOAD_KEY }}"
|
||||
GLUE_ACCESS_TOKEN: "${{ secrets.GLUE_ACCESS_TOKEN }}"
|
||||
|
||||
- name: Decode code signing cert into an encrypted file
|
||||
- name: Setup Certificate
|
||||
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||
uses: kitek/decode-base64-into-file-action@1.0
|
||||
with:
|
||||
encoded-value: ${{ secrets.WIN_CODE_SIGN_CERT }}
|
||||
destination-file: .\win_code_sign_cert.p12
|
||||
shell: bash
|
||||
run: |
|
||||
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
|
||||
|
||||
- name: Set signing variables
|
||||
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||
shell: bash
|
||||
run: |
|
||||
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
|
||||
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
|
||||
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
|
||||
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
|
||||
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
|
||||
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
|
||||
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
|
||||
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
|
||||
|
||||
- name: Setup SSM KSP on windows latest
|
||||
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||
shell: cmd
|
||||
run: |
|
||||
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
|
||||
msiexec /i smtools-windows-x64.msi /quiet /qn
|
||||
smksp_registrar.exe list
|
||||
smctl.exe keypair ls
|
||||
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
|
||||
smksp_cert_sync.exe
|
||||
|
||||
# Create our own venv outside of the git directory JUST for getting the ACTUAL version so that install can't break it
|
||||
- name: Get version number
|
||||
@ -230,8 +253,7 @@ jobs:
|
||||
- name: Build Windows installer
|
||||
env:
|
||||
CHIA_INSTALLER_VERSION: ${{ steps.version_number.outputs.CHIA_INSTALLER_VERSION }}
|
||||
HAS_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
|
||||
CSC_KEY_PASSWORD: ${{ secrets.WIN_CODE_SIGN_PASS }}
|
||||
HAS_SIGNING_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
|
||||
run: |
|
||||
$env:path="C:\Program` Files` (x86)\Microsoft` Visual` Studio\2019\Enterprise\SDK\ScopeCppSDK\vc15\VC\bin\;$env:path"
|
||||
$env:path="C:\Program` Files` (x86)\Windows` Kits\10\App` Certification` Kit;$env:path"
|
||||
|
@ -38,9 +38,6 @@ npm ci
|
||||
$Env:Path = $(npm bin) + ";" + $Env:Path
|
||||
|
||||
Set-Location -Path "..\..\" -PassThru
|
||||
If ($env:HAS_SECRET) {
|
||||
$env:CSC_LINK = Join-Path "." "win_code_sign_cert.p12" -Resolve
|
||||
}
|
||||
|
||||
Write-Output " ---"
|
||||
Write-Output "Prepare Electron packager"
|
||||
@ -76,12 +73,15 @@ electron-builder build --win --x64 --config.productName="Chia"
|
||||
Get-ChildItem dist\win-unpacked\resources
|
||||
Write-Output " ---"
|
||||
|
||||
If ($env:HAS_SECRET) {
|
||||
If ($env:HAS_SIGNING_SECRET) {
|
||||
Write-Output " ---"
|
||||
Write-Output "Sign App"
|
||||
signtool.exe sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\dist\ChiaSetup-$packageVersion.exe
|
||||
Write-Output " ---"
|
||||
Write-Output "Verify signature"
|
||||
Write-Output " ---"
|
||||
signtool.exe verify /v /pa .\dist\ChiaSetup-$packageVersion.exe
|
||||
} Else {
|
||||
} Else {
|
||||
Write-Output "Skipping verify signatures - no authorization to install certificates"
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user