mirror of
https://github.com/Chia-Network/chia-blockchain.git
synced 2024-09-17 13:49:19 +03:00
New windows signing cert (#16032)
* Updates for new windows signing * Add to PATH
This commit is contained in:
parent
914505f945
commit
a91e8d226c
38
.github/workflows/build-windows-installer.yml
vendored
38
.github/workflows/build-windows-installer.yml
vendored
@ -126,16 +126,39 @@ jobs:
|
|||||||
if [ -n "$GLUE_ACCESS_TOKEN" ]; then HAS_GLUE_SECRET='true' ; fi
|
if [ -n "$GLUE_ACCESS_TOKEN" ]; then HAS_GLUE_SECRET='true' ; fi
|
||||||
echo HAS_GLUE_SECRET=${HAS_GLUE_SECRET} >> "$GITHUB_OUTPUT"
|
echo HAS_GLUE_SECRET=${HAS_GLUE_SECRET} >> "$GITHUB_OUTPUT"
|
||||||
env:
|
env:
|
||||||
SIGNING_SECRET: "${{ secrets.WIN_CODE_SIGN_CERT }}"
|
SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"
|
||||||
AWS_SECRET: "${{ secrets.INSTALLER_UPLOAD_KEY }}"
|
AWS_SECRET: "${{ secrets.INSTALLER_UPLOAD_KEY }}"
|
||||||
GLUE_ACCESS_TOKEN: "${{ secrets.GLUE_ACCESS_TOKEN }}"
|
GLUE_ACCESS_TOKEN: "${{ secrets.GLUE_ACCESS_TOKEN }}"
|
||||||
|
|
||||||
- name: Decode code signing cert into an encrypted file
|
- name: Setup Certificate
|
||||||
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||||
uses: kitek/decode-base64-into-file-action@1.0
|
shell: bash
|
||||||
with:
|
run: |
|
||||||
encoded-value: ${{ secrets.WIN_CODE_SIGN_CERT }}
|
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
|
||||||
destination-file: .\win_code_sign_cert.p12
|
|
||||||
|
- name: Set signing variables
|
||||||
|
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
|
||||||
|
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
|
||||||
|
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
|
||||||
|
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
|
||||||
|
|
||||||
|
- name: Setup SSM KSP on windows latest
|
||||||
|
if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
|
||||||
|
shell: cmd
|
||||||
|
run: |
|
||||||
|
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
|
||||||
|
msiexec /i smtools-windows-x64.msi /quiet /qn
|
||||||
|
smksp_registrar.exe list
|
||||||
|
smctl.exe keypair ls
|
||||||
|
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
|
||||||
|
smksp_cert_sync.exe
|
||||||
|
|
||||||
# Create our own venv outside of the git directory JUST for getting the ACTUAL version so that install can't break it
|
# Create our own venv outside of the git directory JUST for getting the ACTUAL version so that install can't break it
|
||||||
- name: Get version number
|
- name: Get version number
|
||||||
@ -230,8 +253,7 @@ jobs:
|
|||||||
- name: Build Windows installer
|
- name: Build Windows installer
|
||||||
env:
|
env:
|
||||||
CHIA_INSTALLER_VERSION: ${{ steps.version_number.outputs.CHIA_INSTALLER_VERSION }}
|
CHIA_INSTALLER_VERSION: ${{ steps.version_number.outputs.CHIA_INSTALLER_VERSION }}
|
||||||
HAS_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
|
HAS_SIGNING_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
|
||||||
CSC_KEY_PASSWORD: ${{ secrets.WIN_CODE_SIGN_PASS }}
|
|
||||||
run: |
|
run: |
|
||||||
$env:path="C:\Program` Files` (x86)\Microsoft` Visual` Studio\2019\Enterprise\SDK\ScopeCppSDK\vc15\VC\bin\;$env:path"
|
$env:path="C:\Program` Files` (x86)\Microsoft` Visual` Studio\2019\Enterprise\SDK\ScopeCppSDK\vc15\VC\bin\;$env:path"
|
||||||
$env:path="C:\Program` Files` (x86)\Windows` Kits\10\App` Certification` Kit;$env:path"
|
$env:path="C:\Program` Files` (x86)\Windows` Kits\10\App` Certification` Kit;$env:path"
|
||||||
|
@ -38,9 +38,6 @@ npm ci
|
|||||||
$Env:Path = $(npm bin) + ";" + $Env:Path
|
$Env:Path = $(npm bin) + ";" + $Env:Path
|
||||||
|
|
||||||
Set-Location -Path "..\..\" -PassThru
|
Set-Location -Path "..\..\" -PassThru
|
||||||
If ($env:HAS_SECRET) {
|
|
||||||
$env:CSC_LINK = Join-Path "." "win_code_sign_cert.p12" -Resolve
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Output " ---"
|
Write-Output " ---"
|
||||||
Write-Output "Prepare Electron packager"
|
Write-Output "Prepare Electron packager"
|
||||||
@ -76,12 +73,15 @@ electron-builder build --win --x64 --config.productName="Chia"
|
|||||||
Get-ChildItem dist\win-unpacked\resources
|
Get-ChildItem dist\win-unpacked\resources
|
||||||
Write-Output " ---"
|
Write-Output " ---"
|
||||||
|
|
||||||
If ($env:HAS_SECRET) {
|
If ($env:HAS_SIGNING_SECRET) {
|
||||||
|
Write-Output " ---"
|
||||||
|
Write-Output "Sign App"
|
||||||
|
signtool.exe sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\dist\ChiaSetup-$packageVersion.exe
|
||||||
Write-Output " ---"
|
Write-Output " ---"
|
||||||
Write-Output "Verify signature"
|
Write-Output "Verify signature"
|
||||||
Write-Output " ---"
|
Write-Output " ---"
|
||||||
signtool.exe verify /v /pa .\dist\ChiaSetup-$packageVersion.exe
|
signtool.exe verify /v /pa .\dist\ChiaSetup-$packageVersion.exe
|
||||||
} Else {
|
} Else {
|
||||||
Write-Output "Skipping verify signatures - no authorization to install certificates"
|
Write-Output "Skipping verify signatures - no authorization to install certificates"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user