feat(ci): add Windows codesigning

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
2023-02-14 11:10:29 +01:00 · 2023-02-14 11:10:29 +01:00 · 89c945ecc8
commit 89c945ecc8
parent c15962c6c1
3 changed files with 31 additions and 1 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -15,6 +15,12 @@ on:
      SPARKLE_ED25519_KEY:
        description: Private key for signing Sparkle updates
        required: false
+      WINDOWS_CODESIGN_CERT:
+        description: Certificate for signing Windows builds
+        required: false
+      WINDOWS_CODESIGN_PASSWORD:
+        description: Password for signing Windows builds
+        required: false
      CACHIX_AUTH_TOKEN:
        description: Private token for authenticating against Cachix cache
        required: false
@ -40,6 +46,7 @@ jobs:
          - os: windows-2022
            name: "Windows-MinGW-w64"
            msystem: clang64
+            vcvars_arch: 'amd64_x86'

          - os: windows-2022
            name: "Windows-MSVC-Legacy"
@ -225,7 +232,7 @@ jobs:
           cache: ${{ inputs.is_qt_cached }}

      - name: Install MSVC (Windows MSVC)
-        if: runner.os == 'Windows' && matrix.msystem == ''
+        if: runner.os == 'Windows'  # We want this for MinGW builds as well, as we need SignTool
        uses: ilammy/msvc-dev-cmd@v1
        with:
          vsversion: 2022
@ -377,6 +384,19 @@ jobs:
            Copy-Item D:/a/PrismLauncher/Qt/Tools/OpenSSL/Win_x86/bin/libssl-1_1.dll -Destination libssl-1_1.dll
          }

+      - name: Fetch codesign certificate (Windows)
+        if: runner.os == 'Windows'
+        shell: bash  # yes, we are not using MSYS2 or PowerShell here
+        run: |
+          echo '${{ secrets.WINDOWS_CODESIGN_CERT }}' | base64 --decode > codesign.pfx
+
+      - name: Sign executable (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          cd ${{ env.INSTALL_DIR }}
+          # We ship the exact same executable for portable and non-portable editions, so signing just once is fine
+          SignTool sign /fd sha256 /td sha256 /f ../codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com prismlauncher.exe
+
      - name: Package (Windows MinGW-w64, portable)
        if: runner.os == 'Windows' && matrix.msystem != ''
        shell: msys2 {0}
@ -396,6 +416,11 @@ jobs:
          cd ${{ env.INSTALL_DIR }}
          makensis -NOCD "${{ github.workspace }}/${{ env.BUILD_DIR }}/program_info/win_install.nsi"

+      - name: Sign installer (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          SignTool sign /fd sha256 /td sha256 /f codesign.pfx /p '${{ secrets.WINDOWS_CODESIGN_PASSWORD }}' /tr http://timestamp.digicert.com PrismLauncher-Setup.exe
+
      - name: Package (Linux)
        if: runner.os == 'Linux'
        run: |
--- a/.github/workflows/trigger_builds.yml
+++ b/.github/workflows/trigger_builds.yml
@ -31,4 +31,6 @@ jobs:
      is_qt_cached: true
    secrets:
      SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }}
+      WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }}
+      WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
--- a/.github/workflows/trigger_release.yml
+++ b/.github/workflows/trigger_release.yml
@ -15,6 +15,9 @@ jobs:
      is_qt_cached: false
    secrets:
      SPARKLE_ED25519_KEY: ${{ secrets.SPARKLE_ED25519_KEY }}
+      WINDOWS_CODESIGN_CERT: ${{ secrets.WINDOWS_CODESIGN_CERT }}
+      WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

  create_release:
    needs: build_release