mirror of https://github.com/OpenTTD/OpenTTD.git
Feature: Sign Windows builds
This commit is contained in:
parent
c96945fa2b
commit
3ce7e31f64
|
@ -746,6 +746,21 @@ jobs:
|
|||
with:
|
||||
arch: ${{ matrix.host }}
|
||||
|
||||
- name: Import code signing certificate
|
||||
shell: powershell
|
||||
# If this is run on a fork, there may not be a certificate set up - continue in this case
|
||||
continue-on-error: true
|
||||
run: |
|
||||
$tempFile = [System.IO.Path]::GetTempFileName()
|
||||
$bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12)
|
||||
[IO.File]::WriteAllBytes($tempFile, $bytes)
|
||||
$pwd = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
|
||||
Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $pwd
|
||||
Remove-Item $tempFile
|
||||
env:
|
||||
WINDOWS_CERTIFICATE_P12: ${{ secrets.WINDOWS_CERTIFICATE_P12 }}
|
||||
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
|
||||
- name: Build (with installer)
|
||||
if: needs.source.outputs.is_tag == 'true'
|
||||
shell: bash
|
||||
|
@ -761,12 +776,15 @@ jobs:
|
|||
-DOPTION_USE_NSIS=ON \
|
||||
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
||||
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
||||
-DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
|
||||
# EOF
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Build"
|
||||
cmake --build .
|
||||
echo "::endgroup::"
|
||||
env:
|
||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
||||
|
||||
- name: Build (without installer)
|
||||
if: needs.source.outputs.is_tag != 'true'
|
||||
|
@ -782,12 +800,15 @@ jobs:
|
|||
-DCMAKE_TOOLCHAIN_FILE="c:\vcpkg\scripts\buildsystems\vcpkg.cmake" \
|
||||
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
||||
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
||||
-DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
|
||||
# EOF
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Build"
|
||||
cmake --build .
|
||||
echo "::endgroup::"
|
||||
env:
|
||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
||||
|
||||
- name: Create bundles
|
||||
shell: bash
|
||||
|
@ -809,6 +830,17 @@ jobs:
|
|||
rm -f bundles/*.sha256
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Sign installer
|
||||
if: needs.source.outputs.is_tag == 'true'
|
||||
shell: bash
|
||||
# If this is run on a fork, there may not be a certificate set up - continue in this case
|
||||
continue-on-error: true
|
||||
run: |
|
||||
cd ${GITHUB_WORKSPACE}/build/bundles
|
||||
../../os/windows/sign.bat *.exe "${WINDOWS_CERTIFICATE_COMMON_NAME}"
|
||||
env:
|
||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
||||
|
||||
- name: Store bundles
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
|
|
|
@ -138,6 +138,13 @@ elseif(WIN32)
|
|||
endif()
|
||||
|
||||
set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}")
|
||||
|
||||
if(WINDOWS_CERTIFICATE_COMMON_NAME)
|
||||
add_custom_command(TARGET openttd
|
||||
POST_BUILD
|
||||
COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "$<TARGET_FILE:openttd>" "${WINDOWS_CERTIFICATE_COMMON_NAME}"
|
||||
)
|
||||
endif()
|
||||
elseif(UNIX)
|
||||
# With FHS, we can create deb/rpm/... Without it, they would be horribly broken
|
||||
# and not work. The other way around is also true; with FHS they are not
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
@echo off
|
||||
REM Signing script
|
||||
REM Arguments: sign.bat exe_to_sign certificate_subject_name
|
||||
|
||||
REM This is a loose wrapper around the Microsoft signtool application (included in the Windows SDK).
|
||||
REM See https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe for more details.
|
||||
|
||||
REM Path to signtool.exe
|
||||
IF NOT DEFINED SIGNTOOL_PATH (SET SIGNTOOL_PATH=signtool)
|
||||
|
||||
REM URL of the timestamp server
|
||||
IF NOT DEFINED SIGNTOOL_TIMESTAMP_URL (SET SIGNTOOL_TIMESTAMP_URL=http://timestamp.digicert.com)
|
||||
|
||||
REM Sign with SHA-1 for Windows 7 and below
|
||||
"%SIGNTOOL_PATH%" sign -v -n %2 -t %SIGNTOOL_TIMESTAMP_URL% %1
|
||||
|
||||
REM Sign with SHA-256 for Windows 8 and above
|
||||
"%SIGNTOOL_PATH%" sign -v -n %2 -tr %SIGNTOOL_TIMESTAMP_URL% -fd sha256 -td sha256 -as %1
|
Loading…
Reference in New Issue