Change: [CI] Use Azure Code Signing for Windows build
parent
3a3d8f3b53
commit
d4a6ee9554
|
@ -100,21 +100,6 @@ jobs:
|
||||||
with:
|
with:
|
||||||
arch: ${{ matrix.host }}
|
arch: ${{ matrix.host }}
|
||||||
|
|
||||||
- name: Import code signing certificate
|
|
||||||
shell: powershell
|
|
||||||
# If this is run on a fork, there may not be a certificate set up - continue in this case
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
|
||||||
$tempFile = [System.IO.Path]::GetTempFileName()
|
|
||||||
$bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12)
|
|
||||||
[IO.File]::WriteAllBytes($tempFile, $bytes)
|
|
||||||
$pwd = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
|
|
||||||
Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $pwd
|
|
||||||
Remove-Item $tempFile
|
|
||||||
env:
|
|
||||||
WINDOWS_CERTIFICATE_P12: ${{ secrets.WINDOWS_CERTIFICATE_P12 }}
|
|
||||||
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
|
||||||
|
|
||||||
- name: Build (with installer)
|
- name: Build (with installer)
|
||||||
if: inputs.is_tag == 'true'
|
if: inputs.is_tag == 'true'
|
||||||
shell: bash
|
shell: bash
|
||||||
|
@ -131,7 +116,6 @@ jobs:
|
||||||
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
||||||
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
||||||
-DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \
|
-DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \
|
||||||
-DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
|
|
||||||
# EOF
|
# EOF
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
@ -139,7 +123,12 @@ jobs:
|
||||||
cmake --build . --target openttd
|
cmake --build . --target openttd
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
env:
|
env:
|
||||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
|
||||||
|
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
|
||||||
|
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
|
||||||
|
AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }}
|
||||||
|
AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }}
|
||||||
|
AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }}
|
||||||
|
|
||||||
- name: Build (without installer)
|
- name: Build (without installer)
|
||||||
if: inputs.is_tag != 'true'
|
if: inputs.is_tag != 'true'
|
||||||
|
@ -156,7 +145,6 @@ jobs:
|
||||||
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
|
||||||
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
|
||||||
-DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \
|
-DOPTION_SURVEY_KEY=${{ inputs.survey_key }} \
|
||||||
-DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
|
|
||||||
# EOF
|
# EOF
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
@ -164,7 +152,12 @@ jobs:
|
||||||
cmake --build . --target openttd
|
cmake --build . --target openttd
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
env:
|
env:
|
||||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
|
||||||
|
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
|
||||||
|
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
|
||||||
|
AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }}
|
||||||
|
AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }}
|
||||||
|
AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }}
|
||||||
|
|
||||||
- name: Create breakpad symbols
|
- name: Create breakpad symbols
|
||||||
shell: bash
|
shell: bash
|
||||||
|
@ -198,13 +191,15 @@ jobs:
|
||||||
- name: Sign installer
|
- name: Sign installer
|
||||||
if: inputs.is_tag == 'true'
|
if: inputs.is_tag == 'true'
|
||||||
shell: bash
|
shell: bash
|
||||||
# If this is run on a fork, there may not be a certificate set up - continue in this case
|
|
||||||
continue-on-error: true
|
|
||||||
run: |
|
run: |
|
||||||
cd ${GITHUB_WORKSPACE}/build/bundles
|
${GITHUB_WORKSPACE}/os/windows/sign.bat "${GITHUB_WORKSPACE}/build/bundles"
|
||||||
../../os/windows/sign.bat *.exe "${WINDOWS_CERTIFICATE_COMMON_NAME}"
|
|
||||||
env:
|
env:
|
||||||
WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
|
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
|
||||||
|
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
|
||||||
|
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
|
||||||
|
AZURE_CODESIGN_ACCOUNT_NAME: ${{ secrets.AZURE_CODESIGN_ACCOUNT_NAME }}
|
||||||
|
AZURE_CODESIGN_ENDPOINT: ${{ secrets.AZURE_CODESIGN_ENDPOINT }}
|
||||||
|
AZURE_CODESIGN_PROFILE_NAME: ${{ secrets.AZURE_CODESIGN_PROFILE_NAME }}
|
||||||
|
|
||||||
- name: Store bundles
|
- name: Store bundles
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
|
|
|
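Review bot: `AZURE_CLIENT_SECRET` is a long-lived service-principal credential exported to the whole `run:` block of both build steps (hunks `@ -139` and `@ -164`) and of `Sign installer`, so every process launched during configure, build and signing can read it, not only the signing script. Because the CMake POST_BUILD hook picks these variables up from the build environment this is hard to narrow right now, but the first `AZURE_CLIENT_SECRET:` line deserves a comment saying so, e.g. `# consumed by os/windows/sign_azure.ps1 through the CMake POST_BUILD step; rotate together with the other AZURE_* secrets`. Longer term a federated (OIDC) identity obtained through `azure/login` would avoid storing a client secret at all, provided the AzureCodeSigning module can use that login context — that cannot be confirmed from this page.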
@ -172,10 +172,10 @@ elseif(WIN32)
|
||||||
|
|
||||||
set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}")
|
set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}")
|
||||||
|
|
||||||
if(WINDOWS_CERTIFICATE_COMMON_NAME)
|
if(DEFINED ENV{AZURE_CODESIGN_PROFILE_NAME})
|
||||||
add_custom_command(TARGET openttd
|
add_custom_command(TARGET openttd
|
||||||
POST_BUILD
|
POST_BUILD
|
||||||
COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "$<TARGET_FILE:openttd>" "${WINDOWS_CERTIFICATE_COMMON_NAME}"
|
COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "${BINARY_DESTINATION_DIR}"
|
||||||
)
|
)
|
||||||
endif()
|
endif()
|
||||||
elseif(UNIX)
|
elseif(UNIX)
|
||||||
|
|
|
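Review bot: The POST_BUILD command now passes `${BINARY_DESTINATION_DIR}` to sign.bat, and the new script signs every `.exe` it finds there (`FilesFolderFilter = "exe"`), so the signature is no longer tied to `$<TARGET_FILE:openttd>` — any other executable that lands in that directory before this step runs is signed with the project's certificate too. If the directory only ever holds the openttd binary that is harmless, but the assumption should be stated next to the command, e.g. `# sign.bat signs every .exe under BINARY_DESTINATION_DIR, not only $<TARGET_FILE:openttd>`. Note also that `if(DEFINED ENV{AZURE_CODESIGN_PROFILE_NAME})` is evaluated when CMake configures, so the hook is included or omitted based on the environment of the configure run rather than the one present at `cmake --build` time; the workflow sets the variable on the step that runs both, which keeps them consistent here.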
@ -1,18 +1,2 @@
|
||||||
@echo off
|
@echo off
|
||||||
REM Signing script
|
pwsh -File "%~dp0sign_azure.ps1" %1
|
||||||
REM Arguments: sign.bat exe_to_sign certificate_subject_name
|
|
||||||
|
|
||||||
REM This is a loose wrapper around the Microsoft signtool application (included in the Windows SDK).
|
|
||||||
REM See https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe for more details.
|
|
||||||
|
|
||||||
REM Path to signtool.exe
|
|
||||||
IF NOT DEFINED SIGNTOOL_PATH (SET SIGNTOOL_PATH=signtool)
|
|
||||||
|
|
||||||
REM URL of the timestamp server
|
|
||||||
IF NOT DEFINED SIGNTOOL_TIMESTAMP_URL (SET SIGNTOOL_TIMESTAMP_URL=http://timestamp.digicert.com)
|
|
||||||
|
|
||||||
REM Sign with SHA-1 for Windows 7 and below
|
|
||||||
"%SIGNTOOL_PATH%" sign -v -n %2 -t %SIGNTOOL_TIMESTAMP_URL% -fd sha1 %1
|
|
||||||
|
|
||||||
REM Sign with SHA-256 for Windows 8 and above
|
|
||||||
"%SIGNTOOL_PATH%" sign -v -n %2 -tr %SIGNTOOL_TIMESTAMP_URL% -fd sha256 -td sha256 -as %1
|
|
||||||
|
|
|
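Review bot: `%1` on the `pwsh` line is forwarded exactly as the caller wrote it, so a folder path containing spaces survives only while every caller quotes it (both callers on this page do); `pwsh -File "%~dp0sign_azure.ps1" "%~1"` keeps the wrapper safe however it is invoked. The exit status also deserves a line: nothing here explicitly turns a failing `pwsh` run into a batch error, so ending the file with `exit /b %ERRORLEVEL%` makes the result visible to callers such as the CMake POST_BUILD step and the `Sign installer` workflow step without relying on cmd's end-of-script behaviour.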
@ -0,0 +1,40 @@
|
||||||
|
# Signing script for Azure Code Signing
|
||||||
|
# Arguments: sign_azure.ps1 path_to_sign
|
||||||
|
#
|
||||||
|
# Environment variables must be set up before use:
|
||||||
|
#
|
||||||
|
# AZURE_TENANT_ID
|
||||||
|
# AZURE_CLIENT_ID
|
||||||
|
# AZURE_CLIENT_SECRET
|
||||||
|
# AZURE_CODESIGN_ACCOUNT_NAME
|
||||||
|
# AZURE_CODESIGN_ENDPOINT
|
||||||
|
# AZURE_CODESIGN_PROFILE_NAME
|
||||||
|
|
||||||
|
Param
|
||||||
|
(
|
||||||
|
# Files folder
|
||||||
|
[Parameter(Mandatory=$true, Position=0)]
|
||||||
|
$FilesFolder
|
||||||
|
)
|
||||||
|
|
||||||
|
if (!$Env:AZURE_CODESIGN_ENDPOINT -or !$Env:AZURE_CODESIGN_ACCOUNT_NAME -or !$Env:AZURE_CODESIGN_PROFILE_NAME -or
|
||||||
|
!$Env:AZURE_TENANT_ID -or !$Env:AZURE_CLIENT_ID -or !$Env:AZURE_CLIENT_SECRET)
|
||||||
|
{
|
||||||
|
"Code signing variables not found; most likely running in a fork. Skipping signing."
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
|
||||||
|
Install-Module -Name AzureCodeSigning -Scope CurrentUser -RequiredVersion 0.3.0 -Force -Repository PSGallery
|
||||||
|
|
||||||
|
$params = @{}
|
||||||
|
|
||||||
|
$params["Endpoint"] = $Env:AZURE_CODESIGN_ENDPOINT
|
||||||
|
$params["CodeSigningAccountName"] = $Env:AZURE_CODESIGN_ACCOUNT_NAME
|
||||||
|
$params["CertificateProfileName"] = $Env:AZURE_CODESIGN_PROFILE_NAME
|
||||||
|
$params["FilesFolder"] = $FilesFolder
|
||||||
|
$params["FilesFolderFilter"] = "exe"
|
||||||
|
$params["FileDigest"] = "SHA256"
|
||||||
|
$params["TimestampRfc3161"] = "http://timestamp.acs.microsoft.com"
|
||||||
|
$params["TimestampDigest"] = "SHA256"
|
||||||
|
|
||||||
|
Invoke-AzureCodeSigning @params
|
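Review bot: A failure inside `Install-Module` or `Invoke-AzureCodeSigning` does not stop this script, because nothing sets the error preference and neither call's outcome is checked, so the callers (sign.bat from the CMake POST_BUILD hook and from the `Sign installer` step) would continue and an unsigned exe could reach `Store bundles`. Adding `$ErrorActionPreference = "Stop"` before the `Install-Module` line turns either failure into a terminating error and a non-zero `pwsh -File` exit. Separately, the guard at the top exits successfully when any one of the six variables is missing, which is right for a fork but also hides a partially misconfigured secret set on the main repository; consider treating "some but not all set" as an error and only "none set" as the fork case. The `-RequiredVersion 0.3.0` pin is good; `Install-Module` has no parameter for a content hash, so that is as far as pinning goes without vendoring the module.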