Update codesign logic to be promptless + update deploy flow for new e…

…nv & win-signing
WootingKb · Oct 21, 2024 · a01c802 · a01c802
1 parent 3932ba2
commit a01c802
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 20 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -16,8 +16,8 @@ jobs:
             target: aarch64-apple-darwin
           - os: ubuntu-latest
             target: x86_64-unknown-linux-gnu
-          # - os: windows-2019
-          #   target: x86_64-pc-windows-msvc
+          - os: win-signing
+            target: x86_64-pc-windows-msvc
 
     runs-on: ${{ matrix.os }}
 
@@ -45,15 +45,25 @@ jobs:
           sharedKey: ${{ matrix.target }}
       - name: Run deploy script
         shell: bash
+        # Signing key env is required for signing dll's on windows
+        env:
+          TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+          CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+          CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+          READER: ${{secrets.WIN_EV_CSC_READER}}
+          PASS: ${{secrets.WIN_EV_CSC_PASS}}
+          CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
         run: sh ci/before_deploy.sh
       - name: Build Windows Installer
         shell: bash
-        env:
-          WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
-          WIN_CSC_DESC: ${{ secrets.WIN_CSC_DESC }}
-          WIN_CSC_SUBJECTNAME: ${{ secrets.WIN_CSC_SUBJECTNAME }}
         if: runner.os == 'Windows'
+        env:
+          TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+          CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+          CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+          READER: ${{secrets.WIN_EV_CSC_READER}}
+          PASS: ${{secrets.WIN_EV_CSC_PASS}}
+          CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
         run: cargo make --cwd wooting-analog-sdk sign-win-installer -- --target $TARGET
       - name: Build debian package
         if: startsWith(matrix.os, 'ubuntu')

diff --git a/ci/codesign.ps1 b/ci/codesign.ps1
@@ -11,13 +11,8 @@ $PREV_PATH = $env:PATH
 
 $env:PATH += ";C:/Program Files (x86)/Windows Kits/10/bin/$WINDOWS_SDK_VER/x64/"
 
-# $Password = ConvertTo-SecureString -String $Env:WIN_CSC_KEY_PASSWORD -AsPlainText -Force
-# Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
-
 # Passing in $args allows the caller to specify multiple files to be signed at once
-signtool.exe sign /tr $env:TimestampServer /td sha256 /fd sha256 /n $Env:WIN_CSC_SUBJECTNAME $args
+signtool.exe sign /fd sha256 /td sha256 /tr ${Env:TIMESTAMP}?td=sha256 /f $Env:CERT_FILE /csp "$Env:CRYPT_PROVIDER" /kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}" $args
 signtool.exe verify /pa $args
-# Start-Process -NoNewWindow -Wait 'signtool.exe' -ArgumentList "sign /tr `"$env:TimestampServer`" /td sha256 /fd sha256 /n `"$Env:WIN_CSC_SUBJECTNAME`" `"$File`""
-# Start-Process -NoNewWindow -Wait 'signtool.exe' -ArgumentList "verify /pa `"$File`""
 
-$env:PATH = $PREV_PATH
+$env:PATH = $PREV_PATH
diff --git a/ci/codesign.sh b/ci/codesign.sh
@@ -3,15 +3,10 @@ if [ $RUNNER_OS = Windows ]; then
   set -e
 
   export PATH="C:\Program Files (x86)\Windows Kits\10\bin\x64":$PATH
-  # TODO: Dynamic installer filename
-  #export BINARY_FILE="target/wix/wooting_analog_sdk-0.1.0-x86_64.msi"
 
-#  choco install -y windows-sdk-10.0
-
-  # curl -v -L "$WIN_CSC_LINK" --output cert.pfx
 
   powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
   powershell Get-ExecutionPolicy -List
 
   powershell $GITHUB_WORKSPACE/ci/codesign.ps1 $WIN_INSTALLER_PATH
-fi
+fi