diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 3b5c4e2..ecd3d8a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -16,8 +16,8 @@ jobs:
 target: aarch64-apple-darwin
 - os: ubuntu-latest
 target: x86_64-unknown-linux-gnu
- # - os: windows-2019
- # target: x86_64-pc-windows-msvc
+ - os: win-signing
+ target: x86_64-pc-windows-msvc
 runs-on: ${{ matrix.os }}
@@ -45,15 +45,25 @@ jobs:
 sharedKey: ${{ matrix.target }}
 - name: Run deploy script
 shell: bash
+ # Signing key env is required for signing dll's on windows
+ env:
+ TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+ CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+ CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+ READER: ${{secrets.WIN_EV_CSC_READER}}
+ PASS: ${{secrets.WIN_EV_CSC_PASS}}
+ CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
 run: sh ci/before_deploy.sh
 - name: Build Windows Installer
 shell: bash
- env:
- WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
- WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
- WIN_CSC_DESC: ${{ secrets.WIN_CSC_DESC }}
- WIN_CSC_SUBJECTNAME: ${{ secrets.WIN_CSC_SUBJECTNAME }}
 if: runner.os == 'Windows'
+ env:
+ TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+ CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+ CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+ READER: ${{secrets.WIN_EV_CSC_READER}}
+ PASS: ${{secrets.WIN_EV_CSC_PASS}}
+ CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
 run: cargo make --cwd wooting-analog-sdk sign-win-installer -- --target $TARGET
 - name: Build debian package
 if: startsWith(matrix.os, 'ubuntu')
diff --git a/ci/codesign.ps1 b/ci/codesign.ps1
index dfe787b..c2f6a0a 100644
--- a/ci/codesign.ps1
+++ b/ci/codesign.ps1
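Review bot: `win-signing` replaces the commented-out `windows-2019` image and reads as a self-hosted runner label, i.e. a machine that holds the EV signing token, and nothing in this hunk restricts which events may schedule a job onto it. The workflow's `on:` block and any job-level `if:` are outside the hunk, so I cannot tell whether pull_request runs reach it; if they can, a job-level guard such as `if: github.event_name != 'pull_request'` (or a tag-gated signing job) keeps untrusted refs off the signing host. A one-line comment above the matrix entry naming the runner as self-hosted and what it holds would also spare the next reader from guessing.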
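Review bot: The env block added to the `Run deploy script` step carries no `if: runner.os == 'Windows'`, unlike `Build Windows Installer`, so `PASS`, `READER` and `CONTAINER` are materialized in the environment of the macOS and Linux matrix runs that never sign anything. One way to keep the token PIN off non-Windows runners without a second step is to gate each value, e.g. `PASS: ${{ runner.os == 'Windows' && secrets.WIN_EV_CSC_PASS || '' }}`. The same six `TIMESTAMP`…`CONTAINER` lines are repeated verbatim in the installer step; since Actions does not expand YAML anchors, a short comment on each block naming the consumer (`ci/codesign.ps1` reads `$Env:TIMESTAMP` etc. in this diff; `before_deploy.sh` presumably reaches it via `ci/codesign.sh`) would help. Style: the new lines write `${{secrets.X}}` while the lines they replace used `${{ secrets.X }}`; pick one spacing for the file.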
@@ -11,13 +11,8 @@ $PREV_PATH = $env:PATH
 $env:PATH += ";C:/Program Files (x86)/Windows Kits/10/bin/$WINDOWS_SDK_VER/x64/"
-# $Password = ConvertTo-SecureString -String $Env:WIN_CSC_KEY_PASSWORD -AsPlainText -Force
-# Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
-
 # Passing in $args allows the caller to specify multiple files to be signed at once
-signtool.exe sign /tr $env:TimestampServer /td sha256 /fd sha256 /n $Env:WIN_CSC_SUBJECTNAME $args
+signtool.exe sign /fd sha256 /td sha256 /tr ${Env:TIMESTAMP}?td=sha256 /f $Env:CERT_FILE /csp "$Env:CRYPT_PROVIDER" /kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}" $args
 signtool.exe verify /pa $args
-# Start-Process -NoNewWindow -Wait 'signtool.exe' -ArgumentList "sign /tr `"$env:TimestampServer`" /td sha256 /fd sha256 /n `"$Env:WIN_CSC_SUBJECTNAME`" `"$File`""
-# Start-Process -NoNewWindow -Wait 'signtool.exe' -ArgumentList "verify /pa `"$File`""
-$env:PATH = $PREV_PATH
\ No newline at end of file
+$env:PATH = $PREV_PATH
diff --git a/ci/codesign.sh b/ci/codesign.sh
index 2498798..a3e7f8b 100644
--- a/ci/codesign.sh
+++ b/ci/codesign.sh
@@ -3,15 +3,10 @@ if [ $RUNNER_OS = Windows ]; then
 set -e
 export PATH="C:\Program Files (x86)\Windows Kits\10\bin\x64":$PATH
- # TODO: Dynamic installer filename
- #export BINARY_FILE="target/wix/wooting_analog_sdk-0.1.0-x86_64.msi"
- # choco install -y windows-sdk-10.0
-
- # curl -v -L "$WIN_CSC_LINK" --output cert.pfx
 powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
 powershell Get-ExecutionPolicy -List
 powershell $GITHUB_WORKSPACE/ci/codesign.ps1 $WIN_INSTALLER_PATH
-fi
\ No newline at end of file
+fi
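Review bot: The rewritten `signtool.exe sign` line has no exit-status check, and neither does the `signtool.exe verify /pa $args` that follows it: PowerShell does not stop on a non-zero exit from a native executable, so a failed signature lets the script fall through to `$env:PATH = $PREV_PATH` and exit 0, and the `set -e` in ci/codesign.sh that invokes this file would see success with an unsigned installer. Adding `if ($LASTEXITCODE -ne 0) { $env:PATH = $PREV_PATH; exit $LASTEXITCODE }` after each signtool call closes that gap. Separately, `/kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}"` puts the token PIN on the signtool command line, where it is visible to any local process that enumerates command lines and to PowerShell transcription, whereas GitHub's secret masking only covers the workflow log; if that exposure is accepted because the runner is dedicated to signing, a comment above the line saying so would document the decision. The top of the script (lines before `$PREV_PATH = $env:PATH`) is outside this hunk.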