コード署名できるようにする (#164)
* コード署名

* build_util

* artifact/

* a

* remove
Hiroshiba authored Jul 4, 2022
1 parent c47d055 commit 73a621f
Showing 2 changed files with 62 additions and 0 deletions.
13 changes: 13 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -13,6 +13,9 @@ on:
version:
description: "バージョン情報(A.BB.C / A.BB.C-preview.D)"
required: true
code_signing:
description: "コード署名する"
type: boolean

env:
# releaseタグ名か、workflow_dispatchでのバージョン名か、DEBUGが入る
Expand All @@ -24,6 +27,7 @@ env:

jobs:
build-cpp-shared:
environment: ${{ github.event.inputs.code_signing && 'code_signing' }} # コード署名用のenvironment
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -281,6 +285,15 @@ jobs:
cp README.md "artifact/${{ env.ASSET_NAME }}/README.txt"
- name: Code signing (Windows)
if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
shell: bash
run: |
bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/core.dll"
env:
CERT_BASE64: ${{ secrets.CERT_BASE64 }}
CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}

# Upload
- name: Upload artifact
uses: actions/upload-artifact@v2
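Review bot: The `environment:` expression added to the `build-cpp-shared` job keys off `github.event.inputs.code_signing`, and as far as I recall every value in `github.event.inputs` is a string even for a `type: boolean` input, so a manual dispatch with the box unticked yields the truthy string `'false'` and still selects the `code_signing` environment; the `if:` of the new "Code signing (Windows)" step in the third hunk uses the same condition and would run signtool without a certificate available. Comparing against the string keeps the intent unambiguous: `environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' || '' }}` and `if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing == 'true'`; on a release event the input is absent and both still evaluate false. The third hunk is cut off below the upload step, so the remainder of that job is outside this view.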
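--- /dev/null
+++ b/build_util/codesign.bash
@@ -0,0 +1,49 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+set -eu
+
+if [ -v "${CERT_BASE64}" ]; then
+echo "CERT_BASE64が未定義です"
+exit 1
+fi
+if [ -v "${CERT_PASSWORD}" ]; then
+echo "CERT_PASSWORDが未定義です"
+exit 1
+fi
+
+if [ $# -ne 1 ]; then
+echo "引数の数が一致しません"
+exit 1
+fi
+target_file_glob="$1"
+
+# 証明書
+CERT_PATH=cert.pfx
+echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH
+
+# 指定ファイルに署名する
+function codesign() {
+TARGET="$1"
+SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'"
+}
+
+# 指定ファイルが署名されているか
+function is_signed() {
+TARGET="$1"
+SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1
+}
+
+# 署名されていなければ署名
+ls $target_file_glob | while read target_file; do
+if is_signed "$target_file"; then
+echo "署名済み: $target_file"
+else
+echo "署名: $target_file"
+codesign "$target_file"
+fi
+done
+
+# 証明書を消去
+rm $CERT_PATH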
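Review bot: The two guard checks at the top of the script do not detect a missing secret: `test -v` expects a variable name, but they pass the expanded value, so with `set -u` an unset `CERT_BASE64` aborts with bash's own "unbound variable" error before the message is reached, and a set one makes `[ -v "<certificate text>" ]` false so the branch is skipped. The intended check is `if [ -z "${CERT_BASE64:-}" ]; then` (and likewise for `CERT_PASSWORD`), which also rejects an empty secret before it is decoded into `cert.pfx`. Because `set -e` is active, any failing `signtool` call ends the script before the final `rm $CERT_PATH`, leaving the decoded certificate on the runner's disk; a `trap 'rm -f -- "$CERT_PATH"' EXIT` placed right after the `base64 -d` line removes it on every exit path. Inside the powershell command string `$CERT_PASSWORD` is expanded unquoted, so a password containing spaces or PowerShell metacharacters is split or interpreted rather than handed to `/p` as one argument; wrapping it like the target, `/p '$CERT_PASSWORD'`, is the minimal fix (a literal single quote in the value would still need doubling).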
