From 73a621fdaed4d923a37c6577d1b8c3a24c5b0ebd Mon Sep 17 00:00:00 2001
From: Hiroshiba <hihokaruta@gmail.com>
Date: Mon, 4 Jul 2022 16:49:32 +0900
Subject: [PATCH] =?UTF-8?q?=E3=82=B3=E3=83=BC=E3=83=89=E7=BD=B2=E5=90=8D?=
 =?UTF-8?q?=E3=81=A7=E3=81=8D=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB=E3=81=99?=
 =?UTF-8?q?=E3=82=8B=20(#164)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* コード署名

* build_util

* artifact/

* a

* remove
---
 .github/workflows/build.yml | 13 ++++++++++
 build_util/codesign.bash    | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 build_util/codesign.bash

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eedf68621..e3bb8f02a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,9 @@ on:
       version:
         description: "バージョン情報（A.BB.C / A.BB.C-preview.D）"
         required: true
+      code_signing:
+        description: "コード署名する"
+        type: boolean
 
 env:
   # releaseタグ名か、workflow_dispatchでのバージョン名か、DEBUGが入る
@@ -24,6 +27,7 @@ env:
 
 jobs:
   build-cpp-shared:
+    environment: ${{ github.event.inputs.code_signing && 'code_signing' }} # コード署名用のenvironment
     strategy:
       fail-fast: false
       matrix:
@@ -281,6 +285,15 @@ jobs:
 
           cp README.md "artifact/${{ env.ASSET_NAME }}/README.txt"
 
+      - name: Code signing (Windows)
+        if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
+        shell: bash
+        run: |
+          bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/core.dll"
+        env:
+          CERT_BASE64: ${{ secrets.CERT_BASE64 }}
+          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+
       # Upload
       - name: Upload artifact
         uses: actions/upload-artifact@v2
diff --git a/build_util/codesign.bash b/build_util/codesign.bash
new file mode 100644
index 000000000..72ea0f5b5
--- /dev/null
+++ b/build_util/codesign.bash
@@ -0,0 +1,49 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+set -eu
+
+if [ -v "${CERT_BASE64}" ]; then
+    echo "CERT_BASE64が未定義です"
+    exit 1
+fi
+if [ -v "${CERT_PASSWORD}" ]; then
+    echo "CERT_PASSWORDが未定義です"
+    exit 1
+fi
+
+if [ $# -ne 1 ]; then
+    echo "引数の数が一致しません"
+    exit 1
+fi
+target_file_glob="$1"
+
+# 証明書
+CERT_PATH=cert.pfx
+echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH
+
+# 指定ファイルに署名する
+function codesign() {
+    TARGET="$1"
+    SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+    powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'"
+}
+
+# 指定ファイルが署名されているか
+function is_signed() {
+    TARGET="$1"
+    SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+    powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1
+}
+
+# 署名されていなければ署名
+ls $target_file_glob | while read target_file; do
+    if is_signed "$target_file"; then
+        echo "署名済み: $target_file"
+    else
+        echo "署名: $target_file"
+        codesign "$target_file"
+    fi
+done
+
+# 証明書を消去
+rm $CERT_PATH