diff options
-rw-r--r-- | .github/workflows/release.yml | 32 | ||||
-rw-r--r-- | cmake/InstallAndPackage.cmake | 7 | ||||
-rw-r--r-- | os/windows/sign.bat | 18 |
3 files changed, 57 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 894e9b9eb..447b165f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -746,6 +746,21 @@ jobs: with: arch: ${{ matrix.host }} + - name: Import code signing certificate + shell: powershell + # If this is run on a fork, there may not be a certificate set up - continue in this case + continue-on-error: true + run: | + $tempFile = [System.IO.Path]::GetTempFileName() + $bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12) + [IO.File]::WriteAllBytes($tempFile, $bytes) + $pwd = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force + Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $pwd + Remove-Item $tempFile + env: + WINDOWS_CERTIFICATE_P12: ${{ secrets.WINDOWS_CERTIFICATE_P12 }} + WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }} + - name: Build (with installer) if: needs.source.outputs.is_tag == 'true' shell: bash @@ -761,12 +776,15 @@ jobs: -DOPTION_USE_NSIS=ON \ -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \ # EOF echo "::endgroup::" echo "::group::Build" cmake --build . echo "::endgroup::" + env: + WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} - name: Build (without installer) if: needs.source.outputs.is_tag != 'true' @@ -782,12 +800,15 @@ jobs: -DCMAKE_TOOLCHAIN_FILE="c:\vcpkg\scripts\buildsystems\vcpkg.cmake" \ -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \ # EOF echo "::endgroup::" echo "::group::Build" cmake --build . echo "::endgroup::" + env: + WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} - name: Create bundles shell: bash @@ -809,6 +830,17 @@ jobs: rm -f bundles/*.sha256 echo "::endgroup::" + - name: Sign installer + if: needs.source.outputs.is_tag == 'true' + shell: bash + # If this is run on a fork, there may not be a certificate set up - continue in this case + continue-on-error: true + run: | + cd ${GITHUB_WORKSPACE}/build/bundles + ../../os/windows/sign.bat *.exe "${WINDOWS_CERTIFICATE_COMMON_NAME}" + env: + WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }} + - name: Store bundles uses: actions/upload-artifact@v2 with: diff --git a/cmake/InstallAndPackage.cmake b/cmake/InstallAndPackage.cmake index 9b7d65788..057f0934f 100644 --- a/cmake/InstallAndPackage.cmake +++ b/cmake/InstallAndPackage.cmake @@ -138,6 +138,13 @@ elseif(WIN32) endif() set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}") + + if(WINDOWS_CERTIFICATE_COMMON_NAME) + add_custom_command(TARGET openttd + POST_BUILD + COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "$<TARGET_FILE:openttd>" "${WINDOWS_CERTIFICATE_COMMON_NAME}" + ) + endif() elseif(UNIX) # With FHS, we can create deb/rpm/... Without it, they would be horribly broken # and not work. The other way around is also true; with FHS they are not diff --git a/os/windows/sign.bat b/os/windows/sign.bat new file mode 100644 index 000000000..0e4291f9b --- /dev/null +++ b/os/windows/sign.bat @@ -0,0 +1,18 @@ +@echo off +REM Signing script +REM Arguments: sign.bat exe_to_sign certificate_subject_name + +REM This is a loose wrapper around the Microsoft signtool application (included in the Windows SDK). +REM See https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe for more details. + +REM Path to signtool.exe +IF NOT DEFINED SIGNTOOL_PATH (SET SIGNTOOL_PATH=signtool) + +REM URL of the timestamp server +IF NOT DEFINED SIGNTOOL_TIMESTAMP_URL (SET SIGNTOOL_TIMESTAMP_URL=http://timestamp.digicert.com) + +REM Sign with SHA-1 for Windows 7 and below +"%SIGNTOOL_PATH%" sign -v -n %2 -t %SIGNTOOL_TIMESTAMP_URL% %1 + +REM Sign with SHA-256 for Windows 8 and above +"%SIGNTOOL_PATH%" sign -v -n %2 -tr %SIGNTOOL_TIMESTAMP_URL% -fd sha256 -td sha256 -as %1 |