@@ -467,15 +467,24 @@ jobs:
467467
468468 - name : " [Package] Sign Code"
469469 shell : pwsh
470- run : |
471- $SignCert = "build/bin/signcert.pfx"
472- [IO.File]::WriteAllBytes($SignCert, [Convert]::FromBase64String("${{ secrets.SIGNCERT }}"))
473- $FileList = Get-ChildItem -Path "build/bin/release" -Recurse -Include *.exe, *.dll | Where-Object { $_.Name -ne "D3DX9_43.dll" }
474- $signtool = (Get-ChildItem -Recurse "${ENV:ProgramFiles(x86)}\Windows Kits" -Filter signtool.exe | Where-Object { $_.FullName -notmatch 'arm' } | Sort-Object LastWriteTime | Select-Object -last 1).FullName
470+ env :
471+ KMS_KEY : projects/code-signing-rg/locations/global/keyRings/redkeys/cryptoKeys/rgkey/cryptoKeyVersions/1
472+ run : |
473+ $CertFile = "${{ github.workspace }}\build\bin\user.crt"
474+ $KeyFile = "${{ github.workspace }}\build\bin\gcp-sa.json"
475+ [IO.File]::WriteAllBytes($CertFile, [Convert]::FromBase64String("${{ secrets.SIGNING_CERT }}"))
476+ [IO.File]::WriteAllText($KeyFile, "${{ secrets.GCP_SA_KEY }}")
477+ $env:GOOGLE_APPLICATION_CREDENTIALS = $KeyFile
478+ $FileList = Get-ChildItem -Path "build/bin/release" -Recurse -Include *.exe, *.dll |
479+ Where-Object { $_.Name -ne "D3DX9_43.dll" }
480+ $signtool = (Get-ChildItem -Recurse "${ENV:ProgramFiles(x86)}\Windows Kits" -Filter signtool.exe |
481+ Where-Object { $_.FullName -notmatch 'arm' } | Sort-Object LastWriteTime | Select-Object -last 1).FullName
475482 ForEach ($file in $FileList) {
476- & $signtool sign /fd SHA256 /f "$SignCert" /p "${{ secrets.SIGNCERT_PASS }}" /t http://timestamp.digicert.com "$file" | Out-Null
483+ & $signtool sign /fd SHA256 /f $CertFile /csp "Google Cloud KMS Provider" /kc $env:KMS_KEY `
484+ /tr http://timestamp.digicert.com /td sha256 "$file"
485+ if ($LASTEXITCODE -ne 0) { throw "Signing failed for $file" }
477486 }
478- Remove-Item -Force build/bin/signcert.pfx
487+ Remove-Item -Force $CertFile, $KeyFile
479488
480489 - name : " [Package] Create MacroQuest Archive"
481490 shell : pwsh
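Review bot: The `Remove-Item -Force $CertFile, $KeyFile` on the last line of the run block is skipped whenever the `throw "Signing failed for $file"` inside the ForEach fires, so a failed signature leaves the service-account key in `build\bin\gcp-sa.json` on the runner for the rest of the job; wrap the body in `try { … } finally { Remove-Item … }` so the key and certificate are removed on every exit path. The secret values are also spliced into the script text by `"${{ secrets.GCP_SA_KEY }}"` and `"${{ secrets.SIGNING_CERT }}"`; a key whose JSON contains `"` or `$` would break the double-quoted PowerShell string, and the raw value becomes part of the rendered script, so pass both through the step's `env:` block and read `$env:GCP_SA_KEY` / `$env:SIGNING_CERT` instead. Whether the following "Create MacroQuest Archive" step would pick up a leftover key from `build\bin` cannot be seen from this hunk. The enclosing job definition starts before the hunk.
```yaml
env:
  KMS_KEY: projects/code-signing-rg/locations/global/keyRings/redkeys/cryptoKeys/rgkey/cryptoKeyVersions/1
  SIGNING_CERT: ${{ secrets.SIGNING_CERT }}
  GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
run: |
  $CertFile = "${{ github.workspace }}\build\bin\user.crt"
  $KeyFile = "${{ github.workspace }}\build\bin\gcp-sa.json"
  try {
    [IO.File]::WriteAllBytes($CertFile, [Convert]::FromBase64String($env:SIGNING_CERT))
    [IO.File]::WriteAllText($KeyFile, $env:GCP_SA_KEY)
    $env:GOOGLE_APPLICATION_CREDENTIALS = $KeyFile
    # … unchanged: $FileList / $signtool discovery and the signing ForEach with the $LASTEXITCODE check …
  } finally {
    # runs on both the success path and the throw path
    Remove-Item -Force -ErrorAction SilentlyContinue $CertFile, $KeyFile
  }
```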