5050 - name : Install rust target
5151 run : rustup target add ${{ matrix.target }}
5252
53+ - name : Add signtool.exe to PATH
54+ if : ${{ runner.os == 'Windows' }}
55+ shell : pwsh
56+ run : |
57+ $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
58+ $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
59+ Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
60+ Sort-Object FullName -Descending |
61+ Select-Object -First 1
62+
63+ if (-not $signtool) { throw "signtool.exe not found under $root" }
64+
65+ "Found: $($signtool.FullName)"
66+ $dir = Split-Path $signtool.FullName
67+ Add-Content -Path $env:GITHUB_PATH -Value $dir
68+
5369 - name : Decode DigiCert client auth certificate
5470 if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
5571 shell : bash
6581 SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
6682 SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
6783
68- - name : DigiCert healthcheck
69- if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
70- shell : bash
71- env :
72- SM_HOST : ${{ vars.SM_HOST }}
73- SM_API_KEY : ${{ secrets.SM_API_KEY }}
74- SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
75- SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
76- run : |
77- echo "SM_HOST length: ${#SM_HOST}"
78- echo "SM_API_KEY length: ${#SM_API_KEY}"
79- echo "SM_CLIENT_CERT_PASSWORD length: ${#SM_CLIENT_CERT_PASSWORD}"
80- echo "SM_CLIENT_CERT_FILE: ${SM_CLIENT_CERT_FILE}"
81- if [ -f /d/Certificate_pkcs12.p12 ]; then
82- echo "Cert file size: $(wc -c < /d/Certificate_pkcs12.p12) bytes"
83- else
84- echo "CERT FILE MISSING"
85- fi
86- smctl healthcheck
87-
8884 - name : Compile
8985 run : |
9086 cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
@@ -93,34 +89,37 @@ jobs:
9389 if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
9490 shell : bash
9591 env :
96- SM_HOST : ${{ vars.SM_HOST }}
97- SM_API_KEY : ${{ secrets.SM_API_KEY }}
98- SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
99- SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
10092 DIGICERT_KEYPAIR_ALIAS : ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
10193 run : |
94+ set -e
10295 targetDir="$GITHUB_WORKSPACE/target/x86_64-pc-windows-msvc/release"
96+ failed=0
10397 for exe in spacetimedb-update.exe spacetimedb-cli.exe spacetimedb-standalone.exe; do
10498 echo "Signing $exe..."
105- smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \
106- --input "$targetDir/$exe"
99+ output=$(smctl sign --keypair-alias "$DIGICERT_KEYPAIR_ALIAS" \
100+ --input "$targetDir/$exe" 2>&1) || true
101+ echo "$output"
102+ if echo "$output" | grep -q "FAILED"; then
103+ echo "::error::$exe signing FAILED"
104+ failed=1
105+ else
106+ echo "$exe signed successfully"
107+ fi
107108 done
109+ if [ "$failed" -eq 1 ]; then
110+ exit 1
111+ fi
108112
109113 - name : Verify signatures
110114 if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
111115 shell : pwsh
112116 run : |
113117 $ErrorActionPreference = 'Stop'
114- $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
115- $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
116- Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
117- Sort-Object FullName -Descending |
118- Select-Object -First 1
119- if (-not $signtool) { throw "signtool.exe not found" }
120-
121118 $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
122119 foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
123- & $signtool.FullName verify /v /pa (Join-Path $targetDir $exe)
120+ $path = Join-Path $targetDir $exe
121+ & signtool.exe verify /v /pa $path
122+ if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" }
124123 }
125124
126125 - name : Package (unix)
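Review bot: In the signing loop, `|| true` discards smctl's exit status and the step infers success only from the absence of the literal string FAILED in the captured output, so a failure that prints anything else (smctl not on PATH, an authentication or network error) is logged as "signed successfully". The added `set -e` does not cover this command, because the `|| true` list exempts it. Keep the grep if smctl is known to exit 0 on a failed sign, but record the status too: `rc=0; output=$(smctl sign ... 2>&1) || rc=$?` followed by `if [ "$rc" -ne 0 ] || echo "$output" | grep -q "FAILED"; then`. The Verify signatures step now checks `$LASTEXITCODE` and is the real backstop, so it should stay gated on the same condition as signing; the signing step's name line sits above this hunk, so its full definition is not visible here.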