@@ -81,43 +81,10 @@ jobs:
8181 SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
8282 SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
8383
84- - name : Sync DigiCert certificate to local store and verify
85- if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
86- shell : pwsh
87- env :
88- SM_HOST : ${{ vars.SM_HOST }}
89- SM_API_KEY : ${{ secrets.SM_API_KEY }}
90- SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
91- SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
92- run : |
93- $ErrorActionPreference = 'Stop'
94- # Sync certificates from DigiCert cloud to local Windows certificate store
95- # This is required so signtool can find the certificate
96- Write-Host "Syncing certificates from DigiCert cloud..."
97- smctl windows certsync --verbose
98- # Run healthcheck to confirm everything is connected
99- smctl healthcheck
100-
10184 - name : Compile
10285 run : |
10386 cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
10487
105- - name : List synced certificates (diagnostic)
106- if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
107- shell : pwsh
108- env :
109- SM_HOST : ${{ vars.SM_HOST }}
110- SM_API_KEY : ${{ secrets.SM_API_KEY }}
111- SM_CLIENT_CERT_FILE : D:\Certificate_pkcs12.p12
112- SM_CLIENT_CERT_PASSWORD : ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
113- run : |
114- Write-Host "=== Certificates in CurrentUser\My ==="
115- Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize
116- Write-Host "=== Certificates in LocalMachine\My ==="
117- Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize
118- Write-Host "=== smctl keypair list ==="
119- smctl keypair ls
120-
12188 - name : Sign binaries for Windows
12289 if : ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
12390 shell : pwsh
@@ -130,33 +97,12 @@ jobs:
13097 run : |
13198 $ErrorActionPreference = 'Stop'
13299 $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
133-
134- # Check if certsync placed a code signing certificate in the store
135- $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1
136- if (-not $cert) {
137- $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert -ErrorAction SilentlyContinue | Select-Object -First 1
138- }
139-
140- if ($cert) {
141- $thumbprint = $cert.Thumbprint
142- Write-Host "Found certificate: $($cert.Subject) [$thumbprint]"
143- Write-Host "Signing with signtool /sha1..."
144- foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
145- $path = Join-Path $targetDir $exe
146- Write-Host "Signing $exe..."
147- & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path
148- if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
149- Write-Host "$exe signed successfully"
150- }
151- } else {
152- Write-Host "No cert in store, using smctl sign with keypair alias..."
153- foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
154- $path = Join-Path $targetDir $exe
155- Write-Host "Signing $exe..."
156- & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path
157- if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
158- Write-Host "$exe signed successfully"
159- }
100+ foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
101+ $path = Join-Path $targetDir $exe
102+ Write-Host "Signing $exe..."
103+ & smctl sign --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path
104+ if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
105+ Write-Host "$exe signed successfully"
160106 }
161107
162108 - name : Verify signatures
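Review bot: The new signing loop passes `$env:DIGICERT_KEYPAIR_ALIAS` straight to `smctl sign` without checking that it is set, and the step's `env:` block sits between the two hunks, so its definition is not visible here. A guard before the `foreach`, such as `if (-not $env:DIGICERT_KEYPAIR_ALIAS) { throw 'DIGICERT_KEYPAIR_ALIAS is not set' }`, would fail with a clear message instead of depending on how smctl treats an empty alias. The removed signtool branch pinned `/tr http://timestamp.digicert.com /td SHA256 /fd SHA256` explicitly, while the smctl call relies on the tool's defaults for digest and timestamping. It is worth confirming that the following "Verify signatures" step (its body is outside this hunk) rejects a binary that is unsigned or has no timestamp, since the only in-step gate is now `$LASTEXITCODE` from smctl.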