|
53 | 53 | Write-Host "Built: dist/$arch/checkin.exe" |
54 | 54 | } |
55 | 55 |
|
56 | | - - name: Import signing certificate |
57 | | - id: cert |
58 | | - if: env.CODE_SIGNING_CERT_BASE64 != '' |
59 | | - shell: pwsh |
60 | | - env: |
61 | | - CODE_SIGNING_CERT_BASE64: ${{ secrets.CODE_SIGNING_CERT_BASE64 }} |
62 | | - CODE_SIGNING_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }} |
63 | | - run: | |
64 | | - $pfxBytes = [Convert]::FromBase64String($env:CODE_SIGNING_CERT_BASE64) |
65 | | - $pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx" |
66 | | - [IO.File]::WriteAllBytes($pfxPath, $pfxBytes) |
67 | | - $securePassword = ConvertTo-SecureString $env:CODE_SIGNING_CERT_PASSWORD -AsPlainText -Force |
68 | | - $cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword |
69 | | - echo "thumbprint=$($cert.Thumbprint)" >> $env:GITHUB_OUTPUT |
70 | | - Remove-Item $pfxPath -Force |
71 | | - Write-Host "Certificate imported: $($cert.Subject)" |
72 | | -
|
73 | | - - name: Locate signtool |
74 | | - id: signtool |
75 | | - if: steps.cert.outputs.thumbprint != '' |
76 | | - shell: pwsh |
77 | | - run: | |
78 | | - $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue | |
79 | | - Sort-Object FullName -Descending | Select-Object -First 1 |
80 | | - if ($signtool) { |
81 | | - echo "path=$($signtool.FullName)" >> $env:GITHUB_OUTPUT |
82 | | - Write-Host "Found signtool: $($signtool.FullName)" |
83 | | - } else { |
84 | | - Write-Host "::warning::signtool.exe not found on runner" |
85 | | - } |
86 | | -
|
87 | | - - name: Sign binaries |
88 | | - if: steps.cert.outputs.thumbprint != '' && steps.signtool.outputs.path != '' |
89 | | - shell: pwsh |
90 | | - run: | |
91 | | - $signtool = "${{ steps.signtool.outputs.path }}" |
92 | | - $thumbprint = "${{ steps.cert.outputs.thumbprint }}" |
93 | | - $tsas = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com') |
94 | | -
|
95 | | - foreach ($arch in @("x64", "arm64")) { |
96 | | - $exe = "dist/$arch/checkin.exe" |
97 | | - $signed = $false |
98 | | - foreach ($tsa in $tsas) { |
99 | | - & $signtool sign /fd SHA256 /tr $tsa /td SHA256 /sha1 $thumbprint $exe 2>&1 |
100 | | - if ($LASTEXITCODE -eq 0) { |
101 | | - Write-Host "Signed: $exe" |
102 | | - $signed = $true |
103 | | - break |
104 | | - } |
105 | | - Write-Host "::warning::Timestamp server $tsa failed, trying next..." |
106 | | - } |
107 | | - if (-not $signed) { |
108 | | - Write-Host "::error::Failed to sign $exe" |
109 | | - exit 1 |
110 | | - } |
111 | | - } |
112 | | -
|
113 | 56 | - name: Download cimipkg |
114 | 57 | shell: pwsh |
115 | 58 | env: |
@@ -169,31 +112,6 @@ jobs: |
169 | 112 | } |
170 | 113 | } |
171 | 114 |
|
172 | | - - name: Sign MSI packages |
173 | | - if: steps.cert.outputs.thumbprint != '' && steps.signtool.outputs.path != '' |
174 | | - shell: pwsh |
175 | | - run: | |
176 | | - $signtool = "${{ steps.signtool.outputs.path }}" |
177 | | - $thumbprint = "${{ steps.cert.outputs.thumbprint }}" |
178 | | - $tsas = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com') |
179 | | -
|
180 | | - foreach ($msi in Get-ChildItem release/*.msi) { |
181 | | - $signed = $false |
182 | | - foreach ($tsa in $tsas) { |
183 | | - & $signtool sign /fd SHA256 /tr $tsa /td SHA256 /sha1 $thumbprint $msi.FullName 2>&1 |
184 | | - if ($LASTEXITCODE -eq 0) { |
185 | | - Write-Host "Signed: $($msi.Name)" |
186 | | - $signed = $true |
187 | | - break |
188 | | - } |
189 | | - Write-Host "::warning::Timestamp server $tsa failed, trying next..." |
190 | | - } |
191 | | - if (-not $signed) { |
192 | | - Write-Host "::error::Failed to sign $($msi.Name)" |
193 | | - exit 1 |
194 | | - } |
195 | | - } |
196 | | -
|
197 | 115 | - name: Build NuGet packages |
198 | 116 | shell: pwsh |
199 | 117 | run: | |
@@ -253,3 +171,15 @@ jobs: |
253 | 171 | name: Crypt ${{ needs.build.outputs.version }} |
254 | 172 | generate_release_notes: true |
255 | 173 | files: release/* |
| 174 | + body: | |
| 175 | + ## Crypt ${{ needs.build.outputs.version }} |
| 176 | +
|
| 177 | + Binaries and MSI packages are provided **unsigned**. For enterprise deployment, sign them with your organization's code signing certificate before distribution: |
| 178 | +
|
| 179 | + ```powershell |
| 180 | + # Sign binaries |
| 181 | + signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /n "Your Certificate Name" checkin.exe |
| 182 | +
|
| 183 | + # Sign MSI packages |
| 184 | + signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /n "Your Certificate Name" Crypt-x64-${{ needs.build.outputs.version }}.msi |
| 185 | + ``` |
0 commit comments