Skip to content

Commit 6fc1548

Browse files
Remove CI signing, add unsigned notice to release notes
1 parent 56a3140 commit 6fc1548

1 file changed

Lines changed: 12 additions & 82 deletions

File tree

.github/workflows/ci.yml

Lines changed: 12 additions & 82 deletions
Original file line numberDiff line numberDiff line change
@@ -53,63 +53,6 @@ jobs:
5353
Write-Host "Built: dist/$arch/checkin.exe"
5454
}
5555
56-
- name: Import signing certificate
57-
id: cert
58-
if: env.CODE_SIGNING_CERT_BASE64 != ''
59-
shell: pwsh
60-
env:
61-
CODE_SIGNING_CERT_BASE64: ${{ secrets.CODE_SIGNING_CERT_BASE64 }}
62-
CODE_SIGNING_CERT_PASSWORD: ${{ secrets.CODE_SIGNING_CERT_PASSWORD }}
63-
run: |
64-
$pfxBytes = [Convert]::FromBase64String($env:CODE_SIGNING_CERT_BASE64)
65-
$pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
66-
[IO.File]::WriteAllBytes($pfxPath, $pfxBytes)
67-
$securePassword = ConvertTo-SecureString $env:CODE_SIGNING_CERT_PASSWORD -AsPlainText -Force
68-
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword
69-
echo "thumbprint=$($cert.Thumbprint)" >> $env:GITHUB_OUTPUT
70-
Remove-Item $pfxPath -Force
71-
Write-Host "Certificate imported: $($cert.Subject)"
72-
73-
- name: Locate signtool
74-
id: signtool
75-
if: steps.cert.outputs.thumbprint != ''
76-
shell: pwsh
77-
run: |
78-
$signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
79-
Sort-Object FullName -Descending | Select-Object -First 1
80-
if ($signtool) {
81-
echo "path=$($signtool.FullName)" >> $env:GITHUB_OUTPUT
82-
Write-Host "Found signtool: $($signtool.FullName)"
83-
} else {
84-
Write-Host "::warning::signtool.exe not found on runner"
85-
}
86-
87-
- name: Sign binaries
88-
if: steps.cert.outputs.thumbprint != '' && steps.signtool.outputs.path != ''
89-
shell: pwsh
90-
run: |
91-
$signtool = "${{ steps.signtool.outputs.path }}"
92-
$thumbprint = "${{ steps.cert.outputs.thumbprint }}"
93-
$tsas = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com')
94-
95-
foreach ($arch in @("x64", "arm64")) {
96-
$exe = "dist/$arch/checkin.exe"
97-
$signed = $false
98-
foreach ($tsa in $tsas) {
99-
& $signtool sign /fd SHA256 /tr $tsa /td SHA256 /sha1 $thumbprint $exe 2>&1
100-
if ($LASTEXITCODE -eq 0) {
101-
Write-Host "Signed: $exe"
102-
$signed = $true
103-
break
104-
}
105-
Write-Host "::warning::Timestamp server $tsa failed, trying next..."
106-
}
107-
if (-not $signed) {
108-
Write-Host "::error::Failed to sign $exe"
109-
exit 1
110-
}
111-
}
112-
11356
- name: Download cimipkg
11457
shell: pwsh
11558
env:
@@ -169,31 +112,6 @@ jobs:
169112
}
170113
}
171114
172-
- name: Sign MSI packages
173-
if: steps.cert.outputs.thumbprint != '' && steps.signtool.outputs.path != ''
174-
shell: pwsh
175-
run: |
176-
$signtool = "${{ steps.signtool.outputs.path }}"
177-
$thumbprint = "${{ steps.cert.outputs.thumbprint }}"
178-
$tsas = @('http://timestamp.digicert.com', 'http://timestamp.sectigo.com')
179-
180-
foreach ($msi in Get-ChildItem release/*.msi) {
181-
$signed = $false
182-
foreach ($tsa in $tsas) {
183-
& $signtool sign /fd SHA256 /tr $tsa /td SHA256 /sha1 $thumbprint $msi.FullName 2>&1
184-
if ($LASTEXITCODE -eq 0) {
185-
Write-Host "Signed: $($msi.Name)"
186-
$signed = $true
187-
break
188-
}
189-
Write-Host "::warning::Timestamp server $tsa failed, trying next..."
190-
}
191-
if (-not $signed) {
192-
Write-Host "::error::Failed to sign $($msi.Name)"
193-
exit 1
194-
}
195-
}
196-
197115
- name: Build NuGet packages
198116
shell: pwsh
199117
run: |
@@ -253,3 +171,15 @@ jobs:
253171
name: Crypt ${{ needs.build.outputs.version }}
254172
generate_release_notes: true
255173
files: release/*
174+
body: |
175+
## Crypt ${{ needs.build.outputs.version }}
176+
177+
Binaries and MSI packages are provided **unsigned**. For enterprise deployment, sign them with your organization's code signing certificate before distribution:
178+
179+
```powershell
180+
# Sign binaries
181+
signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /n "Your Certificate Name" checkin.exe
182+
183+
# Sign MSI packages
184+
signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /n "Your Certificate Name" Crypt-x64-${{ needs.build.outputs.version }}.msi
185+
```

0 commit comments

Comments
 (0)