Skip to content

Commit e56c78a

Browse files
author
nate smith
committed
Sign Windows .exes in a post-build hook
1 parent fbda658 commit e56c78a

3 files changed

Lines changed: 36 additions & 1 deletion

File tree

.github/workflows/releases.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ jobs:
3333
env:
3434
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
3535
GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
36+
GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
37+
DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
3638
- name: Checkout documentation site
3739
uses: actions/checkout@v2
3840
with:
@@ -61,7 +63,6 @@ jobs:
6163
api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
6264
done
6365
echo "moved ${#cards[@]} cards to the Done column"
64-
6566
- name: Install packaging dependencies
6667
run: sudo apt-get install -y rpm reprepro
6768
- name: Set up GPG

.goreleaser.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,12 @@ builds:
3232
id: windows
3333
goos: [windows]
3434
goarch: [386, amd64]
35+
hooks:
36+
post:
37+
- cmd: ./script/sign-windows-executable.sh {{ .Path }}
38+
env:
39+
- GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }}
40+
- DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }}
3541

3642
archives:
3743
- id: nix

script/sign-windows-executable.sh

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
#!/bin/bash
2+
set -e
3+
4+
EXECUTABLE_PATH=$1
5+
6+
curl \
7+
-H "Authorization: token $DESKTOP_CERT_TOKEN" \
8+
-H "Accept: application/vnd.github.v3.raw" \
9+
--output windows-certificate.pfx \
10+
https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
11+
12+
PROGRAM_NAME="GitHub CLI"
13+
14+
# Convert private key to the expected format
15+
openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD}
16+
openssl rsa -in private-key.pem -outform PVK -pvk-none -out private-key.pvk
17+
18+
# Convert certificate chain into the expected format
19+
openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}
20+
openssl crl2pkcs7 -nocrl -certfile certificate.pem -outform DER -out certificate.spc
21+
22+
signcode \
23+
-spc certificate.spc \
24+
-v private-key.pvk \
25+
-n $PROGRAM_NAME \
26+
-t http://timestamp.digicert.com \
27+
-a sha256 \
28+
$EXECUTABLE_PATH

0 commit comments

Comments
 (0)