From 96ef7a13f2117a5572288fc9eef10cd54c587c61 Mon Sep 17 00:00:00 2001
From: Hiroshiba
Date: Mon, 4 Jul 2022 00:26:06 +0900
Subject: [PATCH 1/5] =?UTF-8?q?=E3=82=B3=E3=83=BC=E3=83=89=E7=BD=B2?= =?UTF-8?q?=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/build.yml | 13 ++++++++++
 build_util/codesign.bash | 49 +++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 build_util/codesign.bash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eedf68621..a91ea575a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,9 @@ on:
 version:
 description: "バージョン情報(A.BB.C / A.BB.C-preview.D)"
 required: true
+ code_signing:
+ description: "コード署名する"
+ type: boolean
 env:
 # releaseタグ名か、workflow_dispatchでのバージョン名か、DEBUGが入る
@@ -24,6 +27,7 @@ env:
 jobs:
 build-cpp-shared:
+ environment: ${{ github.event.inputs.code_signing && 'code_signing' }}
 strategy:
 fail-fast: false
 matrix:
@@ -281,6 +285,15 @@ jobs:
 cp README.md "artifact/${{ env.ASSET_NAME }}/README.txt"
+ - name: Code signing (Windows)
+ if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
+ shell: bash
+ run: |
+ bash codesign.bash "core.dll"
+ env:
+ CERT_BASE64: ${{ secrets.CERT_BASE64 }}
+ CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+
 # Upload
 - name: Upload artifact
 uses: actions/upload-artifact@v2
diff --git a/build_util/codesign.bash b/build_util/codesign.bash
new file mode 100644
index 000000000..72ea0f5b5
--- /dev/null
+++ b/build_util/codesign.bash
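Review bot: The new `environment:` expression in the second hunk and the `if:` of the Code signing step in the third hunk test `github.event.inputs.code_signing`, which is always a string even though the first hunk declares the input as `type: boolean`; a workflow_dispatch run with the box unchecked yields the string `'false'`, which is truthy in expression evaluation, so the job would still be placed in the `code_signing` environment (and thereby obtain `CERT_BASE64`/`CERT_PASSWORD`) and the signing step would still run. Since the environment gate is what restricts access to the certificate secrets, compare explicitly: `environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' || '' }}` and `if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing == 'true'` (the typed `inputs.code_signing` context would also work, but mixing the two contexts is easy to get wrong). Release-triggered runs, where the input is absent, keep evaluating to no environment as they do now. The enclosing `on:` block and the `build-cpp-shared` job both extend outside these hunks.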
@@ -0,0 +1,49 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+set -eu
+
+if [ -v "${CERT_BASE64}" ]; then
+ echo "CERT_BASE64が未定義です"
+ exit 1
+fi
+if [ -v "${CERT_PASSWORD}" ]; then
+ echo "CERT_PASSWORDが未定義です"
+ exit 1
+fi
+
+if [ $# -ne 1 ]; then
+ echo "引数の数が一致しません"
+ exit 1
+fi
+target_file_glob="$1"
+
+# 証明書
+CERT_PATH=cert.pfx
+echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH
+
+# 指定ファイルに署名する
+function codesign() {
+ TARGET="$1"
+ SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+ powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'"
+}
+
+# 指定ファイルが署名されているか
+function is_signed() {
+ TARGET="$1"
+ SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+ powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1
+}
+
+# 署名されていなければ署名
+ls $target_file_glob | while read target_file; do
+ if is_signed "$target_file"; then
+ echo "署名済み: $target_file"
+ else
+ echo "署名: $target_file"
+ codesign "$target_file"
+ fi
+done
+
+# 証明書を消去
+rm $CERT_PATH
From 16b288479fce37ced670d016d38985ea83e943a5 Mon Sep 17 00:00:00 2001
From: Hiroshiba
Date: Mon, 4 Jul 2022 00:42:54 +0900
Subject: [PATCH 2/5] build_util
---
 .github/workflows/build.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a91ea575a..641ccd402 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,7 @@ env:
 jobs:
 build-cpp-shared:
- environment: ${{ github.event.inputs.code_signing && 'code_signing' }}
+ environment: ${{ github.event.inputs.code_signing && 'code_signing' }} # コード署名用のenvironment
 strategy:
 fail-fast: false
 matrix:
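Review bot: The two guards `if [ -v "${CERT_BASE64}" ]` and `if [ -v "${CERT_PASSWORD}" ]` near the top of codesign.bash never do what the messages say: `-v` takes a variable *name*, but here it receives the expanded *value*, so with `set -u` an unset secret aborts with an unbound-variable error before the message is printed, and when the secret is set the test looks up a variable named after its contents and simply fails. Write them as `if [ -z "${CERT_BASE64:-}" ]; then` and `if [ -z "${CERT_PASSWORD:-}" ]; then`. The decoded certificate is written to `cert.pfx` in the working directory and only removed by the final `rm $CERT_PATH`, so under `set -e` any failure in signtool lookup, signing or verification exits early and leaves the PFX on the runner; add `trap 'rm -f "$CERT_PATH"' EXIT` immediately after the `base64 -d` line so cleanup also covers the error paths. Separately, `is_signed` uses `verify /pa`, which accepts any signature that chains to a trusted root, not specifically one made with this certificate, so a file already signed by a different publisher is reported as 署名済み and skipped; if the intent is that release binaries carry the project's own signature, either drop the skip or check the signer as well.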
@@ -289,11 +289,17 @@ jobs:
 if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
 shell: bash
 run: |
- bash codesign.bash "core.dll"
+ bash build_util/codesign.bash "core.dll"
 env:
 CERT_BASE64: ${{ secrets.CERT_BASE64 }}
 CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+ # coreのredirectブランチ戻した?
+ # coreのredirectブランチ戻した?
+ # coreのredirectブランチ戻した?
+ # coreのredirectブランチ戻した?
+ # coreのredirectブランチ戻した?
+
 # Upload
 - name: Upload artifact
 uses: actions/upload-artifact@v2
From 4959b58b7d7bac0e6b6d96922822e981e7ded355 Mon Sep 17 00:00:00 2001
From: Hiroshiba
Date: Mon, 4 Jul 2022 00:52:03 +0900
Subject: [PATCH 3/5] artifact/
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 641ccd402..5853158e0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -289,7 +289,7 @@ jobs:
 if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
 shell: bash
 run: |
- bash build_util/codesign.bash "core.dll"
+ bash build_util/codesign.bash "artifact/core.dll"
 env:
 CERT_BASE64: ${{ secrets.CERT_BASE64 }}
 CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
From ef34db51c6cf54d60b3f55d47c8bb029d86e7b01 Mon Sep 17 00:00:00 2001
From: Hiroshiba
Date: Mon, 4 Jul 2022 01:00:07 +0900
Subject: [PATCH 4/5] a
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5853158e0..660a1aaa3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -289,7 +289,7 @@ jobs:
 if: startsWith(matrix.os, 'windows') && github.event.inputs.code_signing
 shell: bash
 run: |
- bash build_util/codesign.bash "artifact/core.dll"
+ bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/core.dll"
 env:
 CERT_BASE64: ${{ secrets.CERT_BASE64 }}
 CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
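Review bot: The new `run:` line in the last hunk here (PATCH 4/5) splices `${{ env.ASSET_NAME }}` into the shell script text before bash sees it, so any shell metacharacters in that value become part of the command rather than data; per the comment in the first patch, ASSET_NAME is derived from a release tag name or the `version` workflow input, so it is not a fixed constant. Because `env:` values are already exported to the step's shell, the same path can be built without template interpolation: `bash build_util/codesign.bash "artifact/$ASSET_NAME/core.dll"`. The step and its `env:` block start before this hunk, and the same pattern is already used by the `cp README.md` line in the first patch's hunk, which could be changed the same way. The earlier hunks on this line (PATCH 2/5 and 3/5) only adjust the same path and need no separate note.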
From 15b586c4a4e598f49a4e043563985c83eb4e3a94 Mon Sep 17 00:00:00 2001
From: Hiroshiba
Date: Mon, 4 Jul 2022 01:10:29 +0900
Subject: [PATCH 5/5] remove
---
 .github/workflows/build.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 660a1aaa3..e3bb8f02a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -294,12 +294,6 @@ jobs:
 CERT_BASE64: ${{ secrets.CERT_BASE64 }}
 CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
- # coreのredirectブランチ戻した?
- # coreのredirectブランチ戻した?
- # coreのredirectブランチ戻した?
- # coreのredirectブランチ戻した?
- # coreのredirectブランチ戻した?
-
 # Upload
 - name: Upload artifact
 uses: actions/upload-artifact@v2