From 746aedab75e5a5aa87ec47fc214a0ca65a126f65 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Tue, 11 Feb 2025 09:30:35 +0000
Subject: [PATCH] Test windows signing in CI (#2131)
* Test windows signing in CI
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Of course powershell is special
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Iterate
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 .github/workflows/build_windows.yaml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml
index 1224ee67..1802beff 100644
--- a/.github/workflows/build_windows.yaml
+++ b/.github/workflows/build_windows.yaml
@@ -3,6 +3,8 @@
 # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
 # Windows GHA runner by default uses the pwsh shell which breaks codeSigningCert in the workflow
+# We always sign using eSignerCKA to ensure it keeps working, but aside from release & nightlies we use demo credentials
+# which do not yield trusted signatures.
 defaults:
 run:
 shell: powershell
@@ -116,7 +118,6 @@ jobs:
 yarn build:native --target ${{ steps.config.outputs.target }}
 - name: Install and configure eSigner CKA
- if: inputs.sign
 run: |
 Set-StrictMode -Version 'Latest'
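Review bot: The eSigner CKA install step now runs on every invocation, including the untrusted-PR builds that the file header in the first hunk warns about, yet the hunk does not show how the tool is obtained; if the remainder of the step (it continues past the hunk) downloads the installer, that fetch should be pinned to a fixed version and verified against a known checksum before it sits on the unconditional path. Removing the `if: inputs.sign` guard also leaves no in-file explanation of why the step is unconditional, so a comment above the step such as `# Always runs: falls back to the SSL.com demo credentials when the signing secrets are absent` would stop the next reader from re-adding the condition.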
@@ -134,8 +135,13 @@ jobs:
 $LogConfig[0] = ''
 $LogConfig | Set-Content -Path ${{ env.INSTALL_DIR }}/log4net.config
- # Configure
- ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode product -user "${{ secrets.ESIGNER_USER_NAME }}" -pass "${{ secrets.ESIGNER_USER_PASSWORD }}" -totp "${{ secrets.ESIGNER_USER_TOTP }}" -key "${{ env.MASTER_KEY_FILE }}" -r
+ # Configure - default credentials from https://www.ssl.com/guide/esigner-demo-credentials-and-certificates/
+ ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config `
+ -mode ${{ vars.ESIGNER_MODE || 'sandbox' }} `
+ -user "${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}" `
+ -pass "${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}" `
+ -totp "${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}" `
+ -key "${{ env.MASTER_KEY_FILE }}" -r
 ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
 ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
@@ -169,7 +175,7 @@ jobs:
 yarn electron-builder --publish never -w ${{ steps.config.outputs.build-args }}
 - name: Check app was signed successfully
- if: inputs.sign != ''
+ if: inputs.sign
 run: |
 . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)
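Review bot: The rebuilt `config` call splices `${{ secrets.* }}` and `${{ vars.ESIGNER_MODE }}` directly into the PowerShell source, so a value containing a double quote, a backtick or `$(` breaks the quoting or is evaluated as a subexpression instead of being passed literally; the GitHub-documented pattern is to map each value to a step `env:` entry and reference `$env:…` in the script, which also keeps the values out of the rendered command text. The step header that would carry that `env:` block (`- name: Install and configure eSigner CKA`) lies in the previous hunk, so add it there if the step has no `env:` yet — that is not visible from here. The fallback literals are the public SSL.com demo credentials named in the comment, so they are not a secret exposure, but a short comment on the `-mode` line, e.g. `# sandbox + demo credentials unless release secrets are configured; demo signatures are untrusted`, would tell the reader why a build whose secret is missing silently produces an untrusted signature.
```yaml
- name: Install and configure eSigner CKA
  env:
    ESIGNER_MODE: ${{ vars.ESIGNER_MODE || 'sandbox' }}
    ESIGNER_USER_NAME: ${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}
    ESIGNER_USER_PASSWORD: ${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}
    ESIGNER_USER_TOTP: ${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}
  run: |
    # … unchanged: Set-StrictMode, install and log4net configuration …
    # Configure - default credentials from https://www.ssl.com/guide/esigner-demo-credentials-and-certificates/
    ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config `
      -mode $env:ESIGNER_MODE `
      -user $env:ESIGNER_USER_NAME `
      -pass $env:ESIGNER_USER_PASSWORD `
      -totp $env:ESIGNER_USER_TOTP `
      -key "${{ env.MASTER_KEY_FILE }}" -r
    # … unchanged: unload / load …
```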