Sign all binaries (exe) on Windows when we do a release
mgautierfr authored and rgaudin committed Sep 10, 2024
1 parent 49b15d1 commit 263ce4c
Showing 1 changed file with 25 additions and 0 deletions.
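--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@@ -456,6 +456,25 @@ def get_postfix(project):
 return postfix
 
 
+def sign_binary(path):
+# We assume here that signtool and certificate are properly configured.
+# Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
+command = [
+os.getenv("SIGNTOOL_PATH", "signtool.exe"),
+"sign",
+"/fd",
+"sha256",
+"/tr",
+"http://ts.ssl.com",
+"/td",
+"sha256",
+"/sha1",
+os.environ["SIGNTOOL_THUMBPRINT"],
+str(path),
+]
+subprocess.run(command, check=True)
+
+
 def make_archive(project, make_release):
 platform_name = get_platform_name()
 if not platform_name:
@@ -477,6 +496,12 @@ def make_archive(project, make_release):
 files_to_archive = []
 for export_file in export_files:
 files_to_archive.extend(base_dir.glob(export_file))
+
+if make_release and platform.system() == "Windows":
+for file in files_to_archive:
+if str(file).endswith(".exe"):
+sign_binary(file)
+
 if platform_name == "win-i686" or platform.system() == "Windows":
 open_archive = lambda a: zipfile.ZipFile(
 str(a), "w", compression=zipfile.ZIP_DEFLATED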
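Review bot: In the second hunk the signing loop picks files with `str(file).endswith(".exe")`, which is case-sensitive and silent, so an export named with an upper-case `.EXE` suffix, or a release where no executable matched the glob at all, would be archived unsigned without any error. The entries appear to come from `base_dir.glob(...)`, so `if file.suffix.lower() == ".exe":` would cover the case variants, and failing the release when zero files were signed would make a missed signature visible. In `sign_binary` (first hunk) `subprocess.run(command, check=True)` has no `timeout=`, so an unresponsive timestamp server would hang the release job instead of failing it; the `/tr` URL is also plain `http://`, which leaves integrity resting on signtool's validation of the signed timestamp response. A short docstring stating that a missing `SIGNTOOL_THUMBPRINT` raises `KeyError` and a failed signtool run raises `subprocess.CalledProcessError` would document that the step fails closed. `make_archive` starts before and continues past the second hunk.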
