From 263ce4c87d0effc62ea9c57a929d7f93393b3c6b Mon Sep 17 00:00:00 2001 From: Matthieu Gautier Date: Mon, 2 Sep 2024 17:37:30 +0200 Subject: [PATCH] Sign all binaries (exe) on Windows when we do a release --- .github/scripts/common.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.github/scripts/common.py b/.github/scripts/common.py index a8c5103a..78548b4e 100644 --- a/.github/scripts/common.py +++ b/.github/scripts/common.py @@ -456,6 +456,25 @@ def get_postfix(project): return postfix +def sign_binary(path): + # We assume here that signtool and certificate are properly configured. + # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use. + command = [ + os.getenv("SIGNTOOL_PATH", "signtool.exe"), + "sign", + "/fd", + "sha256", + "/tr", + "http://ts.ssl.com", + "/td", + "sha256", + "/sha1", + os.environ["SIGNTOOL_THUMBPRINT"], + str(path), + ] + subprocess.run(command, check=True) + + def make_archive(project, make_release): platform_name = get_platform_name() if not platform_name: @@ -477,6 +496,12 @@ def make_archive(project, make_release): files_to_archive = [] for export_file in export_files: files_to_archive.extend(base_dir.glob(export_file)) + + if make_release and platform.system() == "Windows": + for file in files_to_archive: + if str(file).endswith(".exe"): + sign_binary(file) + if platform_name == "win-i686" or platform.system() == "Windows": open_archive = lambda a: zipfile.ZipFile( str(a), "w", compression=zipfile.ZIP_DEFLATED