diff --git a/.github/scripts/build_definition.py b/.github/scripts/build_definition.py
index 89692fa9..a87f2ac7 100644
--- a/.github/scripts/build_definition.py
+++ b/.github/scripts/build_definition.py
@@ -24,7 +24,7 @@
  # On Windows, we build only libzim for now. And only native_mixed as xapian doesn't compile as dll
  | windows | native_static | Bd | d | d | d | | win-x86_64 | win-x86_64-static |
  | windows | native_dyn | Bd | | | | | win-x86_64 | win-x86_64-dyn |
- | windows | native_mixed | BPd | d | | | Bd | win-x86_64 | win-x86_64-mixed |
+ | windows | native_mixed | BPd | d | | | BPd | win-x86_64 | win-x86_64-mixed |
  ----------------------------------------------------------------------------------------------------------------------------------------------
  # Osx builds, build binaries on native_dyn and native_static. On anyother things, build only the libraries
  | macos | native_dyn | d | d | dB | B | | | macos-x86_64-dyn |
diff --git a/.github/workflows/releaseNigthly.yml b/.github/workflows/releaseNigthly.yml
index 4181dc57..8d1f2872 100644
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@@ -52,6 +52,37 @@ jobs:
         echo "${{secrets.ssh_key}}" > $SSH_KEY
       env:
         SSH_KEY: ${{ runner.temp }}/id_rsa
+    - name: Install and configure eSigner CKA and Windows SDK
+      if: github.event_name == 'push'
+      env:
+        ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.7/SSL.COM-eSigner-CKA_1.0.7.zip
+      run: |
+        Set-StrictMode -Version 'Latest'
+
+        # Download and Unzip eSignerCKA Setup
+        Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "$env:ESIGNER_URL"
+        Expand-Archive -Force eSigner_CKA_Setup.zip
+        Remove-Item eSigner_CKA_Setup.zip
+        Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
+
+        # Install eSignerCKA
+        New-Item -ItemType Directory -Force -Path "C:\esigner"
+        ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\esigner” /TYPE=automatic | Out-Null
+        Remove-Item "eSigner_CKA_Installer.exe"
+
+        # Configure the CKA with SSL.com credentials
+        C:\esigner\eSignerCKATool.exe config -mode product -user "${{ secrets.ESIGNER_USERNAME }}" -pass "${{ secrets.ESIGNER_PASSWORD }}" -totp "${{ secrets.ESIGNER_TOTP_SECRET }}" -key "C:\esigner\master.key" -r
+        C:\esigner\eSignerCKATool.exe unload
+        C:\esigner\eSignerCKATool.exe load
+
+        # Find certificate
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+        echo Certificate: $CodeSigningCert
+
+        # Extract thumbprint and subject name
+        $Thumbprint = $CodeSigningCert.Thumbprint
+        echo "SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV
+
     - name: Ensure base deps
       run: |
         python .github\\scripts\\ensure_base_deps.py
@@ -61,6 +92,7 @@ jobs:
       run: |
         python .github\\scripts\\build_release_nightly.py
       env:
+        SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe"
         SSH_KEY: ${{ runner.temp }}/id_rsa
     - name: Upload failure logs
       if: failure()
diff --git a/scripts/package_kiwix-desktop_windows.py b/scripts/package_kiwix-desktop_windows.py
index 0c4ceb8d..3da393b6 100644
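Review bot: The archive fetched by `Invoke-WebRequest` from `$env:ESIGNER_URL` is unpacked and its installer executed with no integrity check, so the tool that ends up holding the signing credentials is whatever asset is served under that URL at run time; pinning a digest makes the download verifiable. Placing `if ((Get-FileHash -Algorithm SHA256 eSigner_CKA_Setup.zip).Hash -ne $env:ESIGNER_SHA256) { throw "eSigner CKA archive hash mismatch" }` directly after the download, with `ESIGNER_SHA256` declared next to `ESIGNER_URL` and set to the published checksum of the 1.0.7 archive, is enough. Separately, when `Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert` returns nothing, `$CodeSigningCert` is null and the step either fails with a strict-mode property error or writes an empty `SIGNTOOL_THUMBPRINT`, depending on the error preference in effect; a guard `if (-not $CodeSigningCert) { throw "No code-signing certificate was loaded by eSigner CKA" }` before the `$Thumbprint` line fails clearly here rather than later in signtool. The step title says "and Windows SDK" but nothing in the step installs an SDK, so the title should describe only the eSigner CKA setup.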
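Review bot: `SIGNTOOL_PATH` hard-codes the Windows Kits build `10.0.22621.0`, which presumably reflects the current runner image and will break without warning once the image ships a different SDK; the `signtool.exe` fallback in the packaging script applies only when the variable is unset, not when the file it points to is missing. A comment such as `# signtool from the Windows 10 SDK shipped on the runner image; update when the image changes` would make the coupling visible, and resolving the path at run time (for example the newest `bin/*/x86/signtool.exe` under `Windows Kits/10`) would remove it. The job this `env:` block belongs to starts outside the hunk.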
--- a/scripts/package_kiwix-desktop_windows.py
+++ b/scripts/package_kiwix-desktop_windows.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-import sys, subprocess, shutil, argparse
+import sys, subprocess, shutil, argparse, os
 from pathlib import Path
 
 parser = argparse.ArgumentParser()
@@ -48,9 +48,23 @@
 shutil.copy2(ssl_directory / "libcrypto-1_1-x64.dll", out_dir)
 shutil.copy2(ssl_directory / "libssl-1_1-x64.dll", out_dir)
 
-# [TODO] Sign binary
 if args.sign:
-    pass
+    # We assume here that signtool and certificate are properly configured.
+    # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
+    command = [
+        os.getenv("SIGNTOOL_PATH", "signtool.exe"),
+        "sign",
+        "/fd",
+        "sha256",
+        "/tr",
+        "http://ts.ssl.com",
+        "/td",
+        "sha256",
+        "/sha1",
+        os.environ["SIGNTOOL_THUMBPRINT"],
+        str(out_dir / "kiwix-desktop.exe"),
+    ]
+    subprocess.run(command, check=True)
 
 print(
     f"""Create archive
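Review bot: `os.environ["SIGNTOOL_THUMBPRINT"]` turns a missing variable into a bare `KeyError` traceback raised from the middle of the argument list, even though the comment above states the requirement; checking it up front gives a readable failure. Before building `command`, `thumbprint = os.environ.get("SIGNTOOL_THUMBPRINT")`, `if not thumbprint:`, `sys.exit("--sign needs SIGNTOOL_THUMBPRINT set to the thumbprint of the signing certificate")`, then pass `thumbprint` in place of the lookup (`sys` is already imported in the first hunk). A comment on the option list would help the next reader, e.g. `# /sha1 selects the certificate by thumbprint; /fd and /td are the file and timestamp digest algorithms`. Only `kiwix-desktop.exe` is signed while the DLLs copied into `out_dir` just above stay unsigned; if that is intentional, the comment should say so. `out_dir` and `args` are defined above the hunk.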