diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 68951b0178..ce0102219c 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -188,8 +188,10 @@ jobs:
 - name: Build Windows 10 signed app package
 if: matrix.type == 'signed-app' && env.CODESIGN == '1'
 run: |
- $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
- & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER -CertificateFile .\codesign.pfx -CertificatePassword $CertPassword
+ $CertificateFile = ".\codesign.pfx"
+ $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
+ & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER `
+ -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Move-Item .\dist\*.msix .\artifacts
 env:
 CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
@@ -198,12 +200,14 @@ jobs:
 run: |
 # choco install nsis
 If ($Env:CODESIGN -eq "1") {
- $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
- $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
+ $CertificateFile = ".\codesign.pfx"
+ $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
 } Else {
- $Certificate = $null
+ $CertificateFile = $null
+ $CertificatePassword = $null
 }
- & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
+ & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER `
+ -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Move-Item .\installer\*.exe .\artifacts
 dist\picard\fpcalc -version
 env:
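Review bot: The secret is wrapped in a SecureString in this step only to be unwrapped again in win-common.ps1 (`ConvertFrom-SecureString -AsPlainText` feeding SignTool's `/p`), so on the runner the PFX password ends up as a plain command-line argument, and GitHub's log masking does not extend to process listings. If keeping the password off argv is the intent, import the PFX once with `Import-PfxCertificate -FilePath .\codesign.pfx -Password $CertificatePassword -CertStoreLocation Cert:\CurrentUser\My` and let the scripts sign by thumbprint (`/sha1`), as the appx branch this diff removes did. Otherwise a comment on the step such as `# CertificatePassword is decoded to plain text for SignTool /p inside win-common.ps1` would make the trade-off explicit. The installer and portable steps in the following hunks repeat the same pattern.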
@@ -212,12 +216,14 @@ jobs:
 if: matrix.type == 'portable'
 run: |
 If ($Env:CODESIGN -eq "1") {
- $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
- $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
+ $CertificateFile = ".\codesign.pfx"
+ $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
 } Else {
- $Certificate = $null
+ $CertificateFile = $null
+ $CertificatePassword = $null
 }
- & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
+ & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER `
+ -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Move-Item .\dist\*.exe .\artifacts
 env:
 CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
diff --git a/scripts/package/win-common.ps1 b/scripts/package/win-common.ps1
index 1c8cc2b2e6..5add6e69c3 100644
--- a/scripts/package/win-common.ps1
+++ b/scripts/package/win-common.ps1
@@ -1,19 +1,27 @@
 # Common functions for Windows packaging scripts
 Param(
- [System.Security.Cryptography.X509Certificates.X509Certificate]
- $Certificate
+ [ValidateScript({ (Test-Path $_ -PathType Leaf) -or (-not $_) })]
+ [String]
+ $CertificateFile,
+ [SecureString]
+ $CertificatePassword
 )
+# RFC 3161 timestamp server for code signing
+$TimeStampServer = 'http://ts.ssl.com'
 Function CodeSignBinary {
 Param(
 [ValidateScript({Test-Path $_ -PathType Leaf})]
 [String]
 $BinaryPath
 )
- If ($Certificate) {
- Set-AuthenticodeSignature -FilePath $BinaryPath -Certificate $Certificate `
- -ErrorAction Stop
+ If ($CertificateFile) {
+ SignTool sign /v /fd SHA256 /tr "$TimeStampServer" /td sha256 `
+ /f "$CertificateFile" /p (ConvertFrom-SecureString -AsPlainText $CertificatePassword) `
+ $BinaryPath
+ ThrowOnExeError "SignTool failed"
 } Else {
 Write-Output "Skip signing $BinaryPath"
 }
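Review bot: The new `[ValidateScript({ (Test-Path $_ -PathType Leaf) -or (-not $_) })]` attribute on `$CertificateFile` evaluates `Test-Path` before the emptiness check, and `-or` short-circuits left to right; a `$null` argument to a `[String]` parameter is bound as an empty string, so if `Test-Path` rejects an empty path the validation script throws instead of returning `$true`, and the unsigned builds (the workflow's `Else` branches pass `$null`) would fail at parameter binding. Reversing the operands, `[ValidateScript({ (-not $_) -or (Test-Path $_ -PathType Leaf) })]`, lets the empty case short-circuit before Test-Path runs; the same attribute is repeated in the win-package-appx.ps1, win-package-installer.ps1 and win-package-portable.ps1 hunks. Separately, `ConvertFrom-SecureString -AsPlainText` exists only in PowerShell 7+, so CodeSignBinary will not run under Windows PowerShell 5.1; a comment on the Param block stating that requirement would save the next person a confusing failure. CodeSignBinary's closing brace is outside the hunk.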
diff --git a/scripts/package/win-package-appx.ps1 b/scripts/package/win-package-appx.ps1
index 7bf0d9d591..a381223257 100644
--- a/scripts/package/win-package-appx.ps1
+++ b/scripts/package/win-package-appx.ps1
@@ -1,9 +1,7 @@
 # Build a MSIX app package for Windows 10
 Param(
- [System.Security.Cryptography.X509Certificates.X509Certificate]
- $Certificate,
- [ValidateScript({Test-Path $_ -PathType Leaf})]
+ [ValidateScript({ (Test-Path $_ -PathType Leaf) -or (-not $_) })]
 [String]
 $CertificateFile,
 [SecureString]
@@ -25,7 +23,7 @@ If (-Not $Certificate -And $CertificateFile) {
 }
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Write-Output "Building Windows 10 app package..."
@@ -70,11 +68,4 @@ If ($CertificateFile -or $Certificate) {
 MakeAppx pack /o /h SHA256 /d $PackageDir /p $PackageFile
 ThrowOnExeError "MakeAppx failed"
-# Sign package
-If ($CertificateFile) {
- SignTool sign /fd SHA256 /f "$CertificateFile" /p (ConvertFrom-SecureString -AsPlainText $CertificatePassword) $PackageFile
- ThrowOnExeError "SignTool failed"
-} ElseIf ($Certificate) {
- SignTool sign /fd SHA256 /sha1 $Certificate.Thumbprint $PackageFile
- ThrowOnExeError "SignTool failed"
-}
+CodeSignBinary $PackageFile
diff --git a/scripts/package/win-package-installer.ps1 b/scripts/package/win-package-installer.ps1
index 5a075bb971..aa1d989cad 100644
--- a/scripts/package/win-package-installer.ps1
+++ b/scripts/package/win-package-installer.ps1
@@ -1,8 +1,11 @@
 # Build a Windows installer
 Param(
- [System.Security.Cryptography.X509Certificates.X509Certificate]
- $Certificate,
+ [ValidateScript({ (Test-Path $_ -PathType Leaf) -or (-not $_) })]
+ [String]
+ $CertificateFile,
+ [SecureString]
+ $CertificatePassword,
 [Int]
 $BuildNumber
 )
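Review bot: The hunk headers `If (-Not $Certificate -And $CertificateFile) {` and `If ($CertificateFile -or $Certificate) {` show two conditions in the untouched code between these hunks that still test `$Certificate`, while this diff removes it from the Param block; unless the file assigns it somewhere the diff does not show, those reads now hit an undefined variable (silently `$null` by default, a terminating error under `Set-StrictMode`). After checking the remaining body, both conditions should be reduced to `$CertificateFile` alone, or the file should assign `$Certificate` explicitly so the intent is visible. The code between the three appx hunks is outside the diff, so this is inferred from the header context only.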
@@ -16,7 +19,7 @@ If (-Not $BuildNumber) {
 }
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Write-Output "Building Windows installer..."
diff --git a/scripts/package/win-package-portable.ps1 b/scripts/package/win-package-portable.ps1
index 06345fbfe6..da5dc022ea 100644
--- a/scripts/package/win-package-portable.ps1
+++ b/scripts/package/win-package-portable.ps1
@@ -1,8 +1,11 @@
 # Build a portable app
 Param(
- [System.Security.Cryptography.X509Certificates.X509Certificate]
- $Certificate,
+ [ValidateScript({ (Test-Path $_ -PathType Leaf) -or (-not $_) })]
+ [String]
+ $CertificateFile,
+ [SecureString]
+ $CertificatePassword,
 [Int]
 $BuildNumber
 )
@@ -16,7 +19,7 @@ If (-Not $BuildNumber) {
 }
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 Write-Output "Building portable exe..."