diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 2580d098000..75be770d754 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -66,41 +66,55 @@ jobs: $dir = Split-Path $signtool.FullName Add-Content -Path $env:GITHUB_PATH -Value $dir - - name: Write certificate file for signing - if: ${{ runner.os == 'Windows' }} - shell: powershell - env: - DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} + - name: Decode DigiCert client auth certificate + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: bash run: | - [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + + - name: Setup DigiCert Software Trust Manager + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + uses: digicert/code-signing-software-trust-action@v1 + env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - name: Sign binaries for Windows - # Disabled for now since the current flow isn't working. 
- if: false - #if: ${{ runner.os == 'Windows' }} - shell: powershell + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: pwsh env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12 + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx' - - $signtool = Get-Command signtool.exe -ErrorAction Stop - - $files = @( - (Join-Path $targetDir 'spacetimedb-update.exe'), - (Join-Path $targetDir 'spacetimedb-cli.exe'), - (Join-Path $targetDir 'spacetimedb-standalone.exe') - ) + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + Write-Host "Signing $exe..." + & smctl sign --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path + if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" } + Write-Host "$exe signed successfully" + } - foreach ($file in $files) { - & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file - & $signtool.Path verify /v /pa $file + - name: Verify signatures + if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }} + shell: pwsh + run: | + $ErrorActionPreference = 'Stop' + $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' + foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) { + $path = Join-Path $targetDir $exe + & signtool.exe verify /v /pa $path + if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" } } - name: Package (unix)
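Review bot: The new "Decode DigiCert client auth certificate" step interpolates `${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` directly into the bash `run:` body, whereas the step it replaces passed the secret through `env:`; expression interpolation writes the secret into the generated script, which is the pattern GitHub advises against for `run:` steps, so prefer `env:` / `SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` on the step and `printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12` in the script. The decoded `Certificate_pkcs12.p12` is also never deleted once the Sign and Verify steps finish; an `if: always()` cleanup step that removes it would keep the client certificate from outliving the job on a self-hosted runner. Finally, the removed signtool call passed an explicit RFC 3161 timestamp (`/tr http://timestamp.digicert.com /td SHA256`) and I cannot tell from this hunk whether `smctl sign` timestamps by default — worth confirming, since an untimestamped signature stops validating once the certificate expires and `signtool verify /v /pa` in the new Verify step does not require a timestamp to be present.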