Skip to content

Commit

Permalink
ci: use key locker to sign neuron for windows (#2913)
Browse files Browse the repository at this point in the history
  • Loading branch information
@Keith-CY
Keith-CY authored Oct 30, 2023
1 parent f3cc18a commit ba66f8d
Show file tree
Hide file tree
Showing 4 changed files with 86 additions and 15 deletions.
35 changes: 33 additions & 2 deletions .github/workflows/package.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,39 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"

- name: Setup Certificate
if: matrix.os == 'windows-2019'
run: |
echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
shell: bash

- name: Set variables
if: matrix.os == 'windows-2019'
run: |
echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
shell: bash

- name: Setting up the client tools
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
run: |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
msiexec /i smtools-windows-x64.msi /quiet /qn
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
shell: cmd

- name: Certificates Sync
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
run: |
smctl windows certsync
shell: cmd

- name: Install libudev
if: matrix.os == 'ubuntu-20.04'
run: |
Expand Down Expand Up @@ -88,8 +121,6 @@ jobs:
bash ./scripts/release.sh win
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }}
CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }}

- name: Package for Linux
if: matrix.os == 'ubuntu-20.04'
Expand Down
47 changes: 34 additions & 13 deletions .github/workflows/package_for_test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,39 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"

- name: Setup Certificate
if: matrix.os == 'windows-2019'
run: |
echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
shell: bash

- name: Set variables
if: matrix.os == 'windows-2019'
run: |
echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
shell: bash

- name: Setting up the client tools
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
run: |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
msiexec /i smtools-windows-x64.msi /quiet /qn
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
shell: cmd

- name: Certificates Sync
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
run: |
smctl windows certsync
shell: cmd

- name: Install libudev
if: matrix.os == 'ubuntu-20.04'
run: |
Expand Down Expand Up @@ -101,19 +134,7 @@ jobs:
SKIP_NOTARIZE: true

- name: Package for Windows
if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 != '' }}
run: |
bash ./scripts/download-ckb.sh win
yarn build
bash ./scripts/copy-ui-files.sh
bash ./scripts/package-for-test.sh win
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }}
CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }}

- name: Package for Windows for skip code sign
if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 == '' }}
if: matrix.os == 'windows-2019'
run: |
bash ./scripts/download-ckb.sh win
yarn build
Expand Down
3 changes: 3 additions & 0 deletions packages/neuron-wallet/electron-builder.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ win:
- target: nsis
arch:
- x64
sign: scripts/customSign.js
signingHashAlgorithms:
- sha256

mac:
artifactName: "${productName}-v${version}-${os}-${arch}.${ext}"
Expand Down
16 changes: 16 additions & 0 deletions packages/neuron-wallet/scripts/customSign.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
const { execSync } = require('node:child_process')

exports.default = async configuration => {
if (!process.env.SM_API_KEY) {
console.info(`Skip signing because SM_API_KEY and not configured`)
return
}

if (!configuration.path) {
throw new Error(`Path of application is not found`)
}

execSync(`smctl sign --keypair-alias="${process.env.SM_KEYPAIR_NAME}" --input "${String(configuration.path)}"`, {
stdio: 'inherit',
})
}

1 comment on commit ba66f8d

@github-actions
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Packaging for test is done in 6687114167

Please sign in to comment.