chore: codesigning for releases

2025-12-12 10:17:22 +01:00 · 2023-06-29 13:28:32 +02:00 · 2023-06-29 13:28:32 +02:00 · 875ca915b6
commit 875ca915b6
parent 98bdec1e34
2 changed files with 76 additions and 0 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -29,6 +29,11 @@ jobs:
        run: .\build.ps1 compile
      - name: Test Dalamud
        run: .\build.ps1 test
+      - name: Sign Dalamud
+        env:
+          CODESIGN_CERT_PFX: ${{ secrets.CODESIGN_CERT_PFX }}
+          CODESIGN_CERT_PASSWORD: ${{ secrets.CODESIGN_CERT_PASSWORD }}
+        run: .\sign.ps1 .\bin\Release
      - name: Create hashlist
        run: .\CreateHashList.ps1 .\bin\Release
      - name: Upload artifact
--- a/sign.ps1
+++ b/sign.ps1
@ -0,0 +1,71 @@
+# Get the certificate and password from environment variables
+$certificateBase64 = $env:CODESIGN_CERT_PFX
+$certificatePassword = $env:CODESIGN_CERT_PASSWORD
+
+# Write the certificate to a file
+$certificatePath = Join-Path -Path $env:TEMP -ChildPath 'certificate.pfx'
+$certificateBytes = [Convert]::FromBase64String($certificateBase64)
+[System.IO.File]::WriteAllBytes($certificatePath, $certificateBytes)
+
+# Define the function to find the path to signtool.exe
+function Get-SignToolPath {
+    # Array of common installation directories for Windows SDK
+    $sdkInstallationDirs = @(
+        "$env:ProgramFiles (x86)\Windows Kits\10\bin\x64",
+        "$env:ProgramFiles\Windows Kits\10\bin\x64",
+        "$env:ProgramFiles (x86)\Windows Kits\10\App Certification Kit"
+    )
+
+    foreach ($dir in $sdkInstallationDirs) {
+        $path = Join-Path -Path $dir -ChildPath 'signtool.exe'
+        #Write-Host $path
+        if (Test-Path -Path $path) {
+            return $path
+        }
+    }
+
+    throw "Could not find signtool.exe. Make sure the Windows SDK is installed."
+}
+
+# Find the path to signtool.exe
+$signtoolPath = Get-SignToolPath
+
+# Define the function to code-sign a file
+function Sign-File {
+    param (
+        [Parameter(Mandatory=$true)]
+        [String]$FilePath
+    )
+
+    # Check if the file is already code-signed
+    $signature = Get-AuthenticodeSignature -FilePath $FilePath -ErrorAction SilentlyContinue
+    if ($signature.status -ne "NotSigned") {
+        Write-Host "File '$FilePath' is already code-signed. Skipping."
+        return
+    }
+
+    # Code-sign the file using signtool
+    Write-Host "Code-signing file '$FilePath'..."
+    & $signtoolPath sign /tr http://timestamp.digicert.com /td sha256 /v /fd sha256 /f $certificatePath /p $certificatePassword $FilePath
+}
+
+# Define the function to recursively code-sign files in a directory
+function Sign-FilesRecursively {
+    param (
+        [Parameter(Mandatory=$true)]
+        [String]$DirectoryPath
+    )
+
+    Write-Host $DirectoryPath
+
+    # Get all exe and dll files recursively
+    dir $DirectoryPath -recurse | where {$_.extension -in ".exe",".dll"} | ForEach-Object {
+        Sign-File -FilePath $_.FullName
+    }
+}
+
+# Usage: Provide the directory path as an argument to sign files recursively
+Sign-FilesRecursively -DirectoryPath $args[0]
+
+# Remove the temporary certificate file
+Remove-Item -Path $certificatePath