@@ -135,10 +135,7 @@ jobs:
135135 runs-on : windows-latest
136136 needs : macos-build
137137 env :
138- JKS_B64 : ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
139- JKS_PASS : ${{ secrets.JARSIGNER_REL_STOREPASS }}
140- ALIAS : ${{ secrets.JARSIGNER_REL_ALIAS }}
141- PFX_PASS : ${{ secrets.JARSIGNER_REL_STOREPASS }}
138+ ARTIFACTS_PATH : extracted/Espressif-IDE
142139 steps :
143140 - uses : actions/checkout@v3
144141
@@ -148,7 +145,6 @@ jobs:
148145 name : espressif-ide-win32
149146 path : artifacts
150147
151-
152148 - name : Verify the downloaded file
153149 shell : pwsh
154150 run : |
@@ -160,97 +156,47 @@ jobs:
160156 Expand-Archive -Path artifacts\*.zip -DestinationPath extracted -Force
161157 ls .\artifacts\*
162158
163- - name : Decode base64-encoded JKS
164- run : |
165- # Restore JKS from secret
166- [IO.File]::WriteAllBytes("signing.jks",[Convert]::FromBase64String($env:JKS_B64))
167- if (-not (Test-Path "$PWD\signing.jks")) { throw "signing.jks not created" }
168-
169- - name : Verify JKS contains a PrivateKeyEntry (robust)
159+ - name : Install .NET 8 SDK and AzureSignTool
170160 shell : pwsh
171161 run : |
172- if (-not $env:ALIAS) { throw "ALIAS secret is empty. It must point to the PrivateKeyEntry alias." }
173-
174- $out = & "${env:JAVA_HOME}\bin\keytool.exe" -list -v `
175- -keystore "$PWD\signing.jks" `
176- -storepass $env:JKS_PASS `
177- -alias "$env:ALIAS" 2>&1
178-
179- if ($LASTEXITCODE -ne 0) {
180- $out | Write-Host
181- throw "Alias '$($env:ALIAS)' not found in keystore (or wrong store password)."
182- }
183- # Show a small excerpt (masking may hide values; that’s fine)
184- $out | Select-String -Pattern 'Alias name:|Entry type:|Certificate chain length' | ForEach-Object { $_.Line } | Write-Host
185- # IMPORTANT: treat output as ONE string before regex testing
186- $outText = ($out | Out-String)
187- if ($outText -notmatch 'Entry type:\s*PrivateKeyEntry') {
188- throw "Alias '$($env:ALIAS)' is not a PrivateKeyEntry (likely a trustedCertEntry)."
189- }
190-
191- - name : Convert JKS to PFX
162+ mkdir dotnet
163+ cd dotnet
164+ $dotnet_url="https://download.visualstudio.microsoft.com/download/pr/5af098e1-e433-4fda-84af-3f54fd27c108/6bd1c6e48e64e64871957289023ca590/dotnet-sdk-8.0.302-win-x64.zip"
165+ Invoke-WebRequest -Uri $dotnet_url -OutFile dotnet-sdk-8.0.302-win-x64.zip
166+ Expand-Archive -LiteralPath .\dotnet-sdk-8.0.302-win-x64.zip -DestinationPath .
167+ $Env:DOTNET_ROOT="$($(Get-Location).Path)\dotnet-sdk-8.0.302-win-x64"
168+ $Env:PATH="$Env:DOTNET_ROOT;$Env:PATH"
169+ $Env:DOTNET_SKIP_FIRST_TIME_EXPERIENCE=$true
170+ dotnet tool install --global AzureSignTool
171+ cd ..
172+
173+ - name : Sign EXE using AzureSignTool
192174 shell : pwsh
193175 run : |
194- if (($env:JKS_PASS).Length -lt 6) { throw "JKS_PASS must be at least 6 characters." }
195- if (($env:PFX_PASS).Length -lt 6) { throw "PFX_PASS must be at least 6 characters. " }
176+ $exePath = Join-Path $PWD "${{ env.ARTIFACTS_PATH }}\espressif-ide.exe"
177+ if (-not (Test-Path $exePath)) { throw "espressif-ide.exe not found at $exePath " }
196178
197- $kt = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
198-
199- $args = @(
200- '-importkeystore',
201- '-srckeystore', "$PWD\signing.jks",
202- '-srcstorepass', $env:JKS_PASS,
203- '-srcalias', $env:ALIAS,
204- '-srckeypass', $env:JKS_PASS,
205- '-destkeystore', "$PWD\cert.pfx",
206- '-deststoretype','PKCS12',
207- '-deststorepass',$env:PFX_PASS,
208- '-destkeypass', $env:PFX_PASS
209- )
210- & $kt @args
211- if (-not (Test-Path "$PWD\cert.pfx")) { throw "cert.pfx not created" }
212-
213- - name : Prove PFX has a private key (fail fast)
214- shell : pwsh
215- run : |
216- $dump = certutil -p $env:PFX_PASS -dump "$PWD\cert.pfx"
217- if ($dump -notmatch 'Private key is present:\s*Yes') {
218- Write-Host $dump
219- throw "Exported PFX lacks a private key. Check alias/passwords; your JKS may be a truststore."
220- }
221-
222- - name : Inspect the PFX file
223- shell : pwsh
224- run : |
225- certutil -p $env:PFX_PASS -dump cert.pfx
226-
227-
228- - name : Sign Windows Executable
229- shell : pwsh
230- run : |
231- $exe = Get-ChildItem -File -Recurse "$PWD\extracted\Espressif-IDE\espressif-ide.exe" | Select-Object -First 1
232- if (-not $exe) { throw "espressif-ide.exe not found under extracted\Espressif-IDE" }
233-
234- $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe |
235- Sort-Object FullName | Select-Object -First 1
236- if (-not $signtool) { throw "signtool.exe not found in Windows Kits" }
237-
238- & $signtool.FullName sign `
239- /debug /v `
240- /f "$PWD\cert.pfx" `
241- /p $env:PFX_PASS `
242- /tr http://timestamp.digicert.com `
243- /td sha256 `
244- /fd sha256 `
245- "$($exe.FullName)"
179+ $Env:DOTNET_ROOT="$PWD\dotnet\dotnet-sdk-8.0.302-win-x64"
180+ $Env:PATH="$Env:DOTNET_ROOT;$Env:PATH"
181+
182+ AzureSignTool.exe sign `
183+ -kvu "${{ secrets.AZURE_KEYVAULT_URI }}" `
184+ -kvc "${{ secrets.AZURE_KEYVAULT_CERT_NAME }}" `
185+ -kvi "${{ secrets.AZURE_CLIENT_ID }}" `
186+ -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" `
187+ --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" `
188+ -tr http://timestamp.globalsign.com/tsa/advanced `
189+ -td sha256 `
190+ "$exePath"
246191
247192 - name : Verify Signature
193+ shell : pwsh
248194 run : |
249- $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\ espressif-ide.exe | Select-Object -First 1
195+ $exePath = Join-Path $PWD "${{ env.ARTIFACTS_PATH }}\ espressif-ide.exe"
250196 $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Recurse -Name "signtool.exe" | Select-Object -First 1
251197 & "C:\Program Files (x86)\Windows Kits\$signtool" verify `
252198 /pa `
253- $exe.FullName
199+ "$exePath"
254200
255201 - name : Removing original ZIP from extracted folder
256202 run : |
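Review bot: The toolchain that produces the release signature is fetched unpinned and unverified in the "Install .NET 8 SDK and AzureSignTool" step: the SDK zip pulled with `Invoke-WebRequest` is never checksummed and `dotnet tool install --global AzureSignTool` takes whatever version NuGet currently serves, so the binary that receives the Key Vault credentials can change underneath the workflow. Pin it with `dotnet tool install --global AzureSignTool --version <PINNED_VERSION>` and compare the downloaded zip with `Get-FileHash` against a recorded SHA-256 (or replace the manual download with `actions/setup-dotnet`), as sketched below. The "Sign EXE using AzureSignTool" step also interpolates the Key Vault secrets straight into the script via `${{ secrets.* }}`; passing them through the step's `env:` and referencing `$env:AZURE_CLIENT_SECRET` etc. keeps the script free of expression substitution and matches the `env:`-based pattern the removed JKS steps used. Separately, the "Verify Signature" path contains a space after the backslash (`\ espressif-ide.exe`), unlike the sign step's `\espressif-ide.exe`, so unless that is a rendering artefact `signtool verify` is pointed at a file that does not exist and the verification no longer guards the artifact. The job definition starts before this hunk.
```yaml
      - name: Install .NET 8 SDK and AzureSignTool
        shell: pwsh
        env:
          # placeholders: record the real values when pinning
          AZURESIGNTOOL_VERSION: "<PINNED_AZURESIGNTOOL_VERSION>"
          DOTNET_SDK_SHA256: "<SHA256_OF_dotnet-sdk-8.0.302-win-x64.zip>"
        run: |
          # … unchanged: mkdir/cd and Invoke-WebRequest of $dotnet_url …
          $actual = (Get-FileHash .\dotnet-sdk-8.0.302-win-x64.zip -Algorithm SHA256).Hash
          if ($actual -ne $env:DOTNET_SDK_SHA256) { throw "dotnet SDK checksum mismatch: $actual" }
          # … unchanged: Expand-Archive and DOTNET_ROOT/PATH setup …
          dotnet tool install --global AzureSignTool --version $env:AZURESIGNTOOL_VERSION
```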
@@ -263,6 +209,7 @@ jobs:
263209 failOnError : false
264210
265211 - name : Upload Signed Windows ZIP
212+ if : ${{ !cancelled() }}
266213 uses : actions/upload-artifact@v4
267214 with :
268215 name : espressif-ide-win32
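Review bot: With `if: ${{ !cancelled() }}` the "Upload Signed Windows ZIP" step now also runs after a failed sign or verify step, so a build whose `espressif-ide.exe` was never signed, or failed `signtool verify`, is still published under the artifact name `espressif-ide-win32`. Dropping the `if:` restores the default `success()` gate that keeps the upload dependent on every prior step; if the intent was only to tolerate the best-effort ZIP cleanup step, that step already carries `failOnError: false` and should not need this relaxation. The step's `with:` block appears to continue past the end of this hunk.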