From 2d98d7873ca1e609d029377ee3360129277a2dba Mon Sep 17 00:00:00 2001
From: Petr Gadorek
Date: Fri, 28 Nov 2025 07:31:29 +0100
Subject: [PATCH 1/2] reenabling the windows binaries signing process in the CI pipeline
---
.github/workflows/build.yaml | 104 +++++++++++++++++------------------
1 file changed, 52 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ebeb4929..200a1b2f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -360,24 +360,24 @@ jobs: zip -r eim.zip eim shell: bash - # - name: Sign Windows Binary - # if: runner.os == 'Windows' - # env: - # WINDOWS_PFX_FILE: ${{ secrets.WIN_CERTIFICATE }} - # WINDOWS_PFX_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PWD }} - # run: | - # echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII - # certutil -decode cert.b64 cert.pfx - # Remove-Item cert.b64 - # $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | - # Sort-Object FullName -Descending | - # Select-Object -First 1 - - # if (-not $signtool) { - # Write-Error "signtool.exe not found on the runner" - # exit 1 - # } - # & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/eim.exe + - name: Sign Windows Binary + if: runner.os == 'Windows' + env: + WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} + WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + run: | + echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII + certutil -decode cert.b64 cert.pfx + Remove-Item cert.b64 + $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | + Sort-Object FullName -Descending | + Select-Object -First 1 + + if (-not $signtool) { + Write-Error "signtool.exe not found on the runner" + exit 1 + } + & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/eim.exe - name: Codesign macOS Binary if: startsWith(matrix.os, 'macos') 
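Review bot: The decoded signing key is left on disk in this step: `certutil -decode cert.b64 cert.pfx` writes the PFX to a relative path and only `cert.b64` is removed afterwards, so the private key stays in the working directory for every later step. The third hunk (the step after `yarn tauri build`) repeats the same pattern. Whether a later packaging or upload step could pick the file up is not visible here, but a key file in the workspace is easy to include in an artifact by accident. I would decode into `$env:RUNNER_TEMP` and delete the file in a `finally` once signing is done, as sketched below, with each signing step decoding its own copy. A `signtool verify /pa` on the signed file before upload would also catch a step that signed nothing.

```yaml
        run: |
          $b64 = Join-Path $env:RUNNER_TEMP 'cert.b64'
          $pfx = Join-Path $env:RUNNER_TEMP 'cert.pfx'
          try {
            $env:WINDOWS_PFX_FILE | Out-File -FilePath $b64 -Encoding ASCII
            certutil -decode $b64 $pfx
            # … unchanged: signtool.exe lookup and not-found check …
            & $signtool.FullName sign /f $pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/eim.exe
            if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
          } finally {
            # Remove the key material even when decoding or signing fails
            Remove-Item $b64, $pfx -ErrorAction SilentlyContinue
          }
```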
@@ -477,21 +477,21 @@ jobs: zip -r offline_installer_builder.zip offline_installer_builder shell: bash - # - name: Sign Windows offline_installer_builder Binary - # if: runner.os == 'Windows' - # env: - # WINDOWS_PFX_FILE: ${{ secrets.WIN_CERTIFICATE }} - # WINDOWS_PFX_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PWD }} - # run: | - # $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | - # Sort-Object FullName -Descending | - # Select-Object -First 1 - - # if (-not $signtool) { - # Write-Error "signtool.exe not found on the runner" - # exit 1 - # } - # & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/offline_installer_builder.exe + - name: Sign Windows offline_installer_builder Binary + if: runner.os == 'Windows' + env: + WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} + WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + run: | + $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | + Sort-Object FullName -Descending | + Select-Object -First 1 + + if (-not $signtool) { + Write-Error "signtool.exe not found on the runner" + exit 1 + } + & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/offline_installer_builder.exe - name: Codesign macOS offline_installer_builder Binary if: startsWith(matrix.os, 'macos') 
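Review bot: This step signs with `/f cert.pfx` but never decodes the certificate, so it only works if the file written by the earlier "Sign Windows Binary" step is still in the working directory; the `WINDOWS_PFX_FILE` secret it declares is not read anywhere in the `run` block. That makes the step depend on key material deliberately left on disk and hands the certificate secret to a step that does not use it. Whether both steps run in the same job cannot be confirmed from the hunk; if they do not, the signing call would fail for lack of the file. Either decode the certificate in this step as well and remove it afterwards, or delete the unused `WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }}` line and add a comment such as `# relies on cert.pfx written by the "Sign Windows Binary" step earlier in this job`.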
@@ -657,25 +657,25 @@ jobs: APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.APP_INSIGHTS_CONNECTION_STRING }} run: yarn tauri build - # - name: Sign Windows Binary - # if: runner.os == 'Windows' - # env: - # WINDOWS_PFX_FILE: ${{ secrets.WIN_CERTIFICATE }} - # WINDOWS_PFX_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PWD }} - # run: | - # echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII - # certutil -decode cert.b64 cert.pfx - # Remove-Item cert.b64 - # $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | - # Sort-Object FullName -Descending | - # Select-Object -First 1 - - # if (-not $signtool) { - # Write-Error "signtool.exe not found on the runner" - # exit 1 - # } - - # & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 .\src-tauri\target\release\eim.exe + - name: Sign Windows Binary + if: runner.os == 'Windows' + env: + WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} + WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + run: | + echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII + certutil -decode cert.b64 cert.pfx + Remove-Item cert.b64 + $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | + Sort-Object FullName -Descending | + Select-Object -First 1 + + if (-not $signtool) { + Write-Error "signtool.exe not found on the runner" + exit 1 + } + + & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 .\src-tauri\target\release\eim.exe - name: Handle Linux artifacts if: startsWith(matrix.os, 'ubuntu') From 7344fa26fcebc33c704d237f4b7580539c998e3e Mon Sep 17 00:00:00 2001 From: Petr Gadorek Date: Fri, 28 Nov 2025 07:56:14 +0100 Subject: [PATCH 2/2] removed password --- .github/workflows/build.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 200a1b2f..804daf7f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -364,7 +364,7 @@ jobs: if: runner.os == 'Windows' env: WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} - WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + WINDOWS_PFX_PASSWORD: "" run: | echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII certutil -decode cert.b64 cert.pfx @@ -377,7 +377,7 @@ jobs: Write-Error "signtool.exe not found on the runner" exit 1 } - & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/eim.exe + & $signtool.FullName sign /f cert.pfx /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/eim.exe - name: Codesign macOS Binary if: startsWith(matrix.os, 'macos') @@ -481,7 +481,7 @@ jobs: if: runner.os == 'Windows' env: WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} - WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + WINDOWS_PFX_PASSWORD: "" run: | $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | Sort-Object FullName -Descending | @@ -491,7 +491,7 @@ jobs: Write-Error "signtool.exe not found on the runner" exit 1 } - & $signtool.FullName sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/offline_installer_builder.exe + & $signtool.FullName sign /f cert.pfx /tr http://timestamp.digicert.com /td sha256 /fd sha256 release_cli/${{ matrix.package_name }}/offline_installer_builder.exe - name: Codesign macOS offline_installer_builder Binary if: startsWith(matrix.os, 'macos') 
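Review bot: Dropping `/p` from the two signtool lines implies the PFX stored in `GLOBALSIGN_PFX_BASE64` has no password, so the base64 secret, and the `cert.pfx` decoded onto the runner, is by itself a usable signing key. If the certificate can be re-exported with a password, keeping `/p $env:WINDOWS_PFX_PASSWORD` backed by a repository secret means a leaked file or secret value alone is not enough to sign. If the password-less export is intended, the `WINDOWS_PFX_PASSWORD: ""` lines in both steps here (and in the last hunk of this patch) are dead configuration and should be deleted rather than left as an empty variable. A comment such as `# PFX is exported without a password; access to GLOBALSIGN_PFX_BASE64 is the only protection` would make that choice visible to the next maintainer.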
@@ -661,7 +661,7 @@ jobs: if: runner.os == 'Windows' env: WINDOWS_PFX_FILE: ${{ secrets.GLOBALSIGN_PFX_BASE64 }} - WINDOWS_PFX_PASSWORD: ${{ secrets.GLOBALSIGN_PFX_PASSWORD }} + WINDOWS_PFX_PASSWORD: "" run: | echo $env:WINDOWS_PFX_FILE | Out-File -FilePath cert.b64 -Encoding ASCII certutil -decode cert.b64 cert.pfx
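Review bot: The GUI signing step is left inconsistent by this patch: the hunk sets `WINDOWS_PFX_PASSWORD: ""`, but no hunk touches that step's signtool line, which after PATCH 1/2 still reads `sign /f cert.pfx /p $env:WINDOWS_PFX_PASSWORD /tr ...` (the diffstat's five changes are all accounted for in the visible hunks). With the variable empty, `/p` has no value of its own, and signtool will probably take the following `/tr` token as the password or fail outright. The command lies outside this hunk. It needs the same edit as the two CLI steps, i.e. remove `/p $env:WINDOWS_PFX_PASSWORD` from the line ending in `.\src-tauri\target\release\eim.exe`.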