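# Prepares the working tree for signing: downloads the unsigned Windows object
# directories (arm64 and x86_64) of one GitHub Actions run into windsign-temp.
#   -SignIdentity : certificate subject name later handed to `signtool.exe sign /n`.
#   -GithubRunId  : id of the workflow run whose artifacts `gh run download` fetches.
param(
    [Parameter(Mandatory=$true)]
    [string]$SignIdentity,

    # Digits only, so the value can never be parsed as an option by `gh`.
    [Parameter(Mandatory=$true)]
    [ValidatePattern('^\d+$')]
    [string]$GithubRunId
)

$ErrorActionPreference = "Stop"

echo "Preparing environment"
mkdir windsign-temp -ErrorAction SilentlyContinue

# Download in parallel
# show output too
# NOTE: the clone below is disabled, so windsign-temp\windows-binaries has to be
# checked out by hand before this script is run.
#Start-Job -Name "DownloadGitObjectsRepo" -ScriptBlock {
#    param($PWD)
#    echo "Downloading git objects repo to $PWD\windsign-temp\windows-binaries"
#    git clone https://github.com/zen-browser/windows-binaries.git $PWD\windsign-temp\windows-binaries
#    echo "Downloaded git objects repo to"
#} -Verbose -ArgumentList $PWD -Debug

# $ErrorActionPreference = "Stop" only covers cmdlet errors. By default a native
# program that exits non-zero does not stop the script, so each exit code is
# checked explicitly; otherwise a failed download would be followed by signing
# and publishing stale or incomplete files.
foreach ($arch in "arm64", "x86_64") {
    gh run download $GithubRunId --name "windows-x64-obj-$arch" -D "windsign-temp\windows-x64-obj-$arch"
    if ($LASTEXITCODE -ne 0) {
        throw "gh run download failed for $arch (exit code $LASTEXITCODE)"
    }
    echo "Downloaded $arch artifacts"
}

#Wait-Job -Name "DownloadGitObjectsRepo"
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue

surfer -- ci --brand release
if ($LASTEXITCODE -ne 0) {
    throw "surfer ci failed (exit code $LASTEXITCODE)"
}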
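# Signs every .exe and .dll of one architecture's object directory, runs the
# packaging step, and moves the results into
# windsign-temp\windows-binaries\windows-x64-signed-<name>.
#   $name : "arm64" or "x86_64"; selects the downloaded artifact directory and
#           the names of the output files.
# Reads $SignIdentity from the script scope. Throws when signing or packaging
# fails, so unsigned binaries are never packaged.
function SignAndPackage($name) {
    echo "Executing on $name"

    # Move-Item renames its source when the destination does not exist, so without
    # this directory the final move would not place the output in a parent folder.
    if (-not (Test-Path windsign-temp\windows-binaries -PathType Container)) {
        throw "windsign-temp\windows-binaries does not exist; check out the binaries repository first"
    }

    rmdir .\dist -Recurse -ErrorAction SilentlyContinue
    rmdir engine\obj-x86_64-pc-windows-msvc\ -Recurse -ErrorAction SilentlyContinue
    cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse

    echo "Signing $name"
    # Collect all .exe and .dll files into a list of full paths
    $files = @(Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -File -Include *.exe, *.dll |
        ForEach-Object { $_.FullName })
    if ($files.Count -eq 0) {
        throw "No .exe or .dll files found to sign for $name"
    }

    # NOTE(review): /t requests a legacy Authenticode timestamp. signtool also offers
    # RFC 3161 timestamping (/tr <url> /td sha256); confirm the timestamp service
    # supports it before switching.
    signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
    # A native exit code does not trigger $ErrorActionPreference = "Stop" by default.
    # signtool returns 1 on failure and 2 when it finished with warnings; both
    # stop the release here so they get looked at.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed for $name (exit code $LASTEXITCODE); refusing to package"
    }

    echo "Packaging $name"
    $env:SURFER_SIGNING_MODE="sign"
    $env:MAR="..\\build\\winsign\\mar.exe"

    # Everything that differs between the two architectures is decided once here.
    if ($name -eq "arm64") {
        $env:SURFER_COMPAT="aarch64"
        $marName = "windows-$name.mar"
        $installerName = "zen.installer-$name.exe"
        $zipPattern = ".\dist\*.en-US.win64-aarch64.zip"
        $zipName = "zen.win-arm64.zip"
    } else {
        $env:SURFER_COMPAT="x86_64"
        $marName = "windows.mar"
        $installerName = "zen.installer.exe"
        $zipPattern = ".\dist\*.en-US.win64.zip"
        $zipName = "zen.win-$name.zip"
    }
    echo "Compat Mode? $env:SURFER_COMPAT"

    npm run package -- --verbose
    if ($LASTEXITCODE -ne 0) {
        throw "npm run package failed for $name (exit code $LASTEXITCODE)"
    }

    # In the release script, we do the following:
    #   tar -xvf .github/workflows/object/windows-x64-signed-x86_64.tar.gz -C windows-x64-signed-x86_64
    # We need to create a tar with the same structure and no top-level directory
    # Inside, we need:
    #   - update_manifest/*
    #   - windows.mar
    #   - zen.installer.exe
    #   - zen.win-x86_64.zip
    echo "Creating tar for $name"
    rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
    mkdir windsign-temp\windows-x64-signed-$name

    # Move the MAR, add the `-arm64` suffix if needed
    echo "Moving MAR for $name"
    mv .\dist\output.mar windsign-temp\windows-x64-signed-$name\$marName

    # Move the installer
    echo "Moving installer for $name"
    mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\$installerName

    # Move the zip
    echo "Moving zip for $name"
    mv (Get-Item $zipPattern) windsign-temp\windows-x64-signed-$name\$zipName

    # Extract the zip, sign everything inside, and repackage it (currently disabled)
    #Expand-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name.zip -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name
    #rm windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
    #$files = Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.exe
    #$files += Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.dll
    #signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
    #Compress-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
    rmdir windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -ErrorAction SilentlyContinue

    # Move the manifest
    mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest

    echo "Invoking tar for $name"
    # note: We need to sign it into a parent folder, called windows-x64-signed-$name
    rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
    mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force

    echo "Finished $name"
}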
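# Sign and package both architectures, publish the result to the binaries
# repository, then remove the downloaded object directories.
SignAndPackage arm64
SignAndPackage x86_64
echo "All artifacts signed and packaged, ready for release!"

echo "Committing the changes to the repository"
# git searches parent directories for a repository. Without its own .git here,
# the signed artifacts would be committed to and pushed from whatever
# repository encloses the working directory.
if (-not (Test-Path windsign-temp\windows-binaries\.git)) {
    throw "windsign-temp\windows-binaries is not a git checkout; nothing was committed"
}

Push-Location windsign-temp\windows-binaries
try {
    # Native exit codes are checked by hand: a failed commit or push must not be
    # reported as a finished release.
    git add .
    if ($LASTEXITCODE -ne 0) { throw "git add failed (exit code $LASTEXITCODE)" }

    git commit -m "Sign and package windows artifacts"
    if ($LASTEXITCODE -ne 0) { throw "git commit failed (exit code $LASTEXITCODE)" }

    git push
    if ($LASTEXITCODE -ne 0) { throw "git push failed (exit code $LASTEXITCODE)" }
} finally {
    # Return to the starting directory even when one of the git steps throws.
    Pop-Location
}

# Cleaning up
echo "All done!"
echo "All the artifacts (x86_64 and arm64) are signed and packaged, get a rest now!"
Read-Host "Press Enter to continue"

echo "Cleaning up"
rmdir windsign-temp\windows-x64-obj-x86_64 -Recurse -ErrorAction SilentlyContinue
rmdir windsign-temp\windows-x64-obj-arm64 -Recurse -ErrorAction SilentlyContinue

echo "Opening visual studio code"
code .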