Sign Installer #21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sign Installer | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| sign-installer: | |
| runs-on: windows-2022 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # - name: Set up OpenSSL | |
| # run: sudo apt-get install openssl | |
| # - name: Sign installer | |
| # run: | | |
| # # download the installer from the given URL | |
| # curl -L -o windows-installer-latest.exe https://storage.googleapis.com/github-release-files-storage/latest/windows-installer-latest.exe | |
| # # decode the private key and certificate chain from secrets | |
| # echo "${{ secrets.CODE_SIGN_CERT }}" > code_sign_cert.pem | |
| # echo "${{ secrets.CODE_SIGN_PRIVATE_KEY }}" > code_sign_private_key.pem | |
| # echo "${{ secrets.CODE_CA_BUNDLE_CERT }}" > code_ca_bundle_cert.pem | |
| # # verify | |
| # openssl verify -verbose -CAfile code_ca_bundle_cert.pem code_sign_cert.pem | |
| # # sign | |
| # openssl smime -sign -in windows-installer-latest.exe -out windows-installer-latest.signed.exe -inkey code_sign_private_key.pem -signer code_sign_cert.pem -outform DER -nodetach | |
| - name: Sign installer | |
| shell: cmd | |
| run: | | |
| REM Download the installer from the given URL | |
| curl -L -o windows-installer-latest.exe https://storage.googleapis.com/github-release-files-storage/latest/windows-installer-latest.exe | |
| (for /f "delims=" %%A in ("${{ secrets.CODE_SIGN_CERT }}") do @echo %%A) > 2.pem | |
| cat 2.pem | |
| REM echo "${{ secrets.CODE_SIGN_CERT }}" > code_sign_cert.pem | |
| REM REM Decode the private key and certificate chain from secrets | |
| REM powershell -command "$env:CODE_SIGN_CERT='${{ secrets.CODE_SIGN_CERT }}'; Set-Content -Path code_sign_cert.pem -Value $env:CODE_SIGN_CERT" | |
| REM powershell -command "$env:CODE_SIGN_PRIVATE_KEY='${{ secrets.CODE_SIGN_PRIVATE_KEY }}'; Set-Content -Path code_sign_private_key.pem -Value $env:CODE_SIGN_PRIVATE_KEY" | |
| REM powershell -command "$env:CODE_CA_BUNDLE_CERT='${{ secrets.CODE_CA_BUNDLE_CERT }}'; Set-Content -Path code_ca_bundle_cert.pem -Value $env:CODE_CA_BUNDLE_CERT" | |
| REM REM Verify the certificate chain | |
| REM openssl verify -verbose -CAfile code_ca_bundle_cert.pem code_sign_cert.pem | |
| REM REM Sign the installer | |
| REM openssl smime -sign -in windows-installer-latest.exe -out windows-installer-latest.signed.exe -inkey code_sign_private_key.pem -signer code_sign_cert.pem -outform DER -nodetach | |
| # - name: Authenticate with Google Cloud | |
| # uses: google-github-actions/auth@v1 | |
| # with: | |
| # credentials_json: ${{ secrets.GOOGLE_STORAGE_UPLOAD_KEY }} | |
| # - name: Set up Google Cloud | |
| # uses: google-github-actions/setup-gcloud@v1 | |
| # with: | |
| # project_id: github-file-storage | |
| # # - name: Upload program files to Google Cloud | |
| # # run: | | |
| # # cd "$HOME" | |
| # # # init vars | |
| # # BUCKET_NAME="${{ env.BUCKET_NAME }}" | |
| # # PINNED_FOLDER_NAME="${{ env.RELEASE_VERSION }}" | |
| # # LATEST_FOLDER_NAME="latest" | |
| # # PINNED_FILE_NAME="macos-${{ env.RELEASE_VERSION }}.tar.xz" | |
| # # LATEST_FILE_NAME="macos-latest.tar.xz" | |
| # # # # upload release pinned version | |
| # # # # feb 2025 - disabled to save sapce on github and reduce monthly costs | |
| # # # gsutil cp -r $PINNED_FILE_NAME gs://$BUCKET_NAME/$PINNED_FOLDER_NAME/$PINNED_FILE_NAME | |
| # # # upload latest release version | |
| # # gsutil cp -r $PINNED_FILE_NAME gs://$BUCKET_NAME/$LATEST_FOLDER_NAME/$LATEST_FILE_NAME | |
| # - name: Upload installer to Google Cloud | |
| # run: | | |
| # INSTALLER="AddaxAI-${{ env.RELEASE_VERSION }}-installer.zip" | |
| # gsutil cp -r windows-installer-latest.signed.exe gs://github-release-files-storage-beta-versions/latest/windows-installer-latest.signed.exe | |