Sign Installer #31
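# Manually triggered workflow: downloads the latest Windows installer, checks
# the signing certificate against the CA bundle, and writes a signed copy
# using OpenSSL.
name: Sign Installer

on:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
permissions:
  contents: read

jobs:
  sign-installer:
    runs-on: windows-2022
    steps:
      - name: Checkout repository
        # NOTE(review): v3 is a mutable tag; pin to a full commit SHA so the
        # code that runs next to the signing key cannot change silently.
        uses: actions/checkout@v3
        with:
          # No later step pushes, so do not leave the token in .git/config.
          persist-credentials: false

      # - name: Set up OpenSSL
      #   run: sudo apt-get install openssl

      - name: Write multiline secrets to pem files
        shell: pwsh
        # Secrets are passed through the environment instead of being pasted
        # into the script text, so their content is never parsed by PowerShell
        # (no quote termination, no `$`/backtick expansion) and does not end up
        # in the generated script file on the runner.
        env:
          CODE_SIGN_CERT: ${{ secrets.CODE_SIGN_CERT }}
          CODE_SIGN_PRIVATE_KEY: ${{ secrets.CODE_SIGN_PRIVATE_KEY }}
          CODE_CA_BUNDLE_CERT: ${{ secrets.CODE_CA_BUNDLE_CERT }}
        run: |
          Set-Content -Path code_sign_cert.pem -Value $env:CODE_SIGN_CERT
          Set-Content -Path code_sign_private_key.pem -Value $env:CODE_SIGN_PRIVATE_KEY
          Set-Content -Path code_ca_bundle_cert.pem -Value $env:CODE_CA_BUNDLE_CERT

      - name: Sign installer
        shell: pwsh
        run: |
          # Download the installer from the given URL
          Invoke-WebRequest -Uri "https://storage.googleapis.com/github-release-files-storage/latest/windows-installer-latest.exe" -OutFile "windows-installer-latest.exe"

          # Log the digest of the exact bytes that are about to be signed.
          # NOTE(review): "latest" is a mutable object, so this job signs
          # whatever the bucket currently holds. Compare this digest against
          # one published by the build that produced the installer before
          # signing.
          (Get-FileHash -Algorithm SHA256 -Path windows-installer-latest.exe).Hash

          # Verify the certificate
          openssl verify -verbose -CAfile code_ca_bundle_cert.pem code_sign_cert.pem
          # By default pwsh does not stop when a native command exits non-zero;
          # without this check a failed verification would still proceed to
          # signing and only the last command's exit code would be reported.
          if ($LASTEXITCODE -ne 0) { throw "Certificate verification failed (openssl exit code $LASTEXITCODE)" }

          # Sign the installer
          # NOTE(review): `openssl smime -sign -nodetach -outform DER` writes a
          # PKCS#7 SignedData blob that wraps the installer; it is not an
          # Authenticode signature, so Windows will not treat the output as a
          # signed executable. Without `-binary` OpenSSL also canonicalises
          # line endings in the input, which alters binary content. Confirm the
          # intended output format.
          openssl smime -sign -in windows-installer-latest.exe -out windows-installer-latest.signed.exe -inkey code_sign_private_key.pem -signer code_sign_cert.pem -outform DER -nodetach
          if ($LASTEXITCODE -ne 0) { throw "Signing failed (openssl exit code $LASTEXITCODE)" }

      - name: Remove key material from the runner
        # Runs even when an earlier step fails, so the private key is not left
        # in the workspace where a later upload/artifact step could pick it up.
        if: always()
        shell: pwsh
        run: |
          Remove-Item -Force -ErrorAction SilentlyContinue -Path code_sign_private_key.pem, code_sign_cert.pem, code_ca_bundle_cert.pem

      # NOTE(review): the commented-out debug steps below write secrets to a
      # file and then print it (Get-Content / type / cat). Log masking of
      # multi-line secrets is not reliable; delete them rather than re-enable.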
# - name: Sign installer | |
# run: | | |
# REM download the installer from the given URL | |
# curl -L -o windows-installer-latest.exe https://storage.googleapis.com/github-release-files-storage/latest/windows-installer-latest.exe | |
# REM verify | |
# openssl verify -verbose -CAfile code_ca_bundle_cert.pem code_sign_cert.pem | |
# REM sign | |
# openssl smime -sign -in windows-installer-latest.exe -out windows-installer-latest.signed.exe -inkey code_sign_private_key.pem -signer code_sign_cert.pem -outform DER -nodetach | |
# - name: Write multiline secret to txt file | |
# shell: pwsh | |
# run: | | |
# Set-Content -Path myfile.txt -Value "${{ secrets.MULTILINE_SECRET_DEBUG }}" | |
# Get-Content myfile.txt | |
# - name: Write multiline secret to txt file | |
# shell: cmd | |
# run: | | |
# @echo off | |
# setlocal EnableDelayedExpansion | |
# echo ${{ secrets.MULTILINE_SECRET_DEBUG }} > myfile.txt | |
# type myfile.txt | |
# - name: write multiline secret to txt file | |
# shell: cmd | |
# run: | | |
# printf "%s" "${{ secrets.MULTILINE_SECRET_DEBUG }}" > myfile.txt | |
# cat myfile.txt | |
# - name: Sign installer | |
# shell: cmd | |
# run: | | |
# REM Download the installer from the given URL | |
# curl -L -o windows-installer-latest.exe https://storage.googleapis.com/github-release-files-storage/latest/windows-installer-latest.exe | |
# REM (for /f "delims=" %%A in ("${{ secrets.CODE_SIGN_CERT }}") do @echo %%A) > 2.pem | |
# REM cat 2.pem | |
# REM echo "${{ secrets.CODE_SIGN_CERT }}" > code_sign_cert.pem | |
# REM REM Decode the private key and certificate chain from secrets | |
# REM powershell -command "$env:CODE_SIGN_CERT='${{ secrets.CODE_SIGN_CERT }}'; Set-Content -Path code_sign_cert.pem -Value $env:CODE_SIGN_CERT" | |
# REM powershell -command "$env:CODE_SIGN_PRIVATE_KEY='${{ secrets.CODE_SIGN_PRIVATE_KEY }}'; Set-Content -Path code_sign_private_key.pem -Value $env:CODE_SIGN_PRIVATE_KEY" | |
# REM powershell -command "$env:CODE_CA_BUNDLE_CERT='${{ secrets.CODE_CA_BUNDLE_CERT }}'; Set-Content -Path code_ca_bundle_cert.pem -Value $env:CODE_CA_BUNDLE_CERT" | |
# REM REM Verify the certificate chain | |
# REM openssl verify -verbose -CAfile code_ca_bundle_cert.pem code_sign_cert.pem | |
# REM openssl verify -verbose -CAfile ${{ secrets.CODE_CA_BUNDLE_CERT }} ${{ secrets.CODE_SIGN_CERT }} | |
# REM REM Sign the installer | |
# REM openssl smime -sign -in windows-installer-latest.exe -out windows-installer-latest.signed.exe -inkey code_sign_private_key.pem -signer code_sign_cert.pem -outform DER -nodetach | |
# printf "%s" "${{ secrets.CODE_CA_BUNDLE_CERT }}" > myfile.txt | |
# cat myfile.txt | |
# - name: Authenticate with Google Cloud | |
# uses: google-github-actions/auth@v1 | |
# with: | |
# credentials_json: ${{ secrets.GOOGLE_STORAGE_UPLOAD_KEY }} | |
# - name: Set up Google Cloud | |
# uses: google-github-actions/setup-gcloud@v1 | |
# with: | |
# project_id: github-file-storage | |
# # - name: Upload program files to Google Cloud | |
# # run: | | |
# # cd "$HOME" | |
# # # init vars | |
# # BUCKET_NAME="${{ env.BUCKET_NAME }}" | |
# # PINNED_FOLDER_NAME="${{ env.RELEASE_VERSION }}" | |
# # LATEST_FOLDER_NAME="latest" | |
# # PINNED_FILE_NAME="macos-${{ env.RELEASE_VERSION }}.tar.xz" | |
# # LATEST_FILE_NAME="macos-latest.tar.xz" | |
# # # # upload release pinned version | |
# # # # feb 2025 - disabled to save space on github and reduce monthly costs
# # # gsutil cp -r $PINNED_FILE_NAME gs://$BUCKET_NAME/$PINNED_FOLDER_NAME/$PINNED_FILE_NAME | |
# # # upload latest release version | |
# # gsutil cp -r $PINNED_FILE_NAME gs://$BUCKET_NAME/$LATEST_FOLDER_NAME/$LATEST_FILE_NAME | |
# - name: Upload installer to Google Cloud | |
# run: | | |
# INSTALLER="AddaxAI-${{ env.RELEASE_VERSION }}-installer.zip" | |
# gsutil cp -r windows-installer-latest.signed.exe gs://github-release-files-storage-beta-versions/latest/windows-installer-latest.signed.exe | |