From 338ae7a70808635a2a9b7d01a9ad97aad177abcf Mon Sep 17 00:00:00 2001
From: Steve Hannah
Date: Sun, 25 Feb 2024 07:13:05 -0800
Subject: [PATCH] Added EV windows codesign to release workflow
---
 .github/workflows/maven.yml | 2 ++
 release.sh | 42 +++++++++++++++++++++-------------
 scripts/windows-ev-codesign.sh | 36 +++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 16 deletions(-)
 create mode 100644 scripts/windows-ev-codesign.sh
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 7bc75aa..a395a21 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -57,4 +57,6 @@ jobs:
 JDEPLOY_MAC_DEVELOPER_ID: ${{ secrets.APPLE_ID }}
 AUTHENTICODE_SPC: ${{ secrets.AUTHENTICODE_SPC }}
 AUTHENTICODE_KEY: ${{ secrets.AUTHENTICODE_KEY }}
+ EV_CODESIGN_SUBMITTER_PRIVATE_KEY: ${{ secrets.EV_CODESIGN_SUBMITTER_PRIVATE_KEY }}
+ EV_CODESIGN_PROCESSOR_PUBLIC_KEY: ${{ secrets.EV_CODESIGN_PROCESSOR_PUBLIC_KEY }}
 run: bash release.sh
diff --git a/release.sh b/release.sh
index 3dae0f5..50b0c47 100644
--- a/release.sh
+++ b/release.sh
@@ -65,22 +65,32 @@ done
 # jdeploy/bundles/windows/jdeploy-installer.exe
-echo "------------------- About to Sign Windows Installer --------------------------"
-echo "$AUTHENTICODE_SPC" | base64 --decode > authenticode.spc
-echo "$AUTHENTICODE_KEY" | base64 --decode > authenticode.key
-
-osslsigncode \
- -spc authenticode.spc \
- -key authenticode.key \
- -t http://timestamp.digicert.com \
- -in jdeploy/bundles/windows/jdeploy-installer.exe \
- -out jdeploy/bundles/windows/jdeploy-installer-signed.exe \
- -n "jDeploy Application Installer" \
- -i https://www.jdeploy.com
-
-mv jdeploy/bundles/windows/jdeploy-installer-signed.exe jdeploy/bundles/windows/jdeploy-installer.exe
-rm authenticode.spc
-rm authenticode.key
+if [ ! -z "$EV_CODESIGN_SUBMITTER_PRIVATE_KEY" ] && [ ! -z "$EV_CODESIGN_PROCESSOR_PUBLIC_KEY" ]; then
+ mkdir -p ~/.jdeploy-codesigner/private
+ echo "------------------- About to Sign Windows Installer with EV Cert --------------------------"
+ echo "$EV_CODESIGN_SUBMITTER_PRIVATE_KEY" > ~/.jdeploy-codesigner/processor-public-key.pem
+ echo "$EV_CODESIGN_PROCESSOR_PUBLIC_KEY" > ~/.jdeploy-codesigner/private/submitter-private-key.pem
+ bash $SCRIPTPATH/scripts/windows-ev-codesign.sh jdeploy/bundles/windows/jdeploy-installer.exe jdeploy/bundles/windows/jdeploy-installer-signed.exe
+ mv jdeploy/bundles/windows/jdeploy-installer-signed.exe jdeploy/bundles/windows/jdeploy-installer.exe
+ rm -rf ~/.jdeploy-codesigner
+else
+ echo "------------------- About to Sign Windows Installer with OV Cert --------------------------"
+ echo "$AUTHENTICODE_SPC" | base64 --decode > authenticode.spc
+ echo "$AUTHENTICODE_KEY" | base64 --decode > authenticode.key
+
+ osslsigncode \
+ -spc authenticode.spc \
+ -key authenticode.key \
+ -t http://timestamp.digicert.com \
+ -in jdeploy/bundles/windows/jdeploy-installer.exe \
+ -out jdeploy/bundles/windows/jdeploy-installer-signed.exe \
+ -n "jDeploy Application Installer" \
+ -i https://www.jdeploy.com
+
+ mv jdeploy/bundles/windows/jdeploy-installer-signed.exe jdeploy/bundles/windows/jdeploy-installer.exe
+ rm authenticode.spc
+ rm authenticode.key
+fi
 echo "------------------- About to Make Installer Templates --------------------------"
diff --git a/scripts/windows-ev-codesign.sh b/scripts/windows-ev-codesign.sh
new file mode 100644
index 0000000..7e0ea59
--- /dev/null
+++ b/scripts/windows-ev-codesign.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Define the URL of the .tgz file
+TAR_URL="https://github.com/shannah/winevcodesign-releases/releases/download/master/winevcodesign-0.0.0-master.tgz"
+# Define the name of the downloaded file
+TAR_FILE="winevcodesign-0.0.0-master.tgz"
+# Define the extraction directory
+EXTRACT_DIR="winevcodesign"
+
+INPUT_FILE="$1"
+
+OUTPUT_FILE="$2"
+
+# Download the .tgz file using curl. You can use wget if you prefer.
+curl -o "$TAR_FILE" "$TAR_URL"
+
+# Alternatively, if you prefer wget, uncomment the following line and comment out the curl command above.
+# wget -O "$TAR_FILE" "$TAR_URL"
+
+# Create the extraction directory
+mkdir -p "$EXTRACT_DIR"
+
+# Extract the .tgz file
+tar -xvzf "$TAR_FILE" -C "$EXTRACT_DIR"
+
+# Navigate to the directory containing the JAR file
+cd "$EXTRACT_DIR/package/jdeploy-bundle"
+
+# Run the Java application
+$JAVA_HOME/bin/java -jar winevcodesign-1.0-SNAPSHOT.jar \
+ sign "$INPUT_FILE" "$OUTPUT_FILE"
+
+# Clean up by removing the downloaded and extracted files
+cd ../../..
+rm -rf "$EXTRACT_DIR"
+rm "$TAR_FILE"
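Review bot: In the EV branch of release.sh the two `echo` lines write each secret to the other one's file: `$EV_CODESIGN_SUBMITTER_PRIVATE_KEY` lands in `~/.jdeploy-codesigner/processor-public-key.pem`, outside the `private/` directory, and the processor public key lands in `private/submitter-private-key.pem`. Swap the variables, i.e. `echo "$EV_CODESIGN_PROCESSOR_PUBLIC_KEY" > ~/.jdeploy-codesigner/processor-public-key.pem` and `echo "$EV_CODESIGN_SUBMITTER_PRIVATE_KEY" > ~/.jdeploy-codesigner/private/submitter-private-key.pem`. The key files are created with the default umask, and the `rm -rf` is skipped if the script aborts in between (for instance under `set -e`, which is not visible in this hunk), so a `umask 077` before the `mkdir` and `trap 'rm -rf "$HOME/.jdeploy-codesigner"' EXIT` would keep the private key from being left readable on the runner. The same applies to `authenticode.key` in the OV branch, which is still entered with empty `AUTHENTICODE_*` values when neither set of secrets is configured. `$SCRIPTPATH` should be quoted in the `bash` call.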
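Review bot: scripts/windows-ev-codesign.sh downloads a tarball from the mutable `master` release URL and runs the jar inside it while the EV signing keys are on disk, without checking a digest; pin `TAR_URL` to an immutable release and verify a SHA-256 before `tar`. The `curl -o` call has neither `-f` nor `-L`, so an HTTP error page, or the redirect that GitHub release-asset URLs normally answer with, would be saved as the tarball. `INPUT_FILE` and `OUTPUT_FILE` are the relative paths release.sh passes, but `java` runs after `cd "$EXTRACT_DIR/package/jdeploy-bundle"`, so they would be resolved against that directory unless the tool does its own resolution. Nothing checks exit codes, so a failed `cd` still reaches `cd ../../..` and `rm -rf`; `set -euo pipefail` at the top covers that. The digest in the sketch below is a placeholder to be filled in for the pinned release.

```shell
#!/bin/bash
set -euo pipefail

# ... unchanged: TAR_URL (pin to an immutable release), TAR_FILE, EXTRACT_DIR ...
# Placeholder: replace with the SHA-256 of the pinned release tarball.
TAR_SHA256="<sha256-of-pinned-tarball>"

# Resolve to absolute paths before the cd below changes the working directory.
INPUT_FILE="$(realpath -- "$1")"
OUTPUT_FILE="$(realpath -- "$2")"

# -f fails on HTTP errors; -L follows the release-asset redirect.
curl -fsSL -o "$TAR_FILE" "$TAR_URL"
printf '%s  %s\n' "$TAR_SHA256" "$TAR_FILE" | sha256sum -c -

# ... unchanged: mkdir, tar, cd into the bundle directory ...
"$JAVA_HOME/bin/java" -jar winevcodesign-1.0-SNAPSHOT.jar \
    sign "$INPUT_FILE" "$OUTPUT_FILE"
# ... unchanged: cleanup ...
```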