Add certificate to sign files

2023-07-12 17:38:55 +02:00 · 2023-07-12 17:38:55 +02:00 · 747b509a0c
commit 747b509a0c
parent 8916b0c348
6 changed files with 49 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -13,6 +13,7 @@ jobs:
    env:
      solution: AmagnoVirtualPrinter.sln
      configuration: Release
+      certificatepassword: ${{ secrets.CERTIFICATEPASSWORD }}
    steps:
    - name: Checkout
      uses: actions/checkout@v3
@ -24,8 +25,11 @@ jobs:
      run: msbuild $env:solution /m /t:Restore /p:Configuration=$env:configuration
    - name: Build solution
      run: msbuild $env:solution /m /t:Rebuild /p:Configuration=$env:configuration
-    - name: Create msi from PowerShell Script
+    - name: Create msi with PowerShell Script
      run: pwsh -command ".\$GITHUB_WORKSPACE\create_msi.ps1"
+    - name: Sign msi with PowerShell Script
+      shell: powershell
+      run: .\$GITHUB_WORKSPACE\sign_files.ps1 -Path .\$GITHUB_WORKSPACE\Files -CertPath .\$GITHUB_WORKSPACE\codeSigningCert.pfx -CertPwd $env:SUPER_SECRET
    - name: Upload files artifact
      uses: actions/upload-artifact@v3
      with:
--- a/.gitignore
+++ b/.gitignore
@ -236,7 +236,6 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
 *.publishsettings
 orleans.codegen.cs

--- a/codeSigningCert.pfx
+++ b/codeSigningCert.pfx
--- a/create_msi.ps1
+++ b/create_msi.ps1
@ -1,5 +1,5 @@
 Set-Location $PSScriptRoot

-$args = "/MSBUILD:$PSScriptRoot\Installer\AmagnoVirtualPrinter.WixSharpInstaller", "/p:$PSScriptRoot"
+$arguments = "/MSBUILD:$PSScriptRoot\Installer\AmagnoVirtualPrinter.WixSharpInstaller", "/p:$PSScriptRoot"
 Remove-Item -Path "$PSScriptRoot\Files\*" -Filter '*.pdb' -Force
-Start-Process -FilePath "$PSScriptRoot\Files\AmagnoPrinterInstaller.exe" -ArgumentList $args -wait
+Start-Process -FilePath "$PSScriptRoot\Files\AmagnoPrinterInstaller.exe" -ArgumentList $arguments -wait
--- a/sign_files.ps1
+++ b/sign_files.ps1
@ -0,0 +1,26 @@
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory=$true)]
+    [String]
+    $path,
+    [Parameter(Mandatory=$true)]
+    [String]
+    $certPath,
+    [Parameter(Mandatory=$true)]
+    [String]
+    $certPwd
+)
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath, $certPwd)
+
+$files = Get-ChildItem -Path $path | 
+    Where-Object { $_.Extension -in '.dll', '.exe' } |
+    Select-Object -ExpandProperty FullName | 
+    Get-AuthenticodeSignature | 
+    Where-Object { $_.Status -eq "NotSigned" } | 
+    Select-Object -ExpandProperty Path
+
+foreach($file in $files){
+    Write-Host "Signing... $file"
+    Set-AuthenticodeSignature $file -Certificate $cert -TimestampServer "http://timestamp.digicert.com"
+}
--- a/sign_setup.ps1
+++ b/sign_setup.ps1
@ -0,0 +1,16 @@
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory=$true)]
+    [String]
+    $certPath,
+    [Parameter(Mandatory=$true)]
+    [String]
+    $certPwd
+)
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath, $certPwd)
+
+$file = "AmagnoPrinterInstaller.msi"
+
+Write-Host "Signing... $file"
+Set-AuthenticodeSignature $file -Certificate $cert -TimestampServer "http://timestamp.digicert.com"