author | RJ Ryan <rryan@mixxx.org> | 2020-07-08 23:08:25 -0700 |
---|---|---|
committer | Be <be@mixxx.org> | 2020-08-01 18:33:31 -0500 |
commit | 07f46bd72f8fb71760908c88e668524c06a933ce (patch) | |
tree | 5f7a665177c95a2272bea30015e85d6df9961fd8 /appveyor.yml | |
parent | 0cf2ee06970022f14b3a76b7c354191840c67415 (diff) |
Add a PKCS12 Windows code signing certificate and sign exe/msi artifacts.
This certificate is encrypted with AppVeyor's "secure files" tool:
https://www.appveyor.com/docs/how-to/secure-files/
The secret, salt and password in appveyor.yml are encrypted with
AppVeyor's repository-specific public key. During AppVeyor builds, the
environment variables are set to the decrypted values of the secret,
salt, and password, which allows us to decrypt the PKCS12 file and then
decrypt the private key within the PKCS12 file.
The private key in the PKCS12 file itself is encrypted with
PBE-SHA1-3DES, since apparently Windows does not support AES.
Diffstat (limited to 'appveyor.yml')
-rw-r--r-- | appveyor.yml | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/appveyor.yml b/appveyor.yml
index abdd789c35..d6bc12c1bb 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -165,7 +165,13 @@ for:
 ENVIRONMENTS_PATH: C:\mixxx-buildserver
 MSVC_PATH: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community"
 PATH: 'C:\Python37-x64;C:\Python37-x64\Scripts;%PATH%'
-
+ CODESIGN_CERTIFICATE_PATH: build\certificates\windows_sectigo_codesign_certificate.pfx
+ CODESIGN_CERTIFICATE_SECURE_FILE_SECRET:
+ secure: 1xzNVbLop/5/ySSgZxPzyOz5cm8nVMLEIEW4x0XOJjI=
+ CODESIGN_CERTIFICATE_SECURE_FILE_SALT:
+ secure: tw+bg3qfia7+WQdBdXtC301Z9Dv7yQ6SwpWcFJav9YC4zwyyGztev6pAbGE93sln4VO0WRCJ+4/KTviBMPXvXQ==
+ CODESIGN_CERTIFICATE_PASSWORD:
+ secure: EiAsLAgrsS+N3rr71AAkXPCrxIe2vLvlOvCipnTw6pg=
 
 install:
 - set /P ENVIRONMENT_NAME=<build/windows/golden_environment
@@ -183,6 +189,13 @@ for:
 )
 - choco install ninja
 - python -m pip install git+https://github.com/frerich/clcache.git
+ # Decrypt the code signing certificate.
+ - ps: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
+ - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+ appveyor-tools\secure-file -decrypt %CODESIGN_CERTIFICATE_PATH%.enc -secret %CODESIGN_CERTIFICATE_SECURE_FILE_SECRET% -salt %CODESIGN_CERTIFICATE_SECURE_FILE_SALT%
+ ) else (
+ echo "Skipping certificate decryption because we are in a pull request."
+ )
 
 before_build:
 - FOR /D %%G IN (%WINLIB_PATH%\Qt-*) DO SET QT_PATH=%%G
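Review bot: The secure-file installer is fetched from a mutable branch reference (`.../secure-file/master/install.ps1`) and executed with `iex` with no integrity check, on the same build host that immediately afterwards decrypts the code signing certificate and holds the secret, salt and password in its environment; anyone able to alter that upstream file gets code execution with access to the decrypted .pfx. Pin the download to a specific commit or release asset and verify a known hash before running it, e.g. `https://raw.githubusercontent.com/appveyor/secure-file/<PINNED_COMMIT>/install.ps1` (placeholder), or vendor the tool into the repository and call it from there. The `secure-file -decrypt` step also passes the secret and salt as command-line arguments, so they are visible in process listings and may be echoed with their expanded values into the build log by cmd.exe; I can't tell from here whether AppVeyor masks them, so that is worth confirming. The pull-request guard is sound only because AppVeyor withholds `secure:` variables from PR builds, which deserves a one-line comment next to the `IF` so nobody later "fixes" it.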
@@ -235,8 +248,18 @@ for:
 ..
 - cmake --build .
 - cmake --build . --target install
+ - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+ signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.exe
+ ) else (
+ echo "Skipping codesigning *.exe because we are in a pull request."
+ )
 # Generate WIX installer
 - cpack -G "WIX"
+ - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+ signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.msi
+ ) else (
+ echo "Skipping codesigning *.msi because we are in a pull request."
+ )
 
 test_script:
 # Calling mixxx-test under bash to have standard output and use stdbuf to |
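Review bot: Both `signtool sign` invocations (the `*.exe` step and the `*.msi` step in this hunk) specify neither a file digest algorithm nor a timestamp: without `/fd`, signtool defaults to a SHA-1 file digest (newer SDK versions warn about exactly this), which Windows treats as deprecated for Authenticode, and without a timestamp the signatures stop validating once the certificate expires, so already-shipped installers would start presenting as unsigned. Suggest `signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% /fd SHA256 /tr <TIMESTAMP_SERVER_URL> /td SHA256 *.exe` (placeholder URL; use the issuing CA's RFC 3161 service) and the same for `*.msi`. The certificate password is passed via `/p` on the command line, and cmd.exe echoes each command into the AppVeyor log unless echo is off, so it is worth confirming the expanded value is masked there. The wildcards also sign every .exe and .msi in the build directory, including any test binaries, which looks intended but deserves a comment saying so.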