Merge pull request #746 from Backblaze/windows-sign
Sign Windows bundle
mlech-reef committed Sep 14, 2021
2 parents 2cf782e + 7a1dd7a commit 3f85ff5
Showing 3 changed files with 84 additions and 27 deletions.
20 changes: 16 additions & 4 deletions .github/workflows/cd.yml
Expand Up @@ -64,6 +64,8 @@ jobs:
B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD }}
B2_OSX_NOTARY_NAME: ${{ secrets.B2_OSX_NOTARY_NAME }}
B2_OSX_NOTARY_PASSWORD: ${{ secrets.B2_OSX_NOTARY_PASSWORD }}
B2_WINDOWS_CODE_SIGNING_CERTIFICATE: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
Expand All @@ -82,23 +84,33 @@ jobs:
- name: Bundle the distribution
id: bundle
run: nox -vs bundle
- name: Import certificate
- name: (macOS) Import certificate
if: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'macOS' }}
uses: apple-actions/import-codesign-certs@v1
with:
p12-file-base64: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE }}
p12-password: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD }}
- name: Sign the bundle
- name: (macOS) Sign the bundle
if: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'macOS' }}
run: nox -vs sign -- --sign '${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE_NAME }}'
- name: Notarize the bundle
run: nox -vs sign -- '${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE_NAME }}'
- name: (macOS) Notarize the bundle
if: ${{ env.B2_OSX_NOTARY_NAME != '' && runner.os == 'macOS' }}
uses: devbotsxyz/xcode-notarize@v1
with:
product-path: ${{ steps.bundle.outputs.asset_path }}
appstore-connect-username: ${{ env.B2_OSX_NOTARY_NAME }}
appstore-connect-password: ${{ env.B2_OSX_NOTARY_PASSWORD }}
primary-bundle-id: com.backblaze.b2
- name: (Windows) Import certificate
id: windows_import_cert
if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'Windows' }}
uses: timheuer/base64-to-file@v1
with:
fileName: 'cert.pfx'
encodedString: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
- name: (Windows) Sign the bundle
if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'Windows' }}
run: nox -vs sign -- '${{ steps.windows_import_cert.outputs.filePath }}' '${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}'
- name: Upload the distribution to GitHub
uses: actions/upload-release-asset@v1
with:
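Review bot: The `(Windows) Import certificate` step reads the certificate with `${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}` although its own `if:` guard, the job-level `env`, and the macOS counterpart all go through `env.` — `encodedString: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}` keeps one source of truth, matching `p12-file-base64` above it. Separately, `(Windows) Sign the bundle` expands the signing password straight into the `run:` line; since the job already exports it as an environment variable, reading it from the shell instead — `run: nox -vs sign -- '${{ steps.windows_import_cert.outputs.filePath }}' "$env:B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD"` (assuming the runner's default pwsh shell) — keeps the secret out of the rendered script and stops a value containing a quote from breaking the command. Nothing deletes `cert.pfx` once signing is done; a closing step with `if: always()` that removes `${{ steps.windows_import_cert.outputs.filePath }}` is cheap insurance on any runner that is not discarded after the job. The `steps` list continues past the end of the hunk.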
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added
* Sign Windows binary

### Changed
* Download instruction in README.md (wording suggested by https://github.com/philh7456)
* Make Linux binary statically linked
88 changes: 65 additions & 23 deletions noxfile.py
Expand Up @@ -38,6 +38,9 @@
OSX_BUNDLE_IDENTIFIER = 'com.backblaze.b2'
OSX_BUNDLE_ENTITLEMENTS = 'contrib/macos/entitlements.plist'

WINDOWS_TIMESTAMP_SERVER = 'http://timestamp.digicert.com'
WINDOWS_SIGNTOOL_PATH = 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe'

nox.options.reuse_existing_virtualenvs = True
nox.options.sessions = [
'lint',
Expand Down Expand Up @@ -207,30 +210,69 @@ def bundle(session):

@nox.session(python=False)
def sign(session):
"""Sign the bundled distribution (OSX only)."""
system = platform.system().lower()

if system != 'darwin':
session.skip('signing process is for OSX only')
"""Sign the bundled distribution (macOS and Windows only)."""

def sign_darwin(cert_name):
session.run('security', 'find-identity', external=True)
session.run(
'codesign',
'--deep',
'--force',
'--verbose',
'--timestamp',
'--identifier',
OSX_BUNDLE_IDENTIFIER,
'--entitlements',
OSX_BUNDLE_ENTITLEMENTS,
'--options',
'runtime',
'--sign',
cert_name,
'dist/b2',
external=True
)
session.run('codesign', '--verify', '--verbose', 'dist/b2', external=True)

def sign_windows(cert_file, cert_password):
session.run('certutil', '-f', '-p', cert_password, '-importpfx', cert_file)
session.run(
WINDOWS_SIGNTOOL_PATH,
'sign',
'/f',
cert_file,
'/p',
cert_password,
'/tr',
WINDOWS_TIMESTAMP_SERVER,
'/td',
'sha256',
'/fd',
'sha256',
'dist/b2.exe',
external=True
)
session.run(WINDOWS_SIGNTOOL_PATH, 'verify', '/pa', '/all', 'dist/b2.exe', external=True)

session.run('security', 'find-identity', external=True)
session.run(
'codesign',
'--deep',
'--force',
'--verbose',
'--timestamp',
'--identifier',
OSX_BUNDLE_IDENTIFIER,
'--entitlements',
OSX_BUNDLE_ENTITLEMENTS,
'--options',
'runtime',
*session.posargs,
'dist/b2',
external=True
)
session.run('codesign', '--verify', '--verbose', 'dist/b2', external=True)
if SYSTEM == 'darwin':
try:
certificate_name, = session.posargs
except ValueError:
session.error('pass the certificate name as a positional argument')
return

sign_darwin(certificate_name)
elif SYSTEM == 'windows':
try:
certificate_file, certificate_password = session.posargs
except ValueError:
session.error('pass the certificate file and the password as positional arguments')
return

sign_windows(certificate_file, certificate_password)
elif SYSTEM == 'linux':
session.skip('signing is not supported for Linux')
else:
session.error('unrecognized platform: {}'.format(SYSTEM))


@nox.session(python=PYTHON_DEFAULT_VERSION)
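Review bot: `sign_windows` imports the PFX into the runner's certificate store with `certutil -f -p ... -importpfx` and then also passes the same file and password to signtool through `/f` and `/p`, so the import does no work for the signing call and leaves the private key in the store after the session ends, which persists beyond the job on any runner that is not discarded; either drop the `certutil` call or, if the import is needed for a reason not visible here, have signtool select the imported certificate and remove it from the store afterwards. That `certutil` call is also the only `session.run` in the hunk without `external=True`; it presumably passes because the session is declared with `python=False`, but the inconsistency reads like an oversight. `WINDOWS_SIGNTOOL_PATH` pins SDK build `10.0.17763.0`, so a runner-image update fails the signing step with a bare not-found error — a comment such as `# pinned to the SDK build present on the CI runner image; update together with the image` would make the coupling explicit, or the path could be resolved at runtime. The `return` after each `session.error(...)` is unreachable since `session.error` raises, and `SYSTEM` is not defined in the hunks shown, so it is presumably set elsewhere in the file.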
