Merge pull request #326 from autonomys/sign-both-msi-and-bundle

Sign both outer bundle and inner installer on Windows
autonomys · Nov 10, 2024 · bd3468f · bd3468f
2 parents a13d3f7 + 6f28fc6
commit bd3468f
Showing 1 changed file with 27 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -321,24 +321,43 @@ jobs:
 
           # TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271
           # & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK
-          
+
           cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture
-          # Create bundle with Microsoft Visual C++ Redistributable in it
-          Remove-Item target\wix\space-acres.wixobj -Confirm:$false
-          cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
 
           Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
         if: runner.os == 'Windows'
 
-      - name: Sign Application (Windows)
+      - name: Sign installer (Windows)
         run: |
           $ErrorActionPreference = "Stop"
-          
+
           dotnet tool install --global AzureSignTool
 
-          (Get-ChildItem -Path target\wix -Include space-acres-*.exe -Recurse) | ForEach-Object {
+          (Get-ChildItem -Path target\wix -Include space-acres-*.msi) | ForEach-Object {
             Write("Signing $($_)");
-          
+
+            AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
+          }
+        # Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
+        continue-on-error: ${{ github.repository_owner != 'autonomys' || github.event_name != 'push' || github.ref_type != 'tag' }}
+        if: runner.os == 'Windows'
+
+      - name: Create bundle (Windows)
+        run: |
+          # Create a bundle with Microsoft Visual C++ Redistributable in it
+          Remove-Item target\wix\space-acres.wixobj -Confirm:$false
+          cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
+        if: runner.os == 'Windows'
+
+      - name: Sign bundle (Windows)
+        run: |
+          $ErrorActionPreference = "Stop"
+
+          dotnet tool install --global AzureSignTool
+
+          (Get-ChildItem -Path target\wix -Include space-acres-*.exe) | ForEach-Object {
+            Write("Signing $($_)");
+
             AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
           }
         # Allow code signing to fail on non-release builds and in non-autonomys repos (forks)