GitHub Actions: Add support for windows codesigning

mixxxdj · Nov 25, 2020 · b121053 · b121053
1 parent 7e52cb8
commit b121053
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -92,6 +92,8 @@ jobs:
       APPLE_CODESIGN_IDENTITY: 2C2B5D3EDCE82BA55E22E9A67F16F8D03E390870
       MACOS_CODESIGN_OPENSSL_PASSWORD: ${{ secrets.MACOS_CODESIGN_OPENSSL_PASSWORD }}
       MACOS_CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_PASSWORD }}
+      WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SALT: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SALT }}
+      WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SECRET: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SECRET }}
 
     runs-on: ${{ matrix.os }}
     name: ${{ matrix.name }}
@@ -140,9 +142,18 @@ jobs:
         security set-key-partition-list -S "apple-tool:,apple:" -k mixxx Mixxx.keychain
         # Add keychain to search list
         security list-keychains -s Mixxx.keychain
+        echo "CMAKE_ARGS_EXTRA=${CMAKE_ARGS_EXTRA} -DAPPLE_CODESIGN_IDENTITY=${APPLE_CODESIGN_IDENTITY}" >> "${GITHUB_ENV}"
 
-        CMAKE_ARGS="-DAPPLE_CODESIGN_IDENTITY=${APPLE_CODESIGN_IDENTITY}"
-        echo "::set-output name=cmake_args::${CMAKE_ARGS}"
+    - name: "[Windows] Set up Windows code signing"
+      if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SALT != null && env.WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SECRET != null
+      run: |
+        iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
+        appveyor-tools/secure-file -decrypt "%WINDOWS_CODESIGN_CERTIFICATE_PATH%" -secret "%WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SECRET%" -salt "%WINDOWS_CODESIGN_CERTIFICATE_SECURE_FILE_SALT%"
+        Add-Content -Path "%GITHUB_ENV%" -Value "WINDOWS_CODESIGN_ARGS=/f %WINDOWS_CODESIGN_CERTIFICATE_PATH% /p %WINDOWS_CODESIGN_CERTIFICATE_PASSWORD%"
+        Add-Content -Path "%GITHUB_ENV%" -Value "CMAKE_ARGS_EXTRA=%CMAKE_ARGS_EXTRA% -DWINDOWS_CODESIGN=ON -DWINDOWS_CODESIGN_ARGS=%WINDOWS_CODESIGN_ARGS%"
+      env:
+        WINDOWS_CODESIGN_CERTIFICATE_PATH: ${{ github.workspace }}\mixxx.pfx
+        WINDOWS_CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD }}
 
     - name: "Set up build environment"
       id: buildenv
@@ -179,7 +190,7 @@ jobs:
         -DCMAKE_BUILD_TYPE=Release
         "-DCMAKE_PREFIX_PATH=${{ env.CMAKE_PREFIX_PATH }}"
         -DDEBUG_ASSERTIONS_FATAL=ON
-        -DQt5_DIR=${{ env.QT_PATH }} ${{ matrix.cmake_args }} ${{ steps.apple_codesign.outputs.cmake_args }}
+        -DQt5_DIR=${{ env.QT_PATH }} ${{ matrix.cmake_args }} ${{ env.CMAKE_ARGS_EXTRA }}
         -DBATTERY=ON
         -DBROADCAST=ON
         -DBULK=ON
@@ -243,6 +254,11 @@ jobs:
       run: codesign --verbose=4 --options runtime --sign "${APPLE_CODESIGN_IDENTITY}" --entitlements ../build/osx/entitlements.plist *.dmg
       working-directory: cmake_build
 
+    - name: "[Windows] Sign Package"
+      if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null && env.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD != null
+      run: signtool sign %WINDOWS_CODESIGN_ARGS% *.msi
+      working-directory: cmake_build
+
     - name: "[macOS] Upload build to downloads.mixxx.org"
       # skip deploying Ubuntu builds to downloads.mixxx.org because these are deployed to the PPA
       if: runner.os == 'macOS' && env.DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD != null