Merge remote-tracking branch 'upstream/main' into add-enable-building…

…-voicevox-onnxruntime

.github/workflows/build.yml

@@ -17,6 +17,11 @@ on:
       release:
         description: "リリースするかどうか"
         type: boolean
+      code_signing:
+        description: "コード署名する"
+        type: boolean
+        required: false
+        default: false
 
 env:
   ONNXRUNTIME_NAME:
@@ -239,6 +244,7 @@ jobs:
       ARCH_SUFFIX: "${{ (matrix.linux_cross_arch != '' && '-') || '' }}${{ (matrix.linux_cross_arch != '' && matrix.linux_cross_arch) || '' }}"
 
     runs-on: ${{ matrix.os }}
+    environment: ${{ inputs.code_signing && 'production' || '' }} # コード署名用のenvironment
 
     steps:
       - uses: actions/setup-python@v4
@@ -508,12 +514,12 @@ jobs:
             echo "Unknown target found : ${{ matrix.artifact_name }}"
             return 1
           fi
+          # PDBファイル, Privacy.md, include/は不要なので省く
           if [ ${{ runner.os }} = Windows ]; then
             # https://github.com/microsoft/onnxruntime/blob/v1.16.3/tools/ci_build/github/azure-pipelines/templates/c-api-artifacts-package-and-publish-steps-windows.yml#L34-L72
-            # ただし、ortクレートには.pdbとinclude/は不要なので入れない。
             mkdir -p ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/lib
             git rev-parse HEAD > ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/GIT_COMMIT_ID
-            cp ./{docs/Privacy.md,LICENSE,README.md,ThirdPartyNotices.txt,VERSION_NUMBER} \
+            cp ./{LICENSE,README.md,ThirdPartyNotices.txt,VERSION_NUMBER} \
               ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/
             cp ./${{ matrix.result_dir }}/${{ matrix.release_config }}/"$ONNXRUNTIME_NAME".{dll,lib} \
               ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/lib/
@@ -529,6 +535,7 @@ jobs:
               -c ${{ matrix.release_config }} \
               -s "$(pwd)" \
               -t "$(git rev-parse HEAD)"
+            rm -r ${{ matrix.result_dir }}/${{ matrix.artifact_name }}/{Privacy.md,include}
           fi
           if [ "$ONNXRUNTIME_NAME" = voicevox_onnxruntime ]; then
             for filename in LICENSE README.md; do
@@ -541,6 +548,14 @@ jobs:
           fi
           mv ${{ matrix.result_dir }}/${{ matrix.artifact_name }} ./artifact/
 
+      - name: Code signing (Windows)
+        if: runner.os == 'Windows' && inputs.code_signing
+        run: find ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/lib -name '*.dll' -exec ./builder/codesign.bash {} ';'
+        env:
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:

.github/workflows/shellcheck.yml

@@ -0,0 +1,22 @@
+name: ShellCheck
+
+on:
+  - push
+  - pull_request
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Update ShellCheck
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
+          shellcheck -V
+
+      - name: ShellCheck
+        run: git ls-files | grep -E '\.(ba)?sh' | xargs shellcheck

codesign.bash

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+# eSignerCKAを使ってコード署名する
+
+set -eu
+
+if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
+    echo "ESIGNERCKA_USERNAMEが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
+    echo "ESIGNERCKA_PASSWORDが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
+    echo "ESIGNERCKA_TOTP_SECRETが未定義です"
+    exit 1
+fi
+
+if [ $# -ne 1 ]; then
+    echo "引数の数が一致しません"
+    exit 1
+fi
+target_file_glob="$1"
+
+# eSignerCKAのセットアップ
+INSTALL_DIR='..\eSignerCKA'
+if [ ! -d "$INSTALL_DIR" ]; then
+    curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
+    unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
+    mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe
+    powershell "
+        & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null
+        & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r
+        & '$INSTALL_DIR\eSignerCKATool.exe' unload
+    "
+    rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
+fi
+
+# 証明書を読み込む
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load"
+
+# shellcheck disable=SC2016
+THUMBPRINT=$(
+    powershell '
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+        echo "$($CodeSigningCert.Thumbprint)"
+    '
+)
+
+# 指定ファイルに署名する
+function codesign() {
+    TARGET="$1"
+    # shellcheck disable=SC2012
+    SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
+    powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'"
+}
+
+# 指定ファイルが署名されているか
+function is_signed() {
+    TARGET="$1"
+    SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+    powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1
+}
+
+# 署名されていなければ署名
+# shellcheck disable=SC2012,SC2086
+ls $target_file_glob | while read -r target_file; do
+    if is_signed "$target_file"; then
+        echo "署名済み: $target_file"
+    else
+        echo "署名開始: $target_file"
+        codesign "$target_file"
+    fi
+done
+
+# 証明書を破棄
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"