integrate code from test script into github workflow

2026-05-18 02:31:27 +00:00 · 2023-09-26 17:30:56 +02:00
parent fadd6b761f
commit 29fedcd390
1 changed files with 40 additions and 6 deletions
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -143,9 +143,47 @@ jobs:
      - name: Fix permissions
        run: attrib -r appdir/Cryptomator/Cryptomator.exe
        shell: pwsh
-      - name: Extract integrations DLL for code signing
+      - name: Codesign binaries inside jars
+        run: |
+          $certificate = '${{ secrets.WIN_CODESIGN_P12_BASE64 }}'
+          $password = '${{ secrets.WIN_CODESIGN_P12_PW }}'
+          $certificateSHA1 = '5FC94CE149E5B511E621F53A060AC67CBD446B3A'
+          $description = 'Cryptomator'
+          $timestampUrl = 'http://timestamp.digicert.com'
+          $folder = ".\appdir\Cryptomator\app"
+          $tmpDir = ".\extract"
+          $signtool = $(Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\' -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith('x64') } | Select-Object -Last 1).FullName
+
+          # preps
+          Install-Module -Name Microsoft.PowerShell.TextUtility -Force -Confirm:$False
+
+          # import certificate
+          $bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
+          Set-Content -Path ".\certFile" -AsByteStream -Value $bytes
+          & certutil -f -p $password -importpfx ".\certFile"
+
+          # create directory to extract every jar to
+          New-Item -Path $tmpDir -ItemType Directory
+          # iterate over all jars
+          Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
+              $jar = Copy-Item $_ -Destination $tmpDir -PassThru
+              Set-Location -Path $tmpDir
+              jar --file=$($_.FullName) --extract
+              Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
+                  # sign
+                  & $signtool sign /sm /tr ${timestampUrl} /td SHA256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
+                  # update jar with signed dll
+                  jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
+              }
+              # replace old jar with its update
+              Move-Item -Path $($jar.FullName) -Destination $_ -Force
+              # clear extraction dir
+              Remove-Item -Path ".\*" -Force -Recurse
+              Set-Location -Path ".."
+          }
+          # clean up
+          Remove-Item -Path $tmpDir
        shell: pwsh
-        run: gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --extract integrations.dll }
      - name: Codesign
        uses: skymatic/code-sign-action@v2
        with:
@@ -156,10 +194,6 @@ jobs:
          timestampUrl: 'http://timestamp.digicert.com'
          folder: appdir/Cryptomator
          recursive: true
-      - name: Repack signed DLL into jar
-        shell: pwsh
-        run: |
-          gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --update integrations.dll; Remove-Item integrations.dll}
      - name: Generate license for MSI
        run: >
          mvn -B license:add-third-party