diff --git a/.github/actions/win-sign-action/action.yml b/.github/actions/win-sign-action/action.yml
deleted file mode 100644
index a57e8f7b1..000000000
--- a/.github/actions/win-sign-action/action.yml
+++ /dev/null
@@ -1,145 +0,0 @@
-name: 'Windows Signing'
-description: 'Sign files on Windows'
-inputs:
- base-dir:
- description: 'The base directory to search for files'
- required: true
- file-extensions:
- description: 'List of file extensions to sign, separated by comma'
- required: true
- username:
- description: 'Username for signing'
- required: true
- password:
- description: 'Password for signing'
- required: true
- recursive:
- description: 'Whether to search recursively in subdirectories'
- required: false
- default: 'false'
- sign-description:
- description: 'Signature description'
- required: false
- default: 'Cryptomator'
- sign-url:
- description: 'Signature URL'
- required: false
- default: 'https://cryptomator.org'
-
-runs:
- using: "composite"
- steps:
- - name: Download Actalis CodeSigner if not present
- id: download-signer
- run: |
- if (! (Test-Path -Path '${{ env.SIGNER_PATH }}')) {
- echo "Downloading Actalis CodeSigner..."
- curl --output "${{ env.SIGNER_NAME }}.zip" -L "${{ env.SIGNER_URL }}"
- if (!(Get-FileHash -Path "${{ env.SIGNER_NAME }}.zip" -Algorithm SHA256).Hash.ToLower().equals("${{ env.SIGNER_HASH }}")) {
- echo "Signer hash mismatch, exiting."
- exit 1
- }
- Expand-Archive -Path "${{ env.SIGNER_NAME }}.zip" -DestinationPath "${{ env.SIGNER_NAME }}" -Force
- }
- env:
- SIGNER_PATH: ${{ github.workspace }}/actalis-signer/ActalisCodeSigner.exe
- SIGNER_NAME: actalis-signer
- SIGNER_URL: 'https://static.cryptomator.org/other/CodeSigner-win-x64-latest.zip'
- SIGNER_HASH: '44a1e09ab72707d049d3e59656e3e35de92e8cda357eec1cfc367016e45835ab'
- shell: pwsh
- - name: Generate, mask, and output the input secrets
- id: set-secrets
- run: |
- echo "::add-mask::${{ inputs.username }}"
- echo "::add-mask::${{ inputs.password }}"
- echo "username=${{ inputs.username }}" >> "$GITHUB_OUTPUT"
- echo "password=${{ inputs.password }}" >> "$GITHUB_OUTPUT"
- shell: bash
- - name: Sign DLLs with Actalis CodeSigner
- run: |
- $signerPath = '${{ env.SIGNER_PATH }}'
- $username = '${{ steps.set-secrets.outputs.username }}'
- $password = '${{ steps.set-secrets.outputs.password }}'
- $signDescription = '${{ inputs.sign-description }}'
- $signUrl = '${{ inputs.sign-url }}'
- $extensions = '${{ inputs.file-extensions }}'.split(",") | ForEach-Object { "*.$($_.Trim())" }
- $recursive = '${{ inputs.recursive }}' -eq 'true'
- $files = Get-ChildItem -Path '${{ inputs.base-dir }}\*' -Include $extensions -Recurse:$recursive
-
- if($files.Count -eq 0) {
- Write-Host "`nāŒ No files found to sign."
- exit 1
- }
- Write-Host "`nšŸ“ Found $($files.Count) files to sign:"
- $files | ForEach-Object { Write-Host " - $($_.FullName)" }
-
- # Create log directory
- $logDir = "~/.Acsi/log"
- if (!(Test-Path $logDir)) {
- New-Item -Path $logDir -ItemType Directory -Force | Out-Null
- }
-
- $jobs = @()
- foreach ($file in $files) {
- # Run signing in a job
- $job = Start-Job -ScriptBlock {
- param($signerPath, $username, $password, $signDescription, $signUrl, $filePath)
-
- Write-Host "`nšŸ” Signing: $($filePath)"
- $logFile = "~/.Acsi/log/$(Split-Path -Leaf $filePath).log"
- $arguments = @(
- '-ts',
- 'http://timestamp.digicert.com',
- '-fu', $username,
- '-fp', $password,
- '-pm', "`"$signDescription`"",
- '--program-url', $signUrl,
- '-in', "`"$filePath`""
- )
- $process = Start-Process -FilePath "$signerPath" -ArgumentList $arguments -Wait -PassThru -RedirectStandardOutput "$logFile" -NoNewWindow
-
- return @{
- FilePath = $filePath
- ExitCode = $process.ExitCode
- LogFile = $logFile
- }
- } -ArgumentList $signerPath, $username, $password, $signDescription, $signUrl, $file.FullName
- $jobs += $job
-
- # Throttle to max 5 concurrent jobs
- if ($jobs.Count -ge 5) {
- $completed = $jobs | Wait-Job -Any
- $result = $completed | Receive-Job
-
- # Check result and exit on failure
- if ($result.ExitCode -ne 0) {
- $jobs | Stop-Job | Remove-Job
- Write-Host "āŒ Signing failed for $($result.FilePath) with exit code: $($result.ExitCode)"
- exit 1
- }
- Write-Host " āœ… Successfully signed $($result.FilePath)"
-
- $jobs = $jobs | Where-Object { $_.Id -ne $completed.Id }
- $completed | Remove-Job
-
- }
- }
- # Wait for remaining jobs
- $jobs | Wait-Job | Receive-Job | ForEach-Object {
- if ($_.ExitCode -ne 0) {
- Write-Host "āŒ Signing failed for $($_.FilePath) with exit code: $($_.ExitCode)"
- exit 1
- }
- Write-Host " āœ… Successfully signed $($_.FilePath)"
- }
- Write-Host "`nāœ… Successfully signed $($files.Count) files."
- env:
- SIGNER_PATH: ${{ github.workspace }}/actalis-signer/ActalisCodeSigner.exe
- shell: pwsh
- - name: Upload log on failure
- if: failure()
- uses: actions/upload-artifact@v4
- with:
- name: signing-log-${{ runner.arch }}
- path: |
- ~/.Acsi/log/*.log
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 629cb56be..2045fc6da 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -212,11 +212,13 @@ jobs:
 Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
 - name: Sign DLLs with Actalis CodeSigner
 if: inputs.sign || github.event_name == 'release'
- uses: ./.github/actions/win-sign-action
+ uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
 with:
 base-dir: 'appdir'
 file-extensions: 'dll,exe,ps1'
 recursive: true
+ sign-description: 'Cryptomator'
+ sign-url: 'https://cryptomator.org'
 username: ${{ secrets.WIN_CODESIGN_USERNAME }}
 password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Replace DLLs inside jars with signed ones
@@ -269,11 +271,12 @@ jobs:
 JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
 - name: Sign msi with Actalis CodeSigner
 if: inputs.sign || github.event_name == 'release'
- uses: ./.github/actions/win-sign-action
+ uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
 with:
 base-dir: 'installer'
 file-extensions: 'msi'
 sign-description: 'Cryptomator Installer'
+ sign-url: 'https://cryptomator.org'
 username: ${{ secrets.WIN_CODESIGN_USERNAME }}
 password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Add possible alpha/beta tags and architecture to installer name
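Review bot: The `uses:` line in the "Sign DLLs" step now hands the code-signing credentials (`secrets.WIN_CODESIGN_USERNAME` / `secrets.WIN_CODESIGN_PW`) to an action that lives in a different repository, `skymatic/workflows`, so that repository's write access becomes part of this release pipeline's trust boundary. Pinning to the full commit `450e322ff2214d0be0b079b63343c894f3ef735f` is the right way to do that, since a tag or branch could be moved later; keep that discipline on every future bump and review the action's diff before updating the pin. What this hunk cannot show is whether the remote action still verifies the downloaded signer binary against a fixed SHA-256 before executing it, as the deleted local copy did — confirm that before relying on it for release builds, and consider a comment on the `uses:` line such as `# pinned by commit; bumps must re-verify the signer download check` so the reason for the SHA pin survives the next edit.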
@@ -380,10 +383,12 @@ jobs:
 wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
 - name: Sign burn engine with Actalis CodeSigner
 if: inputs.sign || github.event_name == 'release'
- uses: ./.github/actions/win-sign-action
+ uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
 with:
 base-dir: 'tmp'
 file-extensions: 'exe'
+ sign-description: 'Cryptomator Bundle Installer'
+ sign-url: 'https://cryptomator.org'
 username: ${{ secrets.WIN_CODESIGN_USERNAME }}
 password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Reattach signed burn engine to installer
@@ -391,11 +396,12 @@ jobs:
 wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
 - name: Sign installer with Actalis CodeSigner
 if: inputs.sign || github.event_name == 'release'
- uses: ./.github/actions/win-sign-action
+ uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
 with:
 base-dir: 'installer'
 file-extensions: 'exe'
 sign-description: 'Cryptomator Bundle Installer'
+ sign-url: 'https://cryptomator.org'
 username: ${{ secrets.WIN_CODESIGN_USERNAME }}
 password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Add possible alpha/beta tags to installer name
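Review bot: The same bare 40-character commit pin is now repeated at four call sites in this workflow (the two in this line sign the detached burn engine and the reattached installer), with nothing that tells a reader which release of the action it corresponds to; a partial bump would leave the burn engine and the final bundle signed by different action revisions, which is hard to spot in review. Append a version comment to each `uses:` line, e.g. `uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # <tag or date of that commit>`, so humans and Dependabot/Renovate can recognise the pin and move all four together. If a dependency-update bot is configured for this repository, add the `github-actions` ecosystem entry for this path so it tracks the pin rather than leaving it to manual edits.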