From e24e5846cc57d449b054903314919aa65828cfae Mon Sep 17 00:00:00 2001
From: Alibek Omarov <a1ba.omarov@gmail.com>
Date: Sun, 18 Aug 2024 13:13:41 +0300
Subject: [PATCH] gha: first attempt at signing binaries

---
 .github/workflows/c-cpp.yml |  2 ++
 scripts/gha/build_win32.sh  | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index c70ca283e..df7424ef5 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -60,6 +60,8 @@ jobs:
     - name: Install dependencies
       run: bash scripts/gha/deps_${{ matrix.targetos }}.sh
     - name: Build engine
+      env:
+        FWGS_PFX_PASSWORD: ${{ secrets.FWGS_PFX_PASSWORD }}
       run: bash scripts/gha/build_${{ matrix.targetos }}.sh
     - name: Upload engine (artifacts)
       uses: actions/upload-artifact@v4
diff --git a/scripts/gha/build_win32.sh b/scripts/gha/build_win32.sh
index 44dc8fcfa..ccf735325 100755
--- a/scripts/gha/build_win32.sh
+++ b/scripts/gha/build_win32.sh
@@ -17,13 +17,22 @@ fi
 
 if [ "$ARCH" = "i386" ]; then
 	cp SDL2_VC/lib/x86/SDL2.dll . # Install SDL2
-	cp 3rdparty/vgui_support/vgui-dev/lib/win32_vc6/vgui.dll .
 elif [ "$ARCH" = "amd64" ]; then
 	cp SDL2_VC/lib/x64/SDL2.dll .
 else
 	die
 fi
 
+WINSDK_LATEST=$(ls -1 "C:/Program Files (x86)/Windows Kits/10/bin" | grep -E '^10' | sort -rV | head -n1)
+echo "Latest installed Windows SDK is $WINSDK_LATEST"
+
+"C:/Program (x86)/Windows Kits/10/bin/$WINSDK_LATEST/x64/signtool.exe" \
+	/f scripts/fwgs.pfx /fd SHA256 /p "$FWGS_PFX_PASSWORD" *.dll *.exe
+
+if [ "$ARCH" = "i386" ]; then # VGUI is already signed
+	cp 3rdparty/vgui_support/vgui-dev/lib/win32_vc6/vgui.dll .
+fi
+
 mkdir -p artifacts/
 7z a -t7z artifacts/xash3d-fwgs-win32-$ARCH.7z -m0=lzma2 -mx=9 -mfb=64 -md=32m -ms=on \
 	*.dll *.exe *.pdb activities.txt \