From 370cf2de58465fa62a1a641e6b1f286ed18d73be Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 17 Sep 2024 21:16:38 -0400
Subject: [PATCH] [skip ci] Use CodeSignTool in the github action
---
 .github/workflows/release.yml | 6 +----
 products/jbrowse-desktop/sign.js | 44 ++++++++++++++++++++------------
 2 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a68e232575..c99b89a61a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -73,15 +73,11 @@ jobs:
 cd products/jbrowse-desktop/code_signer
 wget https://www.ssl.com/download/codesigntool-for-linux-and-macos -O out.zip
 unzip out.zip
+ chmod +x CodeSignTool.sh
 cd ../../../
 - name: Build app
 env:
- # NOTE: must explicitly pass in even the parameters that
- # esigner-codesign says are optional since we're not using the action
- # directly, but rather passing the params in as env vars:
- # xref https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062
- CODE_SIGN_SCRIPT_PATH: 'code_signer'
 WINDOWS_SIGN_USER_NAME: ${{ secrets.WINDOWS_SIGN_USER_NAME }}
 WINDOWS_SIGN_USER_PASSWORD: ${{ secrets.WINDOWS_SIGN_USER_PASSWORD }}
 WINDOWS_SIGN_CREDENTIAL_ID: ${{ secrets.WINDOWS_SIGN_CREDENTIAL_ID }}
diff --git a/products/jbrowse-desktop/sign.js b/products/jbrowse-desktop/sign.js
index bc490920de..b645b5154f 100644
--- a/products/jbrowse-desktop/sign.js
+++ b/products/jbrowse-desktop/sign.js
@@ -1,6 +1,5 @@
-// this script taken from
+// this script adapted from
 // https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-899798533
-// see our shared google drive -> developer folder for more info on this
 const path = require('path')
 const fs = require('fs')
 const childProcess = require('child_process')
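Review bot: The added `chmod +x CodeSignTool.sh` in the release.yml hunk marks as executable a script that the same step has just fetched from an unversioned URL and unpacked with no integrity check, and the following `Build app` step runs with the `WINDOWS_SIGN_*` secrets in its environment. A digest check between `wget` and `unzip` would tie the release to a known archive, for example `echo "<EXPECTED_SHA256>  out.zip" | sha256sum -c -`, where the digest is a placeholder to be recorded from a vetted download and updated only on a deliberate tool upgrade. The `run:` block starts above the hunk, so any verification done earlier in the step is not visible here.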
@@ -13,22 +12,35 @@ if (!fs.existsSync(TEMP_DIR)) {
 function sign(configuration) {
 console.log(`Signing ${configuration.path}`)
- const { name, dir } = path.parse(configuration.path)
- // CodeSignTool can't sign in place without verifying the overwrite with a
- // y/m interaction so we are creating a new file in a temp directory and
- // then replacing the original file with the signed file.
+ // we move signed files to a file named tmp.exe because our product name
+ // contains a space, meaning our .exe contains a space, which CodeSignTool
+ // balks at even with attempted backslash escaping, so we rename to tmp.exe
+ const tmpExe = `tmp-${Math.random()}.exe`
+
+ // note: CodeSignTool can't sign in place without verifying the overwrite
+ // with a y/m interaction so we are creating a new file in a temp directory
+ // and then replacing the original file with the signed file.
 const signFile = [
- 'codesigner/CodeSignTool.sh sign',
- `-input_file_path="${configuration.path}"`,
- `-output_dir_path="${TEMP_DIR}"`,
- `-credential_id="${process.env.WINDOWS_SIGN_CREDENTIAL_ID}"`,
- `-username="${process.env.WINDOWS_SIGN_USER_NAME}"`,
- `-password="${process.env.WINDOWS_SIGN_USER_PASSWORD}"`,
- `-totp_secret="${process.env.WINDOWS_SIGN_USER_TOTP}"`,
+ // code_signer is directory containing the CodeSignTool script in
+ // products/jbrowse-desktop that is created by .github/workflows/release.sh
+ // on windows
+ 'CODE_SIGN_TOOL_PATH=code_signer bash code_signer/CodeSignTool.sh sign',
+ `-input_file_path='${tmpExe}'`,
+ `-output_dir_path='${TEMP_DIR}'`,
+ `-credential_id='${process.env.WINDOWS_SIGN_CREDENTIAL_ID}'`,
+ `-username='${process.env.WINDOWS_SIGN_USER_NAME}'`,
+ `-password='${process.env.WINDOWS_SIGN_USER_PASSWORD}'`,
+ `-totp_secret='${process.env.WINDOWS_SIGN_USER_TOTP}'`,
 ].join(' ')
-
- const moveFile = `mv "${path.join(TEMP_DIR, name)}" "${dir}"`
- childProcess.execSync(`${setDir} && ${signFile} && ${moveFile}`, {
+ const preMoveFile = `cp "${configuration.path}" "${tmpExe}"`
+ const postMoveFile = `cp "${path.join(TEMP_DIR, tmpExe)}" "${configuration.path}"`
+ childProcess.execSync(`${preMoveFile}`, {
+ stdio: 'inherit',
+ })
+ childProcess.execSync(`${signFile}`, {
+ stdio: 'inherit',
+ })
+ childProcess.execSync(`${postMoveFile}`, {
 stdio: 'inherit',
 })
 }
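Review bot: The new `signFile` string splices the four `WINDOWS_SIGN_*` values into a shell command between single quotes, so a password or TOTP secret that contains `'` ends the quoting and the rest of the value is parsed by the shell. The `preMoveFile` and `postMoveFile` commands have the same weakness with `configuration.path` inside double quotes, where `$` and backticks are still expanded. Passing the arguments as an array to `childProcess.execFileSync` (with `CODE_SIGN_TOOL_PATH` supplied through the `env` option) and copying with `fs.copyFileSync` takes the shell out of all three steps, as sketched below; whether the script itself copes with spaces in `TEMP_DIR` is not visible from here. The secrets would still appear in the child's argument list, and the `tmpExe` copies in the working directory and in `TEMP_DIR` are never removed, so an `fs.rmSync(tmpExe, { force: true })` after the final copy is worth adding.

```javascript
  const tmpExe = `tmp-${Math.random()}.exe`
  // … unchanged: comments on the tmp.exe rename and the overwrite prompt …
  fs.copyFileSync(configuration.path, tmpExe)
  childProcess.execFileSync(
    'bash',
    [
      'code_signer/CodeSignTool.sh',
      'sign',
      `-input_file_path=${tmpExe}`,
      `-output_dir_path=${TEMP_DIR}`,
      `-credential_id=${process.env.WINDOWS_SIGN_CREDENTIAL_ID}`,
      `-username=${process.env.WINDOWS_SIGN_USER_NAME}`,
      `-password=${process.env.WINDOWS_SIGN_USER_PASSWORD}`,
      `-totp_secret=${process.env.WINDOWS_SIGN_USER_TOTP}`,
    ],
    {
      stdio: 'inherit',
      env: { ...process.env, CODE_SIGN_TOOL_PATH: 'code_signer' },
    },
  )
  fs.copyFileSync(path.join(TEMP_DIR, tmpExe), configuration.path)
```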