Sign all binaries (exe) on Windows when we do a release

2024-09-02 17:37:30 +02:00 · 2024-09-02 17:37:30 +02:00 · 263ce4c87d
parent 49b15d12b7
commit 263ce4c87d
1 changed files with 25 additions and 0 deletions
--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@ -456,6 +456,25 @@ def get_postfix(project):
    return postfix


+def sign_binary(path):
+    # We assume here that signtool and certificate are properly configured.
+    # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
+    command = [
+        os.getenv("SIGNTOOL_PATH", "signtool.exe"),
+        "sign",
+        "/fd",
+        "sha256",
+        "/tr",
+        "http://ts.ssl.com",
+        "/td",
+        "sha256",
+        "/sha1",
+        os.environ["SIGNTOOL_THUMBPRINT"],
+        str(path),
+    ]
+    subprocess.run(command, check=True)
+
+
 def make_archive(project, make_release):
    platform_name = get_platform_name()
    if not platform_name:
@ -477,6 +496,12 @@ def make_archive(project, make_release):
    files_to_archive = []
    for export_file in export_files:
        files_to_archive.extend(base_dir.glob(export_file))
+
+    if make_release and platform.system() == "Windows":
+        for file in files_to_archive:
+            if str(file).endswith(".exe"):
+                sign_binary(file)
+
    if platform_name == "win-i686" or platform.system() == "Windows":
        open_archive = lambda a: zipfile.ZipFile(
            str(a), "w", compression=zipfile.ZIP_DEFLATED