Merge pull request #15 from vhspace/p2p-windows

For development/testing:
vhspace · Jan 15, 2025 · 61d0574 · 61d0574
2 parents c7de4c4 + 94b6fe4
commit 61d0574
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
@@ -123,6 +123,45 @@ jobs:
       run: |
         python setup.py bdist_msi
 
+    - name: Create Self-Signed Certificate (Development)
+      if: ${{ !inputs.use_production_signing }}
+      run: |
+        # Create a self-signed certificate for development
+        New-SelfSignedCertificate -Type Custom -Subject "CN=P2PP Development" -KeyUsage DigitalSignature `
+          -FriendlyName "P2PP Development Certificate" -CertStoreLocation "Cert:\CurrentUser\My" `
+          -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}false")
+        
+        # Export certificate info for signing
+        $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.FriendlyName -eq "P2PP Development Certificate"}
+        echo "SIGNING_CERT_THUMBPRINT=$($cert.Thumbprint)" >> $env:GITHUB_ENV
+      shell: pwsh
+
+    - name: Sign MSI (Development)
+      if: ${{ !inputs.use_production_signing }}
+      run: |
+        # Sign with self-signed certificate
+        $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Thumbprint -eq $env:SIGNING_CERT_THUMBPRINT}
+        Set-AuthenticodeSignature -FilePath "dist\*.msi" -Certificate $cert -TimestampServer "http://timestamp.digicert.com"
+      shell: pwsh
+
+    - name: Sign MSI (Production)
+      if: ${{ inputs.use_production_signing }}
+      env:
+        WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+        WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+      run: |
+        # Decode and save the certificate
+        $certBytes = [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE)
+        $certPath = "certificate.pfx"
+        [IO.File]::WriteAllBytes($certPath, $certBytes)
+        
+        # Sign the MSI
+        signtool sign /f $certPath /p $env:WINDOWS_CERTIFICATE_PASSWORD /tr http://timestamp.digicert.com /td sha256 /fd sha256 "dist\*.msi"
+        
+        # Clean up
+        Remove-Item $certPath
+      shell: pwsh
+
     - name: Upload to Release
       if: inputs.upload_to_release && startsWith(github.ref, 'refs/tags/')
       uses: softprops/action-gh-release@v1

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,4 +11,4 @@ jobs:
     uses: ./.github/workflows/build-packages.yml
     with:
       upload_to_release: true
-      use_production_signing: ${{ secrets.APPLE_CERTIFICATE != '' }}
+      use_production_signing: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.WINDOWS_CERTIFICATE != '' }}