Skip to content

Commit

Permalink
build(cmake): add support for base64-encoded signing certificate
Browse files Browse the repository at this point in the history
This is a workaround for GitHub Actions not handling long or multiline
secrets properly.
  • Loading branch information
trollixx committed Sep 19, 2023
1 parent 9e5ddda commit e1c83d0
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build-check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ jobs:
if: matrix.config.publishArtifacts
run: cmake --build build --preset ${{ matrix.config.buildPreset }} --target package
env:
CODESIGN_CERTIFICATE: ${{ secrets.CODESIGN_CERTIFICATE }}
CODESIGN_CERTIFICATE_BASE64: ${{ secrets.CODESIGN_CERTIFICATE_BASE64 }}
CODESIGN_PASSWORD: ${{ secrets.CODESIGN_PASSWORD }}

- name: Upload ZIP Artifacts
Expand Down
44 changes: 42 additions & 2 deletions cmake/CodeSign.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -97,8 +97,48 @@ function(codesign)
set(_temp_path $ENV{TEMP})
endif()

set(_certificate_file "${_temp_path}/codesign.pem")
set(_certificate_file "${_temp_path}/codesign.tmp")
file(WRITE ${_certificate_file} $ENV{CODESIGN_CERTIFICATE})
set(_ARG_CERTIFICATE_FILE ${_certificate_file})
elseif(DEFINED ENV{CODESIGN_CERTIFICATE_BASE64})
# Read base64-encoded certificate from environment variable,
# decode with `certutil.exe`, and store in a temporary file
# for signtool to use.
#
# This is useful for GitHub Actions, which cannot handle unencoded
# multiline secrets.

# Determine temporary file location. Try to keep it local to the build.
if(CMAKE_BINARY_DIR)
set(_temp_path ${CMAKE_BINARY_DIR})
elseif(CPACK_TEMPORARY_DIRECTORY)
set(_temp_path ${CPACK_TEMPORARY_DIRECTORY})
else()
set(_temp_path $ENV{TEMP})
endif()

# Save base64-encoded certificate to file.
set(_certificate_file "${_temp_path}/codesign.tmp")
set(_certificate_base64_file "${_certificate_file}.base64")
file(WRITE ${_certificate_base64_file} $ENV{CODESIGN_CERTIFICATE_BASE64})

# Decode certificate.
set(_cmd_certutil_args "-decode" ${_certificate_base64_file} ${_certificate_file})
execute_process(COMMAND "certutil.exe" ${_cmd_certutil_args}
RESULT_VARIABLE _rc
OUTPUT_VARIABLE _stdout
# ERROR_VARIABLE _stderr
)

# Remove temporary file first.
file(REMOVE ${_certificate_base64_file})

if(NOT _rc EQUAL 0)
# For some reason certutil prints errors to stdout.
message(NOTICE "Failed to decode certificate: ${_stdout}")
return()
endif()

set(_ARG_CERTIFICATE_FILE ${_certificate_file})
else()
message(NOTICE "Certificate is not provided, no binaries will be signed.")
Expand Down Expand Up @@ -170,7 +210,7 @@ function(codesign)
)

if(NOT _rc EQUAL 0)
message(NOTICE "Signing failed: ${_stderr}")
message(NOTICE "Failed to sign: ${_stderr}")
endif()

if(NOT _ARG_QUIET)
Expand Down

0 comments on commit e1c83d0

Please sign in to comment.