Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/release-0.14' into buffer-0.14
Browse files Browse the repository at this point in the history
  • Loading branch information
Hiroshiba committed Oct 7, 2023
2 parents ad2a3e9 + 1895ab5 commit e7ee5eb
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 15 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/build_and_deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -306,8 +306,9 @@ jobs:
run: |
bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/voicevox_core.dll"
env:
CERT_BASE64: ${{ secrets.CERT_BASE64 }}
CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
- name: Upload artifact to build XCFramework
if: contains(matrix.target, 'ios')
uses: actions/upload-artifact@v2
Expand Down
54 changes: 41 additions & 13 deletions build_util/codesign.bash
Original file line number Diff line number Diff line change
@@ -1,14 +1,20 @@
#!/usr/bin/env bash
# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!

# eSignerCKAを使ってコード署名する

set -eu

if [ ! -v CERT_BASE64 ]; then
echo "CERT_BASE64が未定義です"
if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
echo "ESIGNERCKA_USERNAMEが未定義です"
exit 1
fi
if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
echo "ESIGNERCKA_PASSWORDが未定義です"
exit 1
fi
if [ ! -v CERT_PASSWORD ]; then
echo "CERT_PASSWORDが未定義です"
if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
echo "ESIGNERCKA_TOTP_SECRETが未定義です"
exit 1
fi

Expand All @@ -18,22 +24,44 @@ if [ $# -ne 1 ]; then
fi
target_file_glob="$1"

# 証明書
CERT_PATH=cert.pfx
echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH
# eSignerCKAのセットアップ
INSTALL_DIR='..\eSignerCKA'
if [ ! -d "$INSTALL_DIR" ]; then
curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe
powershell "
& ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null
& '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r
& '$INSTALL_DIR\eSignerCKATool.exe' unload
"
rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
fi

# 証明書を読み込む
powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load"

# shellcheck disable=SC2016
THUMBPRINT=$(
powershell '
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo "$($CodeSigningCert.Thumbprint)"
'
)

# 指定ファイルに署名する
function codesign() {
TARGET="$1"
SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'"
# shellcheck disable=SC2012
SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'"
}

# 指定ファイルが署名されているか
function is_signed() {
TARGET="$1"
SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1
powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1
}

# 署名されていなければ署名
Expand All @@ -42,10 +70,10 @@ ls $target_file_glob | while read -r target_file; do
if is_signed "$target_file"; then
echo "署名済み: $target_file"
else
echo "署名: $target_file"
echo "署名開始: $target_file"
codesign "$target_file"
fi
done

# 証明書を消去
rm $CERT_PATH
# 証明書を破棄
powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"

0 comments on commit e7ee5eb

Please sign in to comment.