diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index 1994a34e0..8ca54ca82 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -306,8 +306,9 @@ jobs: run: | bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/voicevox_core.dll" env: - CERT_BASE64: ${{ secrets.CERT_BASE64 }} - CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} + ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }} + ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }} + ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }} - name: Upload artifact to build XCFramework if: contains(matrix.target, 'ios') uses: actions/upload-artifact@v2 diff --git a/build_util/codesign.bash b/build_util/codesign.bash index 8bf3ac8be..5c80cf55f 100755 --- a/build_util/codesign.bash +++ b/build_util/codesign.bash @@ -1,14 +1,20 @@ #!/usr/bin/env bash # !!! コードサイニング証明書を取り扱うので取り扱い注意 !!! +# eSignerCKAを使ってコード署名する + set -eu -if [ ! -v CERT_BASE64 ]; then - echo "CERT_BASE64が未定義です" +if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名 + echo "ESIGNERCKA_USERNAMEが未定義です" + exit 1 +fi +if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード + echo "ESIGNERCKA_PASSWORDが未定義です" exit 1 fi -if [ ! -v CERT_PASSWORD ]; then - echo "CERT_PASSWORDが未定義です" +if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret + echo "ESIGNERCKA_TOTP_SECRETが未定義です" exit 1 fi @@ -18,22 +24,44 @@ if [ $# -ne 1 ]; then fi target_file_glob="$1" -# 証明書 -CERT_PATH=cert.pfx -echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH +# eSignerCKAのセットアップ +INSTALL_DIR='..\eSignerCKA' +if [ ! -d "$INSTALL_DIR" ]; then + curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip" + unzip -o SSL.COM-eSigner-CKA_1.0.6.zip + mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe + powershell " + & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null + & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r + & '$INSTALL_DIR\eSignerCKATool.exe' unload + " + rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe +fi + +# 証明書を読み込む +powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load" + +# shellcheck disable=SC2016 +THUMBPRINT=$( + powershell ' + $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 + echo "$($CodeSigningCert.Thumbprint)" + ' +) # 指定ファイルに署名する function codesign() { TARGET="$1" - SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) - powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'" + # shellcheck disable=SC2012 + SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない + powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'" } # 指定ファイルが署名されているか function is_signed() { TARGET="$1" SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) - powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1 + powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1 } # 署名されていなければ署名 @@ -42,10 +70,10 @@ ls $target_file_glob | while read -r target_file; do if is_signed "$target_file"; then echo "署名済み: $target_file" else - echo "署名: $target_file" + echo "署名開始: $target_file" codesign "$target_file" fi done -# 証明書を消去 -rm $CERT_PATH +# 証明書を破棄 +powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"