MrSphay/Modrinth-plus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Align Windows signing with MrTrust contract
Some checks failed
Codex Template Compliance / template-compliance (push) Successful in 8s
Details
Build / build-windows (push) Failing after 8m43s
Details

Browse Source
This commit is contained in:
MrSphay
2026-05-16 04:34:34 +02:00
parent e66aa3d128
commit 6e9c53db2d
5 changed files with 84 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.gitea/workflows/build.yml
View File

@@ -19,13 +19,12 @@ jobs:
MODRINTH_SOCKET_URL: wss://api.modrinth.com/
MODRINTH_LAUNCHER_META_URL: https://launcher-meta.modrinth.com/
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
MRTRUST_CODE_SIGNING_PFX_BASE64: ${{ secrets.MRTRUST_CODE_SIGNING_PFX_BASE64 }}
MRTRUST_PFX_PASSWORD: ${{ secrets.MRTRUST_PFX_PASSWORD }}
MRTRUST_CODESIGN_PFX_BASE64: ${{ secrets.MRTRUST_CODESIGN_PFX_BASE64 }}
MRTRUST_CODESIGN_PFX_PASSWORD: ${{ secrets.MRTRUST_CODESIGN_PFX_PASSWORD }}
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
TAURI_SIGNING_PUBLIC_KEY: ${{ secrets.TAURI_SIGNING_PUBLIC_KEY }}
XWIN_CACHE_DIR: .xwin-cache
JSIGN_VERSION: "7.4"
steps:
- name: Checkout
uses: actions/checkout@v4
@@ -58,7 +57,8 @@ jobs:
clang \
lld \
llvm \
nsis
nsis \
osslsigncode
- name: Install cargo-xwin
run: cargo install --locked cargo-xwin
@@ -72,21 +72,11 @@ jobs:
- name: Prepare MrTrust Windows code signing
shell: bash
run: |
if [ -z "${MRTRUST_CODE_SIGNING_PFX_BASE64}" ] || [ -z "${MRTRUST_PFX_PASSWORD}" ]; then
echo "::error::MRTRUST_CODE_SIGNING_PFX_BASE64 and MRTRUST_PFX_PASSWORD are required so MrTrust-installed users can trust Modrinth Plus."
if [ -z "${MRTRUST_CODESIGN_PFX_BASE64}" ] || [ -z "${MRTRUST_CODESIGN_PFX_PASSWORD}" ]; then
echo "::error::MRTRUST_CODESIGN_PFX_BASE64 and MRTRUST_CODESIGN_PFX_PASSWORD are required so MrTrust-installed users can trust Modrinth Plus."
exit 1
fi
mkdir -p .signing
printf '%s' "${MRTRUST_CODE_SIGNING_PFX_BASE64}" | base64 --decode > .signing/MrSphay-CodeSigning.pfx
chmod 600 .signing/MrSphay-CodeSigning.pfx
curl --fail-with-body --location \
--output .signing/jsign.jar \
"https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar"
echo "MRTRUST_PFX_PATH=${GITHUB_WORKSPACE}/.signing/MrSphay-CodeSigning.pfx" >> "${GITHUB_ENV}"
echo "JSIGN_JAR=${GITHUB_WORKSPACE}/.signing/jsign.jar" >> "${GITHUB_ENV}"
command -v osslsigncode
- name: Prepare Modrinth Plus update metadata
shell: bash
@@ -95,13 +85,15 @@ jobs:
node -e "const fs=require('fs'); const path='apps/app-frontend/package.json'; const pkg=JSON.parse(fs.readFileSync(path,'utf8')); pkg.version=process.argv[1]; fs.writeFileSync(path, JSON.stringify(pkg,null,'\\t')+'\\n');" "${build_version}"
if [ -n "${TAURI_SIGNING_PRIVATE_KEY}" ] && [ -n "${TAURI_SIGNING_PUBLIC_KEY}" ]; then
node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.plugins.updater.pubkey=process.env.TAURI_SIGNING_PUBLIC_KEY; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
echo "TAURI_BUNDLES=nsis,updater" >> "${GITHUB_ENV}"
else
echo "::error::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY are required for release/update builds."
exit 1
echo "::warning::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY are not set. Building the MrTrust-signed installer without publishing Tauri self-update metadata."
node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.bundle.createUpdaterArtifacts=false; config.plugins.updater.pubkey='dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDIwMzM5QkE0M0FCOERBMzkKUldRNTJyZzZwSnN6SUdPRGdZREtUUGxMblZqeG9OVHYxRUlRTzJBc2U3MUNJaDMvZDQ1UytZZmYK'; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
echo "TAURI_BUNDLES=nsis" >> "${GITHUB_ENV}"
fi
- name: Build Windows desktop client
run: pnpm --filter @modrinth/app exec tauri build --config tauri-release.conf.json --runner cargo-xwin --target x86_64-pc-windows-msvc --bundles "nsis,updater"
run: pnpm --filter @modrinth/app exec tauri build --config tauri-release.conf.json --runner cargo-xwin --target x86_64-pc-windows-msvc --bundles "${TAURI_BUNDLES}"
- name: Upload Windows desktop client
uses: actions/upload-artifact@v3