Sign Windows releases with MrTrust certificate
@@ -19,10 +19,13 @@ jobs:
|
||||
MODRINTH_SOCKET_URL: wss://api.modrinth.com/
|
||||
MODRINTH_LAUNCHER_META_URL: https://launcher-meta.modrinth.com/
|
||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
MRTRUST_CODE_SIGNING_PFX_BASE64: ${{ secrets.MRTRUST_CODE_SIGNING_PFX_BASE64 }}
|
||||
MRTRUST_PFX_PASSWORD: ${{ secrets.MRTRUST_PFX_PASSWORD }}
|
||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
|
||||
TAURI_SIGNING_PUBLIC_KEY: ${{ secrets.TAURI_SIGNING_PUBLIC_KEY }}
|
||||
XWIN_CACHE_DIR: .xwin-cache
|
||||
JSIGN_VERSION: "7.4"
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -66,6 +69,25 @@ jobs:
|
||||
- name: Install Windows Rust target
|
||||
run: rustup target add x86_64-pc-windows-msvc
|
||||
|
||||
- name: Prepare MrTrust Windows code signing
|
||||
shell: bash
|
||||
run: |
|
||||
if [ -z "${MRTRUST_CODE_SIGNING_PFX_BASE64}" ] || [ -z "${MRTRUST_PFX_PASSWORD}" ]; then
|
||||
echo "::error::MRTRUST_CODE_SIGNING_PFX_BASE64 and MRTRUST_PFX_PASSWORD are required so MrTrust-installed users can trust Modrinth Plus."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir -p .signing
|
||||
printf '%s' "${MRTRUST_CODE_SIGNING_PFX_BASE64}" | base64 --decode > .signing/MrSphay-CodeSigning.pfx
|
||||
chmod 600 .signing/MrSphay-CodeSigning.pfx
|
||||
|
||||
curl --fail-with-body --location \
|
||||
--output .signing/jsign.jar \
|
||||
"https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar"
|
||||
|
||||
echo "MRTRUST_PFX_PATH=${GITHUB_WORKSPACE}/.signing/MrSphay-CodeSigning.pfx" >> "${GITHUB_ENV}"
|
||||
echo "JSIGN_JAR=${GITHUB_WORKSPACE}/.signing/jsign.jar" >> "${GITHUB_ENV}"
|
||||
|
||||
- name: Prepare Modrinth Plus update metadata
|
||||
shell: bash
|
||||
run: |
|
||||
@@ -74,12 +96,12 @@ jobs:
|
||||
if [ -n "${TAURI_SIGNING_PRIVATE_KEY}" ] && [ -n "${TAURI_SIGNING_PUBLIC_KEY}" ]; then
|
||||
node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.plugins.updater.pubkey=process.env.TAURI_SIGNING_PUBLIC_KEY; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
|
||||
else
|
||||
echo "::warning::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY are not set. Building installer without publishing self-update metadata."
|
||||
node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.plugins.updater.pubkey='dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDIwMzM5QkE0M0FCOERBMzkKUldRNTJyZzZwSnN6SUdPRGdZREtUUGxMblZqeG9OVHYxRUlRTzJBc2U3MUNJaDMvZDQ1UytZZmYK'; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
|
||||
echo "::error::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY are required for release/update builds."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Build Windows desktop client
|
||||
run: pnpm --filter @modrinth/app exec tauri build --runner cargo-xwin --target x86_64-pc-windows-msvc
|
||||
run: pnpm --filter @modrinth/app exec tauri build --config tauri-release.conf.json --runner cargo-xwin --target x86_64-pc-windows-msvc --bundles "nsis,updater"
|
||||
|
||||
- name: Upload Windows desktop client
|
||||
uses: actions/upload-artifact@v3
|
||||
@@ -159,3 +181,8 @@ jobs:
|
||||
--upload-file "${package_dir}/latest/latest.json" \
|
||||
"${latest_url}/latest.json"
|
||||
fi
|
||||
|
||||
- name: Clean signing material
|
||||
if: always()
|
||||
shell: bash
|
||||
run: rm -rf .signing
|
||||
|
||||
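Review bot: The `curl` download of `jsign-${JSIGN_VERSION}.jar` in the "Prepare MrTrust Windows code signing" step has no integrity check, and that jar is presumably the tool later given the PFX and its password (its use is not visible on this page). A release asset named by version is not an immutable pin, so I would add a digest next to `JSIGN_VERSION`, e.g. `JSIGN_SHA256: "<sha256 of the jsign-7.4.jar asset, recorded from a verified copy>"`, and fail the step on mismatch with `echo "${JSIGN_SHA256}  .signing/jsign.jar" | sha256sum --check` right after the download (assuming a Linux runner). Separately, `MRTRUST_CODE_SIGNING_PFX_BASE64` and `MRTRUST_PFX_PASSWORD` sit in the job-level `env:`, so every step in the job receives them, including the pnpm/tauri build and third-party actions; a step-level `env:` on only the steps that sign would narrow that exposure. The decoded PFX is also written under the workspace before the upload steps run; `${RUNNER_TEMP}` would keep it away from any path-based artifact or cache glob, though the upload paths are not shown in these hunks.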