Added Ubuntu-runner signing support through osslsigncode and PFX secrets.
2026-05-16 03:08:43 +02:00
parent 16e5d1377c
commit 631a66dab1
9 changed files with 122 additions and 12 deletions


@@ -43,6 +43,8 @@ Apply every item that fits the target project:
- Use the public thumbprint from `mrtrust.integration.json`.
- Only run signing where private signing material is securely available.
- Do not commit `.pfx`, private keys, passwords, tokens, or signing secrets.
- On the available `ubuntu-latest` Gitea runners, use `osslsigncode` with PFX secrets for `.exe`, `.dll`, `.msi`, and `.cat`.
- PowerShell script signing (`.ps1`, `.psm1`, `.psd1`) still requires a Windows signing environment. If no Windows runner exists, document that limitation instead of blocking PE/MSI signing.
4. Add verification.
- Verify the target project still builds.
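Review bot: the new `osslsigncode` bullet lists the tool and the artifact types but says nothing about timestamping, and no other item in this list requires it; an Authenticode signature without an RFC 3161 counter-signature stops validating once the signing certificate expires, so add a bullet along the lines of `- Always timestamp signatures (osslsigncode -ts <url>) so they outlive the certificate.` The PowerShell bullet should also record which `osslsigncode` version the "requires a Windows signing environment" limitation was checked against, because the statement depends on the version the runner installs.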
@@ -76,6 +78,12 @@ Check a signature:
Get-AuthenticodeSignature .\dist\App.exe | Format-List Status,SignerCertificate,StatusMessage
```
Sign a release directory on an Ubuntu Gitea runner:
```bash
bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh ./dist
```
## Installer Patterns
### Inno Setup
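Review bot: the new Ubuntu signing example has no Linux counterpart to the `Get-AuthenticodeSignature` check just above it, so a reader on an `ubuntu-latest` runner is told how to sign but not how to confirm the result. Add a verification line after the `Sign-MrTrustProjectLinux.sh` invocation, for example `osslsigncode verify -in ./dist/App.exe`, so the two platforms document the same sign-then-check flow.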
@@ -118,6 +126,45 @@ Document that users should run it once before launching signed MrSphay apps if W
## CI Signing Patterns
### Gitea Actions On Ubuntu Runner
Use this when only `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04` runners are available.
Required Gitea secrets:
```text
MRTRUST_CODESIGN_PFX_BASE64
MRTRUST_CODESIGN_PFX_PASSWORD
```
Create `MRTRUST_CODESIGN_PFX_BASE64` locally from the private `.pfx`:
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes(".\private\MrSphay-CodeSigning.pfx")) | Set-Clipboard
```
Then paste the clipboard value into the Gitea secret. Do not commit the `.pfx` or the base64 value.
Ubuntu workflow step:
```yaml
- name: Install signing tool
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y osslsigncode
- name: Sign Windows artifacts
shell: bash
env:
MRTRUST_CODESIGN_PFX_BASE64: ${{ secrets.MRTRUST_CODESIGN_PFX_BASE64 }}
MRTRUST_CODESIGN_PFX_PASSWORD: ${{ secrets.MRTRUST_CODESIGN_PFX_PASSWORD }}
run: |
bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh ./dist
```
This signs `.exe`, `.dll`, `.msi`, and `.cat` artifacts. It does not sign PowerShell script files.
### Gitea Actions On Windows Runner
```yaml
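Review bot: the `Sign Windows artifacts` step hands `MRTRUST_CODESIGN_PFX_BASE64` and `MRTRUST_CODESIGN_PFX_PASSWORD` to `Sign-MrTrustProjectLinux.sh`, but this section never says how the decoded `.pfx` is handled on the runner; document that the script writes it to a private temporary path and deletes it when done, including on failure, since a runner shared between jobs would otherwise keep the private key on disk. Two smaller points: `sudo apt-get install -y osslsigncode` installs whatever version the distribution ships, so state the minimum version the script needs; and the workflow ends at signing with no `osslsigncode verify` pass over `./dist`, so a partial failure inside the script could let unsigned artifacts reach the release.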