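---
# Signs externally hosted Windows binaries with the Certum SimplySign cloud
# certificate and uploads the result as a workflow artifact.
#
# Security notes for maintainers:
#   - Whoever can dispatch this workflow can get an arbitrary downloaded file
#     signed with the production code-signing certificate. Keep the dispatch
#     permission narrow, and supply the optional sha256_* inputs so the
#     downloaded bytes are pinned before they reach signtool.
#   - Dispatch inputs are never interpolated into `run:` scripts directly;
#     they are routed through `env:` so a crafted value cannot inject shell.
#   - The `actions/*@vN` references below are mutable tags; pinning them to a
#     full commit SHA is the usual hardening step (values not reproduced here).
name: Sign External Binaries

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      url_x86:
        description: 'X86 (i386) 二进制文件下载地址'
        type: string
        required: false
        default: 'https://console.openpxp.com/download/v1/latest/openp2p386-latest.exe'
      url_x64:
        description: 'X64 (amd64) 二进制文件下载地址'
        type: string
        required: false
        default: 'https://console.openpxp.com/download/v1/latest/openp2p64-latest.exe'
      url_arm:
        description: 'ARM (arm64) 二进制文件下载地址'
        type: string
        required: false
        default: 'https://console.openpxp.com/download/v1/latest/openp2parm64-latest.exe'
      # Optional integrity pins (64 hex chars). When non-empty, the download
      # is discarded unless its SHA-256 matches; when empty, no check is made.
      sha256_x86:
        description: 'Expected SHA-256 of the X86 binary (optional)'
        type: string
        required: false
        default: ''
      sha256_x64:
        description: 'Expected SHA-256 of the X64 binary (optional)'
        type: string
        required: false
        default: ''
      sha256_arm:
        description: 'Expected SHA-256 of the ARM binary (optional)'
        type: string
        required: false
        default: ''

# Read-only token: nothing here writes back to the repository.
permissions:
  contents: read

jobs:
  sign:
    name: Sign Binaries (Certum SimplySign)
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Validate inputs
        shell: bash
        env:
          URL_X86: ${{ inputs.url_x86 }}
          URL_X64: ${{ inputs.url_x64 }}
          URL_ARM: ${{ inputs.url_arm }}
        run: |
          if [ -z "$URL_X86" ] && [ -z "$URL_X64" ] && [ -z "$URL_ARM" ]; then
            echo "ERROR: 至少需要提供一个二进制文件下载地址"
            exit 1
          fi
          echo "=== 输入的下载地址 ==="
          # Plain `if` instead of `[ -n ... ] && echo`: a `&&` list as the last
          # command makes the step exit non-zero whenever that URL is empty.
          if [ -n "$URL_X86" ]; then echo "X86: $URL_X86"; fi
          if [ -n "$URL_X64" ]; then echo "X64: $URL_X64"; fi
          if [ -n "$URL_ARM" ]; then echo "ARM: $URL_ARM"; fi

      - name: Download binaries
        shell: bash
        env:
          URL_X86: ${{ inputs.url_x86 }}
          URL_X64: ${{ inputs.url_x64 }}
          URL_ARM: ${{ inputs.url_arm }}
          SHA256_X86: ${{ inputs.sha256_x86 }}
          SHA256_X64: ${{ inputs.sha256_x64 }}
          SHA256_ARM: ${{ inputs.sha256_arm }}
        run: |
          set -euo pipefail
          mkdir -p sign_binaries

          # download_file URL LABEL EXPECTED_SHA256
          # Fetches URL into sign_binaries/. An empty URL is skipped. When
          # EXPECTED_SHA256 is non-empty the file is deleted and the step fails
          # on a digest mismatch, so unpinned bytes never reach the signer.
          download_file() {
            local url="$1"
            local label="$2"
            local expected_sha="$3"
            if [ -z "$url" ]; then
              echo "跳过 ${label}: 未提供下载地址"
              return
            fi
            # Only fetch over HTTP(S): curl would otherwise honour file://,
            # ftp:// and similar schemes supplied through the dispatch input.
            case "$url" in
              http://*|https://*) ;;
              *)
                echo "ERROR: unsupported URL scheme for ${label}: ${url}"
                exit 1
                ;;
            esac
            echo "正在下载 ${label}: ${url}"
            # Derive the file name from the URL path, dropping query/fragment
            local filename
            filename=$(basename "$url" | sed 's/[?#].*//')
            # Fall back to a label-based name when the URL yields nothing usable
            if [ -z "$filename" ] || [ "$filename" = "/" ] || [ "$filename" = "." ]; then
              filename="${label}-binary.exe"
            fi
            # Two inputs resolving to the same name would silently overwrite
            # each other and one of them would never be signed.
            if [ -e "sign_binaries/${filename}" ]; then
              echo "ERROR: duplicate file name ${filename} for ${label}"
              exit 1
            fi
            if ! curl -fSL --retry 3 --retry-delay 5 -o "sign_binaries/${filename}" "$url"; then
              echo "ERROR: 下载失败 ${label}: ${url}"
              exit 1
            fi
            echo "下载成功: ${filename}"
            if [ -n "$expected_sha" ]; then
              local actual_sha
              expected_sha=$(printf '%s' "$expected_sha" | tr 'A-Z' 'a-z')
              actual_sha=$(sha256sum "sign_binaries/${filename}" | cut -d' ' -f1)
              if [ "$actual_sha" != "$expected_sha" ]; then
                echo "ERROR: SHA-256 mismatch for ${label}: expected ${expected_sha}, got ${actual_sha}"
                rm -f "sign_binaries/${filename}"
                exit 1
              fi
              echo "SHA-256 verified for ${label}"
            fi
          }

          download_file "$URL_X86" "x86" "$SHA256_X86"
          download_file "$URL_X64" "x64" "$SHA256_X64"
          download_file "$URL_ARM" "arm" "$SHA256_ARM"

          echo ""
          echo "=== 已下载的文件 ==="
          ls -la sign_binaries/

      # Installs SimplySign Desktop and applies the registry settings the
      # repository's helper scripts need for unattended login.
      - name: Setup Certum Code Signing (Windows)
        shell: bash
        run: |
          echo "=== SETTING UP CERTUM CODE SIGNING FOR WINDOWS ==="
          echo "Installing SimplySign Desktop and configuring for automatic authentication"

          chmod +x ./.github/scripts/install-simplysign.sh
          ./.github/scripts/install-simplysign.sh

          echo "Configuring registry for automatic login dialog..."
          powershell -ExecutionPolicy Bypass -File "./.github/scripts/configure-simplysign-registry.ps1"

          echo "Certum signing environment ready"

      # Secrets are exposed to the helper script only through env; nothing
      # here echoes them. Up to three attempts, 10 s apart.
      - name: Authenticate Certum (Windows)
        shell: bash
        env:
          CERTUM_OTP_URI: ${{ secrets.CERTUM_OTP_URI }}
          CERTUM_USERNAME: ${{ secrets.CERTUM_USERNAME }}
          CERTUM_CERTIFICATE_SHA1: ${{ secrets.CERTUM_CERTIFICATE_SHA1 }}
          CERTUM_EXE_PATH: ${{ secrets.CERTUM_EXE_PATH }}
        run: |
          echo "=== CERTUM AUTHENTICATION ==="
          echo "Authenticating with Certum cloud certificate using TOTP"

          for attempt in 1 2 3; do
            echo "Authentication attempt ${attempt}/3"
            if powershell -ExecutionPolicy Bypass -File "./.github/scripts/connect-simplySign-enhanced.ps1"; then
              echo "Authentication completed"
              exit 0
            fi

            if [ "$attempt" -lt 3 ]; then
              echo "Authentication attempt failed, retrying in 10 seconds..."
              sleep 10
            fi
          done

          echo "ERROR: Certum authentication failed after 3 attempts"
          exit 1

      - name: Sign Binaries
        shell: bash
        env:
          CERTUM_CERTIFICATE_SHA1: ${{ secrets.CERTUM_CERTIFICATE_SHA1 }}
        run: |
          echo "=== SIGNING BINARIES ==="
          # Fixed grace period for the SimplySign session; the helper scripts
          # own the real readiness checks.
          echo "Allowing connection to stabilize..."
          sleep 10

          echo "=== PKCS#11 Library Check ==="
          if [ -f "/c/Windows/System32/SimplySignPKCS.dll" ]; then
            echo "PKCS#11 library present: /c/Windows/System32/SimplySignPKCS.dll"
          else
            echo "PKCS#11 library not found"
          fi

          echo ""
          echo "=== SimplySign Desktop Status ==="
          powershell -Command "
            Write-Host 'SimplySign Desktop process status:'
            Get-Process -Name '*SimplySign*' -ErrorAction SilentlyContinue |
              Select-Object Name, Id, MainWindowTitle, Responding |
              Format-Table -AutoSize
          "

          echo ""
          echo "Proceeding to signing..."
          echo ""

          powershell -ExecutionPolicy Bypass -File "./.github/scripts/sign-windows.ps1" -TargetDirectory "sign_binaries"

          echo "Binary signing completed"

      # Gate the artifact: an unsigned or mis-signed file must fail the job
      # instead of being published under the "signed-binaries" name.
      - name: Verify Signatures
        shell: pwsh
        run: |
          $signedFiles = Get-ChildItem -Path "sign_binaries" -Recurse -File
          if (-not $signedFiles -or $signedFiles.Count -eq 0) {
            Write-Error "No files found in sign_binaries to verify"
            exit 1
          }
          $failed = 0
          foreach ($file in $signedFiles) {
            $result = Get-AuthenticodeSignature -FilePath $file.FullName
            $status = if ($result.Status -eq "Valid") { "VALID" } else { "INVALID/UNSIGNED ($($result.Status))" }
            Write-Host "$($file.Name): $status"
            if ($result.Status -ne "Valid") { $failed++ }
          }
          if ($failed -gt 0) {
            Write-Error "$failed file(s) do not carry a valid Authenticode signature"
            exit 1
          }

      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: signed-binaries
          path: sign_binaries/
          retention-days: 30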