git-artifacts: also code-sign, if configured via the secrets

When the secrets `CODESIGN_P12` and `CODESIGN_PASS` are set, the workflow will now code-sign the `.exe` files contained in the package. This should help with a few anti-malware programs, at least when the certificate saw some action and gained trust. Note: `CODESIGN_P12` needs to be generated via cat <certificate>.p12 | base64 | tr '\n' % Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
git-for-windows · Sep 22, 2022 · 400f769 · 400f769
1 parent 5bfd37b
commit 400f769
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/.github/workflows/git-artifacts.yml b/.github/workflows/git-artifacts.yml
@@ -135,6 +135,18 @@ jobs:
           git remote add -f origin https://github.com/git-for-windows/git &&
           git fetch --tags bundle-artifacts/git.bundle $(cat bundle-artifacts/next_version) &&
           git reset --hard $(cat bundle-artifacts/next_version)
+      - name: Prepare home directory for code-signing
+        env:
+          CODESIGN_P12: ${{secrets.CODESIGN_P12}}
+          CODESIGN_PASS: ${{secrets.CODESIGN_PASS}}
+        if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
+        shell: bash
+        run: |
+          cd home &&
+          mkdir -p .sig &&
+          echo -n "$CODESIGN_P12" | tr % '\n' | base64 -d >.sig/codesign.p12 &&
+          echo -n "$CODESIGN_PASS" >.sig/codesign.pass
+          git config --global alias.signtool '!sh "/usr/src/build-extra/signtool.sh"'
       - name: Prepare home directory for GPG signing
         if: env.GPGKEY != ''
         shell: bash