From 400f76969dd96a00151cb4ba42fd447d241490a8 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin <johannes.schindelin@gmx.de>
Date: Sun, 12 Apr 2020 00:34:56 +0200
Subject: [PATCH] git-artifacts: also code-sign, if configured via the secrets

When the secrets `CODESIGN_P12` and `CODESIGN_PASS` are set, the
workflow will now code-sign the `.exe` files contained in the package.

This should help with a few anti-malware programs, at least when the
certificate saw some action and gained trust.

Note: `CODESIGN_P12` needs to be generated via

	cat <certificate>.p12 | base64 | tr '\n' %

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
 .github/workflows/git-artifacts.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/git-artifacts.yml b/.github/workflows/git-artifacts.yml
index b5dbf6c4bcf5a4..7faeac0fcca436 100644
--- a/.github/workflows/git-artifacts.yml
+++ b/.github/workflows/git-artifacts.yml
@@ -135,6 +135,18 @@ jobs:
           git remote add -f origin https://github.com/git-for-windows/git &&
           git fetch --tags bundle-artifacts/git.bundle $(cat bundle-artifacts/next_version) &&
           git reset --hard $(cat bundle-artifacts/next_version)
+      - name: Prepare home directory for code-signing
+        env:
+          CODESIGN_P12: ${{secrets.CODESIGN_P12}}
+          CODESIGN_PASS: ${{secrets.CODESIGN_PASS}}
+        if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
+        shell: bash
+        run: |
+          cd home &&
+          mkdir -p .sig &&
+          echo -n "$CODESIGN_P12" | tr % '\n' | base64 -d >.sig/codesign.p12 &&
+          echo -n "$CODESIGN_PASS" >.sig/codesign.pass
+          git config --global alias.signtool '!sh "/usr/src/build-extra/signtool.sh"'
       - name: Prepare home directory for GPG signing
         if: env.GPGKEY != ''
         shell: bash