Merge pull request #2937 from rryan/appveyor-codesign

Add a PKCS12 Windows code signing certificate and sign exe/msi artifacts.
mixxxdj · Jul 15, 2020 · 25e92a3 · 25e92a3
2 parents 3648cd1 + 4d7422a
commit 25e92a3
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/appveyor.yml b/appveyor.yml
@@ -165,7 +165,13 @@ for:
     ENVIRONMENTS_PATH: C:\mixxx-buildserver
     MSVC_PATH: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community"
     PATH: 'C:\Python37-x64;C:\Python37-x64\Scripts;%PATH%'
-
+    CODESIGN_CERTIFICATE_PATH: build\certificates\windows_sectigo_codesign_certificate.pfx
+    CODESIGN_CERTIFICATE_SECURE_FILE_SECRET:
+      secure: 1xzNVbLop/5/ySSgZxPzyOz5cm8nVMLEIEW4x0XOJjI=
+    CODESIGN_CERTIFICATE_SECURE_FILE_SALT:
+      secure: tw+bg3qfia7+WQdBdXtC301Z9Dv7yQ6SwpWcFJav9YC4zwyyGztev6pAbGE93sln4VO0WRCJ+4/KTviBMPXvXQ==
+    CODESIGN_CERTIFICATE_PASSWORD:
+      secure: EiAsLAgrsS+N3rr71AAkXPCrxIe2vLvlOvCipnTw6pg=
 
   install:
     - set /P ENVIRONMENT_NAME=<build/windows/golden_environment
@@ -183,6 +189,13 @@ for:
       )
     - choco install ninja
     - python -m pip install git+https://github.com/frerich/clcache.git
+    # Decrypt the code signing certificate.
+    - ps: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        appveyor-tools\secure-file -decrypt %CODESIGN_CERTIFICATE_PATH%.enc -secret %CODESIGN_CERTIFICATE_SECURE_FILE_SECRET% -salt %CODESIGN_CERTIFICATE_SECURE_FILE_SALT%
+      ) else (
+        echo "Skipping certificate decryption because we are in a pull request."
+      )
 
   before_build:
     - FOR /D %%G IN (%WINLIB_PATH%\Qt-*) DO SET QT_PATH=%%G
@@ -235,8 +248,18 @@ for:
       ..
     - cmake --build .
     - cmake --build . --target install
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.exe
+      ) else (
+        echo "Skipping codesigning *.exe because we are in a pull request."
+      )
     # Generate WIX installer
     - cpack -G "WIX"
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.msi
+      ) else (
+        echo "Skipping codesigning *.msi because we are in a pull request."
+      )
 
   test_script:
     # Calling mixxx-test under bash to have standard output and use stdbuf to

diff --git a/build/certificates/windows_sectigo_codesign_certificate.pfx.enc b/build/certificates/windows_sectigo_codesign_certificate.pfx.enc