Sign the main executable on windows
and automate the signing of the installers
This commit is contained in:
David Baker
parent
071223120b
commit
5a7efcd738
5 changed files with 123 additions and 37 deletions
|
|
@ -1,26 +1,30 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
usage() {
|
||||
echo "Usage: $0 -v <version> -c <config file> [-n]"
|
||||
echo "Usage: $0 -v <version> -d <config directory> [-n]"
|
||||
echo
|
||||
echo "version: commit-ish to check out and build"
|
||||
echo "config file: a path to a json config file to"
|
||||
echo "ship with the build. In addition, update_base_url:"
|
||||
echo "from this file is used to set up auto-update."
|
||||
echo "config directory: a path to a directory containing"
|
||||
echo "config.json, a json config file to ship with the build"
|
||||
echo "and env.sh, a file to source environment variables"
|
||||
echo "from."
|
||||
echo "-n: build with no config file."
|
||||
echo
|
||||
echo "Values may also be passed as environment variables"
|
||||
echo "The update_base_url value from config.json is used to set up auto-update."
|
||||
echo
|
||||
echo "Environment variables:"
|
||||
echo " OSSLSIGNCODE_SIGNARGS: Arguments to pass to osslsigncode when signing"
|
||||
echo " NOTARIZE_APPLE_ID: Apple ID to use for notarisation. The password for"
|
||||
echo " this account must be set in NOTARIZE_CREDS in the keychain."
|
||||
}
|
||||
|
||||
conffile=
|
||||
confdir=
|
||||
version=
|
||||
skipcfg=0
|
||||
while getopts "c:v:n" opt; do
|
||||
while getopts "d:v:n" opt; do
|
||||
case $opt in
|
||||
c)
|
||||
conffile=$OPTARG
|
||||
d)
|
||||
confdir=$OPTARG
|
||||
;;
|
||||
v)
|
||||
version=$OPTARG
|
||||
|
|
@ -42,6 +46,8 @@ if [ -z "$version" ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
conffile="$confdir/config.json"
|
||||
|
||||
if [ -z "$conffile" ] && [ "$skipcfg" = 0 ]; then
|
||||
echo "No config file given. Use -c to supply a config file or"
|
||||
echo "-n to build with no config file (and no auto update)."
|
||||
|
|
@ -67,14 +73,31 @@ if [ ! -f package.json ]; then
|
|||
exit
|
||||
fi
|
||||
|
||||
[ -f "$confdir/env.sh" ] && . "$confdir/env.sh"
|
||||
|
||||
if [ -z "$NOTARIZE_APPLE_ID" ]; then
|
||||
echo "NOTARIZE_APPLE_ID is not set"
|
||||
exit
|
||||
fi
|
||||
|
||||
osslsigncode -h 2> /dev/null
|
||||
if [ $? -ne 255 ]; then # osslsigncode exits with 255 after printing usgae...
|
||||
echo "osslsigncode not found"
|
||||
exit
|
||||
fi
|
||||
|
||||
# Test that altool can get its credentials for notarising the mac app
|
||||
xcrun altool -u "$NOTARIZE_APPLE_ID" -p '@keychain:NOTARIZE_CREDS' --list-apps || exit
|
||||
|
||||
# Get the token password: we'll need it later, but get it now so we fail early if it's not there
|
||||
token_password=`security find-generic-password -s riot_signing_token -w`
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "riot_signing_token not found in keychain"
|
||||
exit
|
||||
fi
|
||||
|
||||
set -e
|
||||
|
||||
echo "Building $version using Update base URL $update_base_url"
|
||||
|
||||
projdir=`pwd`
|
||||
|
|
@ -115,14 +138,12 @@ mkdir -p "$projdir/electron_app/dist/unsigned/"
|
|||
mkdir -p "$pubdir/install/macos"
|
||||
cp $distdir/*.dmg "$pubdir/install/macos/"
|
||||
|
||||
# Windows installers go to the dist dir because they need signing
|
||||
# Windows installers need signing, this comes later
|
||||
mkdir -p "$pubdir/install/win32/ia32/"
|
||||
mkdir -p "$projdir/electron_app/dist/unsigned/ia32/"
|
||||
cp $distdir/squirrel-windows-ia32/*.exe "$projdir/electron_app/dist/unsigned/ia32/"
|
||||
|
||||
mkdir -p "$pubdir/install/win32/x64/"
|
||||
mkdir -p "$projdir/electron_app/dist/unsigned/x64/"
|
||||
cp $distdir/squirrel-windows/*.exe "$projdir/electron_app/dist/unsigned/x64/"
|
||||
|
||||
# Packages for auto-update
|
||||
mkdir -p "$pubdir/update/macos"
|
||||
|
|
@ -144,9 +165,16 @@ cp $distdir/squirrel-windows/RELEASES "$pubdir/update/win32/x64/"
|
|||
# longer appears to work).
|
||||
cp $distdir/*_amd64.deb "$projdir/electron_app/dist/"
|
||||
|
||||
# Now we sign the windows installer executables (as opposed to the main binary which
|
||||
# is signed in the electron afteSign hook)
|
||||
echo "Signing Windows installers..."
|
||||
|
||||
osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows-ia32/*.exe" -out "$projdir/electron_app/dist/unsigned/ia32/"
|
||||
osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$distdir/squirrel-windows/*.exe" -out "$projdir/electron_app/dist/unsigned/x64/"
|
||||
|
||||
echo "Installers signed"
|
||||
|
||||
rm -rf "$builddir"
|
||||
|
||||
echo "Unsigned Windows installers have been placed in electron_app/dist/unsigned/ - sign them,"
|
||||
echo "or just copy them to "$pubdir/install/win32/\<arch\>/""
|
||||
echo "Once you've done this, $pubdir can be hosted on your web server."
|
||||
echo "$pubdir can now be hosted on your web server."
|
||||
echo "deb archives are in electron_app/dist/ - these should be added into your debian repository"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue