Skip to content
This repository was archived by the owner on Oct 27, 2025. It is now read-only.

Commit e00d519

Browse files
committed
use digicert to sign windows releases
DigiCert Software Trust Manager remove the stuff we know works revert updated workflow try these windows only comment out credentials fix workflow reattempt wrong api key convert to a binary cert file try this try again GPT 5 has a go unknown flag debug IT worked, so adding back linuz and macos versions
1 parent 5c33026 commit e00d519

2 files changed

Lines changed: 66 additions & 28 deletions

File tree

.github/workflows/release.yml

Lines changed: 61 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -5,9 +5,8 @@ on:
55
branches:
66
- master
77
- preview/*
8-
# uncomment after first official release.
9-
# tags:
10-
# - 'v*.*.*'
8+
tags:
9+
- 'v*.*.*'
1110

1211
jobs:
1312
publish-tauri:
@@ -159,32 +158,60 @@ jobs:
159158
SHA256SUMS
160159
SHA256SUMS.asc
161160
162-
# # === Windows EV Signing ===
163-
# - name: Write Windows EV Certificate to file
164-
# if: matrix.platform == 'windows-latest'
165-
# run: |
166-
# echo $env:WINDOWS_EV_CERTIFICATE > windows_cert.pfx
167-
# env:
168-
# WINDOWS_EV_CERTIFICATE: ${{ secrets.WINDOWS_EV_CERTIFICATE }}
169-
170-
# - name: Sign Windows Binary with EV Certificate
171-
# if: matrix.platform == 'windows-latest'
172-
# run: |
173-
# signtool sign /f windows_cert.pfx /p %WINDOWS_EV_CERTIFICATE_PASSWORD% /tr http://timestamp.digicert.com /td sha256 /fd sha256 path\to\metanet-desktop-setup.exe
174-
# env:
175-
# WINDOWS_EV_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_EV_CERTIFICATE_PASSWORD }}
176-
177-
# - name: Verify Windows Signature
178-
# if: matrix.platform == 'windows-latest'
179-
# run: |
180-
# signtool verify /pa /v path\to\metanet-desktop-setup.exe
181-
182-
- name: List Windows build artifacts for debugging
161+
- name: Set up certificate
162+
if: matrix.platform == 'windows-latest'
163+
run: |
164+
echo "${{ secrets.DIGICERT_CLIENT_AUTH_CERT }}" | base64 --decode > /d/Certificate_pkcs12.p12
165+
shell: bash
166+
167+
- name: Set DigiCert environment variables
183168
if: matrix.platform == 'windows-latest'
184-
shell: powershell
185169
run: |
186-
Write-Host "Checking build directory structure:"
187-
Get-ChildItem -Path src-tauri\target\release -Recurse | Where-Object { $_.Name -like "*.exe" } | ForEach-Object { $_.FullName }
170+
echo "SM_HOST=${{ secrets.DIGICERT_HOST }}" >> "$GITHUB_ENV"
171+
echo "SM_API_KEY=${{ secrets.DIGICERT_KEY_LOCKER_API_KEY }}" >> "$GITHUB_ENV"
172+
echo "SM_FINGERPRINT=${{ secrets.DIGICERT_CODE_SIGNING_SHA1_HASH }}" >> "$GITHUB_ENV"
173+
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
174+
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.DIGICERT_CLIENT_AUTH_PASS }}" >> "$GITHUB_ENV"
175+
shell: bash
176+
177+
- name: Code signing with Software Trust Manager
178+
if: matrix.platform == 'windows-latest'
179+
uses: digicert/ssm-code-signing@v1.1.0
180+
env:
181+
FORCE_DOWNLOAD_TOOLS: 'true'
182+
183+
- name: DigiCert tools healthcheck
184+
if: matrix.platform == 'windows-latest'
185+
shell: cmd
186+
run: |
187+
smctl version
188+
smctl healthcheck
189+
190+
- name: Sync KeyLocker certificate to Windows store (KSP)
191+
if: matrix.platform == 'windows-latest'
192+
shell: cmd
193+
run: |
194+
"%LOCALAPPDATA%\Temp\smtools-windows-x64\smksp_cert_sync.exe"
195+
certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user
196+
197+
- name: Sign Windows executables with DigiCert (KSP)
198+
if: matrix.platform == 'windows-latest'
199+
shell: cmd
200+
run: |
201+
for /r "src-tauri\target\release\bundle" %%f in (*.exe *.msi) do (
202+
smctl sign --fingerprint %SM_FINGERPRINT% --input "%%f"
203+
)
204+
205+
- name: Verify Windows Signatures
206+
if: matrix.platform == 'windows-latest'
207+
shell: pwsh
208+
run: |
209+
$signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue | Select-Object -First 1 -ExpandProperty FullName
210+
if (-not $signtool) { throw "signtool.exe not found. Ensure Windows 10 SDK is installed on the runner." }
211+
$files = Get-ChildItem -Recurse -Path src-tauri\target\release\bundle\ -Include *.exe,*.msi | Select-Object -ExpandProperty FullName
212+
foreach ($file in $files) {
213+
& $signtool verify /pa "$file"
214+
}
188215
189216
- name: Upload Windows Artifact - MSI
190217
if: matrix.platform == 'windows-latest'
@@ -203,3 +230,10 @@ jobs:
203230
src-tauri/target/release/bundle/nsis/*.exe
204231
src-tauri/target/release/bundle/nsis-web/*.exe
205232
if-no-files-found: warn
233+
234+
- name: List Windows build artifacts for debugging
235+
if: matrix.platform == 'windows-latest'
236+
shell: powershell
237+
run: |
238+
Write-Host "Checking build directory structure:"
239+
Get-ChildItem -Path src-tauri\target\release -Recurse | Where-Object { $_.Name -like "*.exe" } | ForEach-Object { $_.FullName }

src-tauri/Cargo.toml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,10 +11,14 @@ edition = "2021"
1111
# The `_lib` suffix may seem redundant but it is necessary
1212
# to make the lib name unique and wouldn't conflict with the bin name.
1313
# This seems to be only an issue on Windows, see https://github.com/rust-lang/cargo/issues/8519
14-
name = "metanet_desktop"
14+
name = "metanet_desktop_lib"
1515
path = "src/lib.rs"
1616
crate-type = ["staticlib", "cdylib", "rlib"]
1717

18+
[[bin]]
19+
name = "metanet-desktop"
20+
path = "src/main.rs"
21+
1822
[build-dependencies]
1923
tauri-build = { version = "2", features = [] }
2024

0 commit comments

Comments
 (0)