From 782e0e63dc95797d488535d5f7be08921b62da09 Mon Sep 17 00:00:00 2001 From: Brad Davis Date: Tue, 11 Jun 2019 13:37:56 -0700 Subject: [PATCH] Another go at signing --- tools/ci-scripts/postbuild.py | 67 ++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/tools/ci-scripts/postbuild.py b/tools/ci-scripts/postbuild.py index 835ceb828b..08f42b977c 100644 --- a/tools/ci-scripts/postbuild.py +++ b/tools/ci-scripts/postbuild.py @@ -111,6 +111,42 @@ def fixupWinZip(filename): print("Replacing {} with fixed {}".format(fullPath, outFullPath)) shutil.move(outFullPath, fullPath) +def signBuild(executablePath): + if sys.platform != 'win32': + print('Skipping signing because platform is not win32') + return + + RELEASE_TYPE = os.getenv("RELEASE_TYPE", "") + if RELEASE_TYPE != "PRODUCTION": + print('Skipping signing because RELEASE_TYPE "{}" != "PRODUCTION"'.format(RELEASE_TYPE)) + return + + HF_PFX_FILE = os.getenv("HF_PFX_FILE", "") + if HF_PFX_FILE == "": + print('Skipping signing because HF_PFX_FILE is empty') + return + + HF_PFX_PASSPHRASE = os.getenv("HF_PFX_PASSPHRASE", "") + if HF_PFX_PASSPHRASE == "": + print('Skipping signing because HF_PFX_PASSPHRASE is empty') + return + + # FIXME use logic similar to the SetPackagingParameteres.cmake to locate the executable + SIGN_TOOL = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/signtool.exe" + # sign the launcher executable + print("Signing {}".format(executablePath)) + hifi_utils.executeSubprocess([ + SIGN_TOOL, + 'sign', + '/fd', 'sha256', + '/f', HF_PFX_FILE, + '/p', HF_PFX_PASSPHRASE, + '/tr', 'http://sha256timestamp.ws.symantec.com/sha256/timestamp', + '/td', 'SHA256', + '"{}"'.format(executablePath) + ]) + + def buildLightLauncher(): launcherSourcePath = os.path.join(SOURCE_PATH, 'launchers', sys.platform) launcherBuildPath = os.path.join(BUILD_PATH, 'launcher') @@ -141,39 +177,12 @@ def buildLightLauncher(): launcherDestFile = os.path.join(BUILD_PATH, "{}.dmg".format(computeArchiveName('Launcher'))) launcherSourceFile = os.path.join(launcherBuildPath, "HQ Launcher.dmg") elif sys.platform == 'win32': - # FIXME launcherDestFile = os.path.join(BUILD_PATH, "{}.exe".format(computeArchiveName('Launcher'))) launcherSourceFile = os.path.join(launcherBuildPath, "Release", "HQLauncher.exe") + + signBuild(launcherSourceFile) print("Moving {} to {}".format(launcherSourceFile, launcherDestFile)) shutil.move(launcherSourceFile, launcherDestFile) - if sys.platform != 'win32': - print('Skipping signing because platform is not win32') - RELEASE_TYPE = os.getenv("RELEASE_TYPE", "") - if RELEASE_TYPE != "PRODUCTION": - print('Skipping signing because RELEASE_TYPE "{}" != "PRODUCTION"'.format(RELEASE_TYPE)) - return - HF_PFX_FILE = os.getenv("HF_PFX_FILE", "") - if HF_PFX_FILE == "": - print('Skipping signing because HF_PFX_FILE is empty') - return - HF_PFX_PASSPHRASE = os.getenv("HF_PFX_PASSPHRASE", "") - if HF_PFX_PASSPHRASE == "": - print('Skipping signing because HF_PFX_PASSPHRASE is empty') - return - # FIXME use logic similar to the SetPackagingParameteres.cmake to locate the executable - SIGN_TOOL = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/signtool.exe" - # sign the launcher executable - print("Signing {}".format(launcherDestFile)) - hifi_utils.executeSubprocess([ - SIGN_TOOL, - 'sign', - '/fd', 'sha256', - '/f', HF_PFX_FILE, - '/p', HF_PFX_PASSPHRASE, - '/tr', 'http://sha256timestamp.ws.symantec.com/sha256/timestamp', - '/td', 'SHA256', - '"{}"'.format(launcherDestFile) - ], folder=launcherBuildPath)