Another go at signing

2025-03-11 16:13:16 +01:00 · 2019-06-11 13:37:56 -07:00 · 2019-06-11 13:37:56 -07:00 · 782e0e63dc
commit 782e0e63dc
parent a86e41f898
1 changed files with 38 additions and 29 deletions
--- a/tools/ci-scripts/postbuild.py
+++ b/tools/ci-scripts/postbuild.py
@ -111,6 +111,42 @@ def fixupWinZip(filename):
    print("Replacing {} with fixed {}".format(fullPath, outFullPath))
    shutil.move(outFullPath, fullPath)

+def signBuild(executablePath):
+    if sys.platform != 'win32':
+        print('Skipping signing because platform is not win32')
+        return
+
+    RELEASE_TYPE = os.getenv("RELEASE_TYPE", "")
+    if RELEASE_TYPE != "PRODUCTION":
+        print('Skipping signing because RELEASE_TYPE "{}" != "PRODUCTION"'.format(RELEASE_TYPE))
+        return
+
+    HF_PFX_FILE = os.getenv("HF_PFX_FILE", "")
+    if HF_PFX_FILE == "":
+        print('Skipping signing because HF_PFX_FILE is empty')
+        return
+
+    HF_PFX_PASSPHRASE = os.getenv("HF_PFX_PASSPHRASE", "")
+    if HF_PFX_PASSPHRASE == "":
+        print('Skipping signing because HF_PFX_PASSPHRASE is empty')
+        return
+
+    # FIXME use logic similar to the SetPackagingParameteres.cmake to locate the executable
+    SIGN_TOOL = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/signtool.exe"
+    # sign the launcher executable
+    print("Signing {}".format(executablePath))
+    hifi_utils.executeSubprocess([
+            SIGN_TOOL,
+            'sign', 
+            '/fd', 'sha256',
+            '/f', HF_PFX_FILE,
+            '/p', HF_PFX_PASSPHRASE,
+            '/tr', 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
+            '/td', 'SHA256',
+            '"{}"'.format(executablePath)
+        ])
+
+
 def buildLightLauncher():
    launcherSourcePath = os.path.join(SOURCE_PATH, 'launchers', sys.platform)
    launcherBuildPath = os.path.join(BUILD_PATH, 'launcher') 
@ -141,39 +177,12 @@ def buildLightLauncher():
        launcherDestFile = os.path.join(BUILD_PATH, "{}.dmg".format(computeArchiveName('Launcher')))
        launcherSourceFile = os.path.join(launcherBuildPath, "HQ Launcher.dmg")
    elif sys.platform == 'win32':
-        # FIXME
        launcherDestFile = os.path.join(BUILD_PATH, "{}.exe".format(computeArchiveName('Launcher')))
        launcherSourceFile = os.path.join(launcherBuildPath, "Release", "HQLauncher.exe")
+
+    signBuild(launcherSourceFile)
    print("Moving {} to {}".format(launcherSourceFile, launcherDestFile))
    shutil.move(launcherSourceFile, launcherDestFile)
-    if sys.platform != 'win32':
-        print('Skipping signing because platform is not win32')
-    RELEASE_TYPE = os.getenv("RELEASE_TYPE", "")
-    if RELEASE_TYPE != "PRODUCTION":
-        print('Skipping signing because RELEASE_TYPE "{}" != "PRODUCTION"'.format(RELEASE_TYPE))
-        return
-    HF_PFX_FILE = os.getenv("HF_PFX_FILE", "")
-    if HF_PFX_FILE == "":
-        print('Skipping signing because HF_PFX_FILE is empty')
-        return
-    HF_PFX_PASSPHRASE = os.getenv("HF_PFX_PASSPHRASE", "")
-    if HF_PFX_PASSPHRASE == "":
-        print('Skipping signing because HF_PFX_PASSPHRASE is empty')
-        return
-    # FIXME use logic similar to the SetPackagingParameteres.cmake to locate the executable
-    SIGN_TOOL = "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/signtool.exe"
-    # sign the launcher executable
-    print("Signing {}".format(launcherDestFile))
-    hifi_utils.executeSubprocess([
-            SIGN_TOOL,
-            'sign', 
-            '/fd', 'sha256',
-            '/f', HF_PFX_FILE,
-            '/p', HF_PFX_PASSPHRASE,
-            '/tr', 'http://sha256timestamp.ws.symantec.com/sha256/timestamp',
-            '/td', 'SHA256',
-            '"{}"'.format(launcherDestFile)
-        ], folder=launcherBuildPath)