Merge pull request #11747 from derrod/dual-sign-sigh

CI: Add ARM and Game Capture Dual-Signing
Ryan Foster
2025-04-15 11:56:14 -07:00
committed by GitHub
6 changed files with 136 additions and 20 deletions


@@ -14,6 +14,10 @@ inputs:
description: Update channel
required: false
default: 'stable'
architecture:
description: OBS build architecture
required: false
default: 'x64'
runs:
using: composite
@@ -71,6 +75,7 @@ runs:
Invoke-External msiexec /i $msiPath /qn /norestart
- name: Install rclone
if: inputs.architecture == 'x64'
shell: pwsh
run: |
choco install rclone --version=1.64.2 -y --no-progress
@@ -81,7 +86,15 @@ runs:
workload_identity_provider: ${{ inputs.gcpWorkloadIdentityProvider }}
service_account: ${{ inputs.gcpServiceAccountName }}
- name: Ensure previous build directory exists
if: inputs.architecture != 'x64'
shell: pwsh
run: |
. ${env:GITHUB_ACTION_PATH}\Ensure-Location.ps1
Ensure-Location "${{ github.workspace }}/old_builds"
- name: Download Previous Build
if: inputs.architecture == 'x64'
shell: pwsh
env:
RCLONE_GCS_ENV_AUTH: 'true'
@@ -90,12 +103,28 @@ runs:
Ensure-Location "${{ github.workspace }}/old_builds"
rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" .
- name: Sign Game Capture with RSA cert
shell: pwsh
run: |
. ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
$SignToolExe = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
$signArgs = @(
"sign"
"/fd", "sha256"
"/t", "http://timestamp.digicert.com"
"/f", "repo/.github/actions/windows-signing/prod-gc.crt"
"/csp", "Google Cloud KMS Provider"
"/kc", "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/game-capture-release-sign-hsm/cryptoKeyVersions/1"
"${{ github.workspace }}/build/data/obs-plugins/win-capture/*.dll"
)
Invoke-External $SignToolExe @signArgs
- name: Run bouf
shell: pwsh
run: |
. ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
$boufArgs = @(
"--config", "${env:GITHUB_ACTION_PATH}/config.toml",
"--config", "${env:GITHUB_ACTION_PATH}/config_${{ inputs.architecture }}.toml"
"--version", "${{ inputs.version }}"
"--branch", "${{ inputs.channel }}"
"-i", "${{ github.workspace }}/build"
@@ -106,6 +135,7 @@ runs:
Invoke-External "${{ github.workspace }}\bouf\bin\bouf.exe" @boufArgs
- name: Sync Latest Build
if: inputs.architecture == 'x64'
shell: pwsh
env:
RCLONE_INCLUDE: '**/${{ inputs.version }}/**'
@@ -115,6 +145,7 @@ runs:
rclone sync --delete-excluded --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-latest/${{ inputs.channel }}"
- name: Upload Build to Archive
if: inputs.architecture == 'x64'
shell: pwsh
env:
RCLONE_GCS_ENV_AUTH: 'true'
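Review bot: The new "Sign Game Capture with RSA cert" step (hunk `@@ -90,12 +103,28 @@`) timestamps with signtool's `/t` switch, which selects the legacy Authenticode timestamp protocol and cannot request a timestamp digest. The file digest in the same step is `/fd sha256`, and the bouf configs on this page set `sign_ts_algo = "sha256"`. The RFC 3161 form would keep the two signatures consistent: `"/tr", "http://timestamp.digicert.com"` followed by `"/td", "sha256"`. The step also has no check after signing; running `signtool verify /pa /all` on the win-capture DLLs before bouf runs would catch a file that was skipped or signed with the wrong certificate. That matters because bouf, with `sign_append = true`, presumably appends to whatever signature state it is handed.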


@@ -0,0 +1,47 @@
[general]
log_level = "trace"
[env]
# On CI these should be in %PATH%
sevenzip_path = "7z"
makensis_path = "makensis"
pandoc_path = "pandoc"
pdbcopy_path = "C:/Program Files (x86)/Windows Kits/10/Debuggers/x64/pdbcopy.exe"
## Preparation steps
[prepare]
[prepare.copy]
never_copy = [
"bin/32bit",
"obs-plugins/32bit",
".keepme",
]
[prepare.codesign]
sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
sign_digest = "sha384"
sign_ts_serv = "http://timestamp.digicert.com"
sign_ts_algo = "sha256"
sign_exts = ['exe', 'dll', 'pyd']
sign_append = true
[prepare.strip_pdbs]
# PDBs to not strip
exclude = [
"obs-frontend-api.pdb",
"obs64.pdb",
"obs.pdb",
]
[package]
[package.installer]
skip = true
[package.zip]
name = "OBS-Studio-{version}-arm64.zip"
pdb_name = "OBS-Studio-{version}-arm64-pdbs.zip"
[package.updater]
skip_sign = true
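Review bot: `sign_append = true` under `[prepare.codesign]` has no comment saying that it depends on the signtool step the action runs before bouf. The flip from `false` to `true` in the other config further down this page is equally silent. If bouf maps this setting to signtool's append mode (an inference from the name), any input that already carries a signature keeps it as the primary one and the release-sign-hsm signature is added after it. That would apply to any binary that arrives pre-signed, not only the win-capture DLLs, so it is worth confirming how already-signed third-party files are meant to be handled. A comment such as `# Append so the RSA signature the action adds to win-capture DLLs is kept (dual-signing)` would record the intent in both files.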


@@ -23,8 +23,9 @@ sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
sign_digest = "sha384"
sign_ts_serv = "http://timestamp.digicert.com"
sign_ts_algo = "sha256"
sign_exts = ['exe', 'dll', 'pyd']
sign_append = false
sign_append = true
[prepare.strip_pdbs]
# PDBs to not strip
@@ -34,15 +35,6 @@ exclude = [
"obs.pdb",
]
## Delta patch generation
[generate]
patch_type = "zstd"
compress_files = true
exclude_from_parallel = [
"libcef.dll"
]
[package]
[package.installer]
nsis_script = "bouf/nsis/mp-installer.nsi"
@@ -52,5 +44,4 @@ name = "OBS-Studio-{version}-x64.zip"
pdb_name = "OBS-Studio-{version}-pdbs.zip"
[package.updater]
vc_redist_path = "bouf/nsis/VC_redist.x64.exe"
skip_sign = true


@@ -0,0 +1,42 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -207,7 +207,7 @@ jobs:
sign-windows-build:
name: Windows Signing ✍️
uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@dc7a58484d3ef2c610a5184dd05d1d02dbd3e549
uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@65f417d65c32857f44e7d0871753ba0c099130fd
if: github.repository_owner == 'obsproject' && github.ref_type == 'tag'
needs: build-project
permissions:


@@ -3,7 +3,10 @@ on:
workflow_call:
jobs:
create-windows-update:
name: Create Windows Update 🥩
name: Sign Windows Build 🥩
strategy:
matrix:
architecture: [x64, arm64]
runs-on: windows-2022
environment:
name: bouf
@@ -41,7 +44,7 @@ jobs:
- name: Download Artifact 📥
uses: actions/download-artifact@v4
with:
name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
name: obs-studio-windows-${{ matrix.architecture }}-${{ steps.setup.outputs.commitHash }}
path: ${{ github.workspace }}/build
- name: Run bouf 🥩
@@ -51,29 +54,31 @@ jobs:
gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
version: ${{ github.ref_name }}
channel: ${{ steps.setup.outputs.channel }}
architecture: ${{ matrix.architecture }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: ${{ github.workspace }}/output/*-x64.zip
subject-path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
- name: Upload Signed Build
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-signed
name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-signed
compression-level: 0
path: ${{ github.workspace }}/output/*-x64.zip
path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
- name: Upload PDBs
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-pdbs
compression-level: 0
path: ${{ github.workspace }}/output/*-pdbs.zip
- name: Upload Installer
uses: actions/upload-artifact@v4
if: matrix.architecture == 'x64'
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-installer
name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-installer
compression-level: 0
path: ${{ github.workspace }}/output/*.exe
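Review bot: The `strategy.matrix` added to `create-windows-update` sets no `fail-fast`, so the GitHub Actions default applies and a failure in one architecture leg cancels the other while it may still be running. That matters more than usual here, because the x64 leg is the one that runs `rclone sync --delete-excluded` against the release bucket in the signing action. An arm64 failure could cancel it part-way; whether a cancelled sync leaves the bucket inconsistent is not visible on this page. Adding `fail-fast: false` under `strategy:` lets each leg finish or fail on its own.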