CI: Sign game capture with RSA cert first

2026-03-27 19:02:02 -04:00 · 2025-04-06 14:55:14 +02:00
parent 33cec16f56
commit 5b3a8dee4b
3 changed files with 60 additions and 1 deletions
--- a/.github/actions/windows-signing/action.yaml
+++ b/.github/actions/windows-signing/action.yaml
@@ -90,6 +90,22 @@ runs:
        Ensure-Location "${{ github.workspace }}/old_builds"
        rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" .

+    - name: Sign Game Capture with RSA cert
+      shell: pwsh
+      run: |
+        . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
+        $SignToolExe = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
+        $signArgs = @(
+           "sign"
+           "/fd",   "sha256"
+           "/t",    "http://timestamp.digicert.com"
+           "/f",    "repo/.github/actions/windows-signing/prod-gc.crt"
+           "/csp",  "Google Cloud KMS Provider"
+           "/kc",   "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/game-capture-release-sign-hsm/cryptoKeyVersions/1"
+           "${{ github.workspace }}/build/data/obs-plugins/win-capture/*.dll"
+        )
+        Invoke-External $SignToolExe @signArgs
+
    - name: Run bouf
      shell: pwsh
      run: |
--- a/.github/actions/windows-signing/config.toml
+++ b/.github/actions/windows-signing/config.toml
@@ -23,8 +23,9 @@ sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
 sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
 sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
+sign_ts_algo = "sha256"
 sign_exts = ['exe', 'dll', 'pyd']
-sign_append = false
+sign_append = true

 [prepare.strip_pdbs]
 # PDBs to not strip
--- a/.github/actions/windows-signing/prod-gc.crt
+++ b/.github/actions/windows-signing/prod-gc.crt
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHYDCCBUigAwIBAgIQBt9dqZiAp4FVJf/AvIvPsjANBgkqhkiG9w0BAQsFADBp
+MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
+OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
+IDIwMjEgQ0ExMB4XDTI1MDExNjAwMDAwMFoXDTI4MDExNTIzNTk1OVowaDELMAkG
+A1UEBhMCVVMxEDAOBgNVBAgTB1d5b21pbmcxETAPBgNVBAcTCFNoZXJpZGFuMRkw
+FwYDVQQKExBPQlMgUHJvamVjdCwgTExDMRkwFwYDVQQDExBPQlMgUHJvamVjdCwg
+TExDMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA07e66QJeFjyk8p5l
+1/hOBt5qXf8paJIFoBsdy38qnkC6ZTJzrmSfERilRBM7UQ7Pzo9aE/On7aUrghdW
+ZfG/U/3s4KKYZMh+mQscHdx37Y4sUC0Yk/3s+1H3jAz5tEx9FlUgO30MKjSTr3Lc
+HjqoibokGrZOzqSF2pLqTmSX92/P7E9ii2EnZnTSDWHHLtVmS0YkE6TKQ5v2VHYP
+ynRVWuOl2wJFNctCYbcZAmBeVFne4k6w443Zvkz70m4lgtaJB24r2y2ay+vyQx2Q
+gEg3RgcW+3/zh/sqjCQ6RhUjFvdBHP9nPrhCw72P/2J04JrpMnTlHbwUp1ULyH9v
+rOYDu+8gk2sFgwjgKYGrjuehtwG8IokCppWPxUUyDTklFXbjDVlLQizmoPjwfUKy
+K6kJd6w6WR3jUdRZYIXuHPzzIQE3G2aB68tSyYANuXjQAOXtVKkFlMiI/KGATIKb
+FCnhFriqFOlG1vxeKUgqMNQqcaz52V8ZGEtVAOMZVP0FzZIDqrFwvDTQwsRVsRUU
+c6ACUGZVL5X5nn90XTYIf4oZGFIs7U/P+LmH7Hngb3ZnrvwhurSreaELR554ncOl
+fLJGpiJlTShkvubXycmYIiM+XLVkdziZlRFlMef5hp02fuT+825ivuWzaNTB0min
+hMatLBKIwxjO5Xlk6CztRQD6ezMCAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg3
+4Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBSNjnGJqRrmOQnj5YyA9Ax8ZpJ/
+ejA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3
+LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0
+LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIw
+MjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNl
+cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCB
+lAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj
+ZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t
+L0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNB
+MS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAaTE2qTXwECkUafRQ
+TlWT26xO9hZON1CxW+OUsHaaH35YkNwo4UZ6s46fIX4/bbCFGz5duplDfAmVs/LG
+AehgWKA0dyMBSyFc89XXhzvfr0bXMbUxD3kgrmJzH8QMbZGwJU89/U3Zo1OYPjd
+Xgm7xK2GdCKyW7Vz0vxi1U/lYZNPXm9SPpH2xlOqECZCrG7IHQWGMt6EWStp2o2j
+7Jxj4NyRTKhR5sXGXfUXJlPuW3/82lvZxTHFe9V7QSAm1gswOZYWaOfjyvkoObUL
+abZ4XNrxpzdVeJLMXX/a7F67mFwYpTWHSujGWVJpFzEpY267S+Exsvm15ZZkK1Ih
+seT+Qks5JZZMMJjHCxaUyjit0UKADe/uDglW/6kimCMIGCgigZkx+hOAfPeRxouk
+gC6jXfbGs+DLFom9wYPN8VFpFpwnoH+acglCSVZtF8BCMCI62/viwYE65v9p/Qmq
+qSrR61y4EIkF9gAVDReCCTzvXDLBWx7jpRFXcPmG4JaLFesHj7rezgkTe/YA57KI
+vc1geLf06UlucvxQ3sotiElMsTEZkB9blqd36PMsrLdPwJ/Q37zZX1XHfZKEF09N
+DXXolHdqgWiiG56gNtFoXN3aT/9V/cRz8muZIy5l6Jm0vvK4jkyTV1D5bEutfgcK
+k57TSjQGzCNnVLphmQTNIJNWQ7s=
+-----END CERTIFICATE-----