From 5b3a8dee4b05b650df76ae9fb03cbba998bbf817 Mon Sep 17 00:00:00 2001
From: derrod
Date: Sun, 6 Apr 2025 14:55:14 +0200
Subject: [PATCH] CI: Sign game capture with RSA cert first

---
 .github/actions/windows-signing/action.yaml | 16 ++++++++
 .github/actions/windows-signing/config.toml | 3 +-
 .github/actions/windows-signing/prod-gc.crt | 42 +++++++++++++++++++++
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/windows-signing/prod-gc.crt

diff --git a/.github/actions/windows-signing/action.yaml b/.github/actions/windows-signing/action.yaml
index 56f8b7a32..5ab5b1a7b 100644
--- a/.github/actions/windows-signing/action.yaml
+++ b/.github/actions/windows-signing/action.yaml
@@ -90,6 +90,22 @@ runs:
 Ensure-Location "${{ github.workspace }}/old_builds"
 rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" .
 
+ - name: Sign Game Capture with RSA cert
+ shell: pwsh
+ run: |
+ . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
+ $SignToolExe = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
+ $signArgs = @(
+ "sign"
+ "/fd", "sha256"
+ "/t", "http://timestamp.digicert.com"
+ "/f", "repo/.github/actions/windows-signing/prod-gc.crt"
+ "/csp", "Google Cloud KMS Provider"
+ "/kc", "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/game-capture-release-sign-hsm/cryptoKeyVersions/1"
+ "${{ github.workspace }}/build/data/obs-plugins/win-capture/*.dll"
+ )
+ Invoke-External $SignToolExe @signArgs
+
 - name: Run bouf
 shell: pwsh
 run: |
diff --git a/.github/actions/windows-signing/config.toml b/.github/actions/windows-signing/config.toml
index aae385293..8a6938895 100644
--- a/.github/actions/windows-signing/config.toml
+++ b/.github/actions/windows-signing/config.toml
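Review bot: The new step timestamps with `"/t", "http://timestamp.digicert.com"`, which is signtool's legacy Authenticode timestamp option, so the countersignature on the RSA signature is not requested with SHA-256 even though the file digest is (`"/fd", "sha256"`). Because bouf now appends its signature afterwards (`sign_append = true` in config.toml), this RSA signature presumably remains the primary one on the win-capture DLLs, which makes its timestamp the one most verifiers see first. The RFC 3161 form keeps the timestamp digest in line with the file digest: `"/tr", "http://timestamp.digicert.com"` followed by `"/td", "sha256"`. Separately, the hard-coded `$SignToolExe` path is used without a `Test-Path` check, so a runner image lacking that Windows Kits directory would fail only at the `Invoke-External` call; a short guard with an explicit error would make that failure easier to diagnose.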
@@ -23,8 +23,9 @@ sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
 sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
 sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
+sign_ts_algo = "sha256"
 sign_exts = ['exe', 'dll', 'pyd']
-sign_append = false
+sign_append = true
 
 [prepare.strip_pdbs]
 # PDBs to not strip
diff --git a/.github/actions/windows-signing/prod-gc.crt b/.github/actions/windows-signing/prod-gc.crt
new file mode 100644
index 000000000..0f128b7cd
--- /dev/null
+++ b/.github/actions/windows-signing/prod-gc.crt
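Review bot: `sign_append = true` applies to every file matched by `sign_exts`, but only the win-capture DLLs are pre-signed by the workflow step this commit adds, and nothing in config.toml records that dependency. A comment above the key would keep a later edit from flipping it back or reordering the steps, for example `# Append to existing signatures: win-capture DLLs are signed with the RSA cert before bouf runs.` How bouf treats a still-unsigned file in append mode is not visible in this hunk, so that is worth confirming for the exe/pyd files and the remaining DLLs. `sign_ts_algo = "sha256"` beside `sign_digest = "sha384"` also deserves a one-line comment if the difference is intentional. The table these keys belong to opens above the hunk.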
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIHYDCCBUigAwIBAgIQBt9dqZiAp4FVJf/AvIvPsjANBgkqhkiG9w0BAQsFADBp +MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT +OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0 +IDIwMjEgQ0ExMB4XDTI1MDExNjAwMDAwMFoXDTI4MDExNTIzNTk1OVowaDELMAkG +A1UEBhMCVVMxEDAOBgNVBAgTB1d5b21pbmcxETAPBgNVBAcTCFNoZXJpZGFuMRkw +FwYDVQQKExBPQlMgUHJvamVjdCwgTExDMRkwFwYDVQQDExBPQlMgUHJvamVjdCwg +TExDMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA07e66QJeFjyk8p5l +1/hOBt5qXf8paJIFoBsdy38qnkC6ZTJzrmSfERilRBM7UQ7Pzo9aE/On7aUrghdW +ZfG/U/3s4KKYZMh+mQscHdx37Y4sUC0Yk/3s+1H3jAz5tEx9FlUgO30MKjSTr3Lc +HjqoibokGrZOzqSF2pLqTmSX92/P7E9ii2EnZnTSDWHHLtVmS0YkE6TKQ5v2VHYP +ynRVWuOl2wJFNctCYbcZAmBeVFne4k6w443Zvkz70m4lgtaJB24r2y2ay+vyQx2Q +gEg3RgcW+3/zh/sqjCQ6RhUjFvdBHP9nPrhCw72P/2J04JrpMnTlHbwUp1ULyH9v +rOYDu+8gk2sFgwjgKYGrjuehtwG8IokCppWPxUUyDTklFXbjDVlLQizmoPjwfUKy +K6kJd6w6WR3jUdRZYIXuHPzzIQE3G2aB68tSyYANuXjQAOXtVKkFlMiI/KGATIKb +FCnhFriqFOlG1vxeKUgqMNQqcaz52V8ZGEtVAOMZVP0FzZIDqrFwvDTQwsRVsRUU +c6ACUGZVL5X5nn90XTYIf4oZGFIs7U/P+LmH7Hngb3ZnrvwhurSreaELR554ncOl +fLJGpiJlTShkvubXycmYIiM+XLVkdziZlRFlMef5hp02fuT+825ivuWzaNTB0min +hMatLBKIwxjO5Xlk6CztRQD6ezMCAwEAAaOCAgMwggH/MB8GA1UdIwQYMBaAFGg3 +4Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBSNjnGJqRrmOQnj5YyA9Ax8ZpJ/ +ejA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3 +LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG +AQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0 +LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIw +MjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNl +cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDCB +lAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj +ZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t +L0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNB +MS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAaTE2qTXwECkUafRQ 
+TlWT26xO9hZON1CxW+OUsHaaH35YkNwo4UZ6s46fIX4/bbCFGz5duplDfAmVs/LG ++AehgWKA0dyMBSyFc89XXhzvfr0bXMbUxD3kgrmJzH8QMbZGwJU89/U3Zo1OYPjd +Xgm7xK2GdCKyW7Vz0vxi1U/lYZNPXm9SPpH2xlOqECZCrG7IHQWGMt6EWStp2o2j +7Jxj4NyRTKhR5sXGXfUXJlPuW3/82lvZxTHFe9V7QSAm1gswOZYWaOfjyvkoObUL +abZ4XNrxpzdVeJLMXX/a7F67mFwYpTWHSujGWVJpFzEpY267S+Exsvm15ZZkK1Ih +seT+Qks5JZZMMJjHCxaUyjit0UKADe/uDglW/6kimCMIGCgigZkx+hOAfPeRxouk +gC6jXfbGs+DLFom9wYPN8VFpFpwnoH+acglCSVZtF8BCMCI62/viwYE65v9p/Qmq +qSrR61y4EIkF9gAVDReCCTzvXDLBWx7jpRFXcPmG4JaLFesHj7rezgkTe/YA57KI +vc1geLf06UlucvxQ3sotiElMsTEZkB9blqd36PMsrLdPwJ/Q37zZX1XHfZKEF09N +DXXolHdqgWiiG56gNtFoXN3aT/9V/cRz8muZIy5l6Jm0vvK4jkyTV1D5bEutfgcK +k57TSjQGzCNnVLphmQTNIJNWQ7s= +-----END CERTIFICATE-----