~zeal-developers/zeal/zeal


Viewing changes to cmake/CodeSign.cmake

  • Committer: Oleg Shparber
  • Date: 2023-09-19 07:07:19 UTC
  • Revision ID: git-v1:e1c83d0ca78d4c0950605c410d97050644397af5
build(cmake): add support for base64-encoded signing certificate

This is a workaround for GitHub Actions not handling long or multiline
secrets properly.

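--- a/cmake/CodeSign.cmake
+++ b/cmake/CodeSign.cmake
@@ -97,9 +97,49 @@
                 set(_temp_path $ENV{TEMP})
             endif()
 
-            set(_certificate_file "${_temp_path}/codesign.pem")
+            set(_certificate_file "${_temp_path}/codesign.tmp")
             file(WRITE ${_certificate_file} $ENV{CODESIGN_CERTIFICATE})
             set(_ARG_CERTIFICATE_FILE ${_certificate_file})
+        elseif(DEFINED ENV{CODESIGN_CERTIFICATE_BASE64})
+            # Read base64-encoded certificate from environment variable,
+            # decode with `certutil.exe`, and store in a temporary file
+            # for signtool to use.
+            #
+            # This is useful for GitHub Actions, which cannot handle unencoded
+            # multiline secrets.
+
+            # Determine temporary file location. Try to keep it local to the build.
+            if(CMAKE_BINARY_DIR)
+                set(_temp_path ${CMAKE_BINARY_DIR})
+            elseif(CPACK_TEMPORARY_DIRECTORY)
+                set(_temp_path ${CPACK_TEMPORARY_DIRECTORY})
+            else()
+                set(_temp_path $ENV{TEMP})
+            endif()
+
+            # Save base64-encoded certificate to file.
+            set(_certificate_file "${_temp_path}/codesign.tmp")
+            set(_certificate_base64_file "${_certificate_file}.base64")
+            file(WRITE ${_certificate_base64_file} $ENV{CODESIGN_CERTIFICATE_BASE64})
+
+            # Decode certificate.
+            set(_cmd_certutil_args "-decode" ${_certificate_base64_file} ${_certificate_file})
+            execute_process(COMMAND "certutil.exe" ${_cmd_certutil_args}
+                RESULT_VARIABLE _rc
+                OUTPUT_VARIABLE _stdout
+                # ERROR_VARIABLE  _stderr
+            )
+
+            # Remove temporary file first.
+            file(REMOVE ${_certificate_base64_file})
+
+            if(NOT _rc EQUAL 0)
+                # For some reason certutil prints errors to stdout.
+                message(NOTICE "Failed to decode certificate: ${_stdout}")
+                return()
+            endif()
+
+            set(_ARG_CERTIFICATE_FILE ${_certificate_file})
         else()
             message(NOTICE "Certificate is not provided, no binaries will be signed.")
             return()
@@ -170,7 +210,7 @@
         )
 
         if(NOT _rc EQUAL 0)
-            message(NOTICE "Signing failed: ${_stderr}")
+            message(NOTICE "Failed to sign: ${_stderr}")
         endif()
 
         if(NOT _ARG_QUIET)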
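Review bot: In the new `CODESIGN_CERTIFICATE_BASE64` branch only the `.base64` intermediate is deleted. The decoded `${_temp_path}/codesign.tmp` holds the signing certificate (and its private key, if the secret is a PFX or PEM bundle), yet it is left in place on the decode-failure `return()`, and nothing in the visible lines removes it after signing. Because `_temp_path` prefers `CMAKE_BINARY_DIR`, a leftover file can end up in a cached or uploaded build directory on a CI runner; add `file(REMOVE ${_certificate_file})` before that `return()` and confirm that the code between the two hunks deletes the file once signtool has run. A stale `codesign.tmp` may also make the next decode fail, since `certutil -decode` refuses to overwrite an existing output file unless `-f` is passed, so consider putting `"-f"` ahead of `"-decode"` in `_cmd_certutil_args` or removing the file before decoding. The enclosing function starts and ends outside the hunks shown.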