[skip ci] Use CodeSignTool in the github action

GMOD · Sep 18, 2024 · 370cf2d · 370cf2d
1 parent 80631be
commit 370cf2d
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 21 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,15 +73,11 @@ jobs:
           cd products/jbrowse-desktop/code_signer
           wget  https://www.ssl.com/download/codesigntool-for-linux-and-macos -O out.zip
           unzip out.zip
+          chmod +x CodeSignTool.sh
           cd ../../../
 
       - name: Build app
         env:
-          # NOTE: must explicitly pass in even the parameters that
-          # esigner-codesign says are optional since we're not using the action
-          # directly, but rather passing the params in as env vars:
-          # xref https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062
-          CODE_SIGN_SCRIPT_PATH: 'code_signer'
           WINDOWS_SIGN_USER_NAME: ${{ secrets.WINDOWS_SIGN_USER_NAME }}
           WINDOWS_SIGN_USER_PASSWORD: ${{ secrets.WINDOWS_SIGN_USER_PASSWORD }}
           WINDOWS_SIGN_CREDENTIAL_ID: ${{ secrets.WINDOWS_SIGN_CREDENTIAL_ID }}

diff --git a/products/jbrowse-desktop/sign.js b/products/jbrowse-desktop/sign.js
@@ -1,6 +1,5 @@
-// this script taken from
+// this script adapted from
 // https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-899798533
-// see our shared google drive -> developer folder for more info on this
 const path = require('path')
 const fs = require('fs')
 const childProcess = require('child_process')
@@ -13,22 +12,35 @@ if (!fs.existsSync(TEMP_DIR)) {
 
 function sign(configuration) {
   console.log(`Signing ${configuration.path}`)
-  const { name, dir } = path.parse(configuration.path)
-  // CodeSignTool can't sign in place without verifying the overwrite with a
-  // y/m interaction so we are creating a new file in a temp directory and
-  // then replacing the original file with the signed file.
+  // we move signed files to a file named tmp.exe because our product name
+  // contains a space, meaning our .exe contains a space, which CodeSignTool
+  // balks at even with attempted backslash escaping, so we rename to tmp.exe
+  const tmpExe = `tmp-${Math.random()}.exe`
+
+  // note: CodeSignTool can't sign in place without verifying the overwrite
+  // with a y/m interaction so we are creating a new file in a temp directory
+  // and then replacing the original file with the signed file.
   const signFile = [
-    'codesigner/CodeSignTool.sh sign',
-    `-input_file_path="${configuration.path}"`,
-    `-output_dir_path="${TEMP_DIR}"`,
-    `-credential_id="${process.env.WINDOWS_SIGN_CREDENTIAL_ID}"`,
-    `-username="${process.env.WINDOWS_SIGN_USER_NAME}"`,
-    `-password="${process.env.WINDOWS_SIGN_USER_PASSWORD}"`,
-    `-totp_secret="${process.env.WINDOWS_SIGN_USER_TOTP}"`,
+    // code_signer is directory containing the CodeSignTool script in
+    // products/jbrowse-desktop that is created by .github/workflows/release.sh
+    // on windows
+    'CODE_SIGN_TOOL_PATH=code_signer bash code_signer/CodeSignTool.sh sign',
+    `-input_file_path='${tmpExe}'`,
+    `-output_dir_path='${TEMP_DIR}'`,
+    `-credential_id='${process.env.WINDOWS_SIGN_CREDENTIAL_ID}'`,
+    `-username='${process.env.WINDOWS_SIGN_USER_NAME}'`,
+    `-password='${process.env.WINDOWS_SIGN_USER_PASSWORD}'`,
+    `-totp_secret='${process.env.WINDOWS_SIGN_USER_TOTP}'`,
   ].join(' ')
-
-  const moveFile = `mv "${path.join(TEMP_DIR, name)}" "${dir}"`
-  childProcess.execSync(`${setDir} && ${signFile} && ${moveFile}`, {
+  const preMoveFile = `cp "${configuration.path}" "${tmpExe}"`
+  const postMoveFile = `cp "${path.join(TEMP_DIR, tmpExe)}" "${configuration.path}"`
+  childProcess.execSync(`${preMoveFile}`, {
+    stdio: 'inherit',
+  })
+  childProcess.execSync(`${signFile}`, {
+    stdio: 'inherit',
+  })
+  childProcess.execSync(`${postMoveFile}`, {
     stdio: 'inherit',
   })
 }