Merge pull request #14219 from Ultimaker/CURA-8607_sign_windows_installer_workflow

CURA-8607_sign_windows_installer_workflow
2025-08-14 11:15:54 +08:00 · 2023-01-06 11:25:17 +01:00 · 2023-01-06 11:25:17 +01:00 · 8efc4052b9
commit 8efc4052b9
parent a1b9232f9d 097067321d
1 changed files with 21 additions and 0 deletions
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@ -61,6 +61,8 @@ env:
    MACOS_CERT_USER: ${{ secrets.MACOS_CERT_USER }}
    GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
    MACOS_CERT_PASSPHRASE: ${{ secrets.MACOS_CERT_PASSPHRASE }}
+    WIN_CERT_INSTALLER_CER: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+    WIN_CERT_INSTALLER_CER_PASS: ${{ secrets.WIN_CERT_INSTALLER_CER_PASS }}
    CURA_CONAN_VERSION: ${{ inputs.cura_conan_version }}
    ENTERPRISE: ${{ inputs.enterprise }}
    STAGING: ${{ inputs.staging }}
@ -153,6 +155,17 @@ jobs:
                    p12-file-base64: ${{ secrets.MACOS_CERT_P12 }}
                    p12-password: ${{ secrets.MACOS_CERT_PASSPHRASE }}

+            -   name: Create PFX certificate from BASE64_PFX_CONTENT secret
+                if: ${{ runner.os == 'Windows' }}
+                id: create-pfx
+                env:
+                    PFX_CONTENT: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+                run: |
+                    $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"; 
+                    $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT); 
+                    Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
+                    echo "PFX_PATH=$pfxPath" >> $env:GITHUB_OUTPUT;
+
            -   name: Clean Conan local cache
                if: ${{ inputs.conan_clean_local_cache }}
                run: conan remove "*" -f
@ -230,6 +243,14 @@ jobs:
                    python ..\cura_inst\packaging\NSIS\create_windows_installer.py ../cura_inst . "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
                working-directory: dist

+            - name: Sign the Windows exe installer (Powershell)
+              if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Windows' }}
+              env:
+                  PFX_PATH: ${{ steps.create-pfx.outputs.PFX_PATH }}
+              run: |
+                  & "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe" sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
+              working-directory: dist
+
            -   name: Create the Linux AppImage (Bash)
                if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Linux' }}
                run: python ../cura_inst/packaging/AppImage/create_appimage.py ./UltiMaker-Cura $CURA_VERSION_FULL "UltiMaker-Cura-$CURA_VERSION_FULL-${{ inputs.os_name }}.AppImage"