From a5a1e88b18e47d40cf92a41f4c0a8b7393162471 Mon Sep 17 00:00:00 2001 From: Remco Burema Date: Tue, 1 Oct 2024 11:51:01 +0200 Subject: [PATCH] Pass secret along in order to be able to sign the uninstaller. The uninstaller is generated during the packaging, so we can't really sign it in the workflow like we do with the others (without a cumbersome workaround). Fortunately, there is a built-in command that sort-of handles this -- but we do need to make an argument to pass the secret along we use for the signing. part of CURA-12129 --- packaging/NSIS/Ultimaker-Cura.nsi.jinja | 7 ++++++- packaging/NSIS/create_windows_installer.py | 8 +++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/packaging/NSIS/Ultimaker-Cura.nsi.jinja b/packaging/NSIS/Ultimaker-Cura.nsi.jinja index 0a2ce0f517..f2151e7191 100644 --- a/packaging/NSIS/Ultimaker-Cura.nsi.jinja +++ b/packaging/NSIS/Ultimaker-Cura.nsi.jinja @@ -1,4 +1,4 @@ -# Copyright (c) 2022 UltiMaker B.V. +# Copyright (c) 2024 UltiMaker # Cura's build system is released under the terms of the AGPLv3 or higher. !define APP_NAME "{{ app_name }}" @@ -15,6 +15,7 @@ !define REG_ROOT "HKLM" !define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${APP_NAME}-${VERSION}" !define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}-${VERSION}" +!define SIGN_SECRET "{{ sign_secret }}" !define REG_START_MENU "Start Menu Folder" @@ -214,3 +215,7 @@ DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}" DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}" SectionEnd +!ifdef SIGN_SECRET +!uninstfinalize 'signtool sign /v /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f C:\actions-runner\code_sign.cer /csp "eToken Base Cryptographic Provider" /kc ${SIGN_SECRET} "%1"' = 0 +; %1 is replaced by the uninstaller exe to be signed. +!endif diff --git a/packaging/NSIS/create_windows_installer.py b/packaging/NSIS/create_windows_installer.py index 5ec31c8e35..b1455e983a 100644 --- a/packaging/NSIS/create_windows_installer.py +++ b/packaging/NSIS/create_windows_installer.py @@ -14,7 +14,7 @@ from pathlib import Path from jinja2 import Template -def generate_nsi(source_path: str, dist_path: str, filename: str): +def generate_nsi(source_path: str, dist_path: str, filename: str, sign_secret: str): dist_loc = Path(os.getcwd(), dist_path) source_loc = Path(os.getcwd(), source_path) instdir = Path("$INSTDIR") @@ -57,7 +57,8 @@ def generate_nsi(source_path: str, dist_path: str, filename: str): cura_icon = str(source_loc.joinpath("packaging", "icons", "Cura.ico")), mapped_out_paths = mapped_out_paths, rmdir_paths = rmdir_paths, - destination = filename + destination = filename, + sign_secret = sign_secret, ) with open(dist_loc.joinpath("UltiMaker-Cura.nsi"), "w") as f: @@ -77,6 +78,7 @@ if __name__ == "__main__": parser.add_argument("source_path", type=str, help="Path to Conan install Cura folder.") parser.add_argument("dist_path", type=str, help="Path to Pyinstaller dist folder") parser.add_argument("filename", type = str, help = "Filename of the exe (e.g. 'UltiMaker-Cura-5.1.0-beta-Windows-X64.exe')") + parser.add_argument("sign_secret", type = str, help = "Supply secret for signing (the uninstaller, as the rest is already signed before).") args = parser.parse_args() - generate_nsi(args.source_path, args.dist_path, args.filename) + generate_nsi(args.source_path, args.dist_path, args.filename, args.sign_secret) build(args.dist_path)