diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index fc3562f..4d717b8 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -113,6 +113,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json + HAS_SSLDOTCOM_SIGNING: ${{ secrets.SSLDOTCOM_USERNAME != '' && secrets.SSLDOTCOM_PASSWORD != '' && secrets.SSLDOTCOM_CREDENTIAL_ID != '' && secrets.SSLDOTCOM_TOTP_SECRET != '' }} steps: - name: Enable windows longpaths run: git config --global core.longpaths true @@ -152,6 +153,31 @@ jobs: - name: Install dependencies run: ${{ matrix.packages_install }} + - name: Configure SSL.com signing env + if: ${{ runner.os == 'Windows' && env.HAS_SSLDOTCOM_SIGNING == 'true' }} + shell: bash + env: + SSLDOTCOM_USERNAME: ${{ secrets.SSLDOTCOM_USERNAME }} + SSLDOTCOM_PASSWORD: ${{ secrets.SSLDOTCOM_PASSWORD }} + SSLDOTCOM_CREDENTIAL_ID: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }} + SSLDOTCOM_TOTP_SECRET: ${{ secrets.SSLDOTCOM_TOTP_SECRET }} + run: | + write_github_env() { + local key="$1" + local value="$2" + local delimiter="EOF_${key}_$$" + { + echo "${key}<<${delimiter}" + echo "${value}" + echo "${delimiter}" + } >> "$GITHUB_ENV" + } + + write_github_env "SSLDOTCOM_USERNAME" "$SSLDOTCOM_USERNAME" + write_github_env "SSLDOTCOM_PASSWORD" "$SSLDOTCOM_PASSWORD" + write_github_env "SSLDOTCOM_CREDENTIAL_ID" "$SSLDOTCOM_CREDENTIAL_ID" + write_github_env "SSLDOTCOM_TOTP_SECRET" "$SSLDOTCOM_TOTP_SECRET" + - name: Build artifacts shell: bash run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 514f389..61c3484 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
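Review bot: `echo "${value}"` inside write_github_env will corrupt a secret whose value starts with `-n`, `-e` or `-E`, because bash's builtin echo consumes those as options instead of printing them; `printf '%s\n' "${value}"` writes the value verbatim and should replace the echo line. A second caveat on the same step: anything appended to `$GITHUB_ENV` is exported to every later step of this job, so the four SSL.com secrets become readable by whatever build scripts and proc-macros `cargo dist build` compiles in the following Build artifacts step, a wider reach than the step-scoped `env:` declared here. That is presumably required because cargo-dist reads them from the process environment, but it deserves a comment such as `# Exported via GITHUB_ENV so the later cargo-dist build step can sign; reach is the whole job`. The `steps:` list this step belongs to begins before and continues after this hunk.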
@@ -98,6 +98,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json + HAS_SSLDOTCOM_SIGNING: ${{ secrets.SSLDOTCOM_USERNAME != '' && secrets.SSLDOTCOM_PASSWORD != '' && secrets.SSLDOTCOM_CREDENTIAL_ID != '' && secrets.SSLDOTCOM_TOTP_SECRET != '' }} steps: - name: Enable windows longpaths run: git config --global core.longpaths true @@ -137,6 +138,31 @@ jobs: - name: Install dependencies run: ${{ matrix.packages_install }} + - name: Configure SSL.com signing env + if: ${{ runner.os == 'Windows' && env.HAS_SSLDOTCOM_SIGNING == 'true' }} + shell: bash + env: + SSLDOTCOM_USERNAME: ${{ secrets.SSLDOTCOM_USERNAME }} + SSLDOTCOM_PASSWORD: ${{ secrets.SSLDOTCOM_PASSWORD }} + SSLDOTCOM_CREDENTIAL_ID: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }} + SSLDOTCOM_TOTP_SECRET: ${{ secrets.SSLDOTCOM_TOTP_SECRET }} + run: | + write_github_env() { + local key="$1" + local value="$2" + local delimiter="EOF_${key}_$$" + { + echo "${key}<<${delimiter}" + echo "${value}" + echo "${delimiter}" + } >> "$GITHUB_ENV" + } + + write_github_env "SSLDOTCOM_USERNAME" "$SSLDOTCOM_USERNAME" + write_github_env "SSLDOTCOM_PASSWORD" "$SSLDOTCOM_PASSWORD" + write_github_env "SSLDOTCOM_CREDENTIAL_ID" "$SSLDOTCOM_CREDENTIAL_ID" + write_github_env "SSLDOTCOM_TOTP_SECRET" "$SSLDOTCOM_TOTP_SECRET" + - name: Build artifacts shell: bash run: | diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index bacff56..c506ab6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
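Review bot: The `HAS_SSLDOTCOM_SIGNING` expression turns a misconfigured signing setup into a silent downgrade: if one of the four secrets is renamed, expired out, or not granted to the environment the release job runs in, the flag is simply `false` and an unsigned `bt.exe` is published with no signal in the run. The unsigned fallback is documented in CONTRIBUTING.md, so failing hard may be unwanted, but the release workflow should at least surface it; a small step gated on the inverse condition does that without changing the fallback behaviour.

```yaml
      - name: Warn when Windows signing is unavailable
        if: ${{ runner.os == 'Windows' && env.HAS_SSLDOTCOM_SIGNING != 'true' }}
        shell: bash
        run: echo "::warning::SSL.com signing secrets are not all configured; bt.exe will be published unsigned"
```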
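Review bot: Writing the secrets into `$GITHUB_ENV` from a dedicated step makes them available to every subsequent step of the job, not just the signing work, and the step itself does not say why that indirection is used rather than an `env:` mapping on the Build artifacts step that actually runs cargo-dist. If the reason is that cargo-dist treats an empty-string `SSLDOTCOM_*` variable as "configured" and then fails, say so in a comment on the step, e.g. `# Exported only when all four secrets are present: an empty value would be seen by cargo-dist as a configured credential`. The `echo "${value}"` line has the same option-parsing hazard as in release-canary.yml (a value beginning with `-n`/`-e`/`-E` is truncated) and should become `printf '%s\n' "${value}"`. The enclosing `steps:` list starts before and continues past this hunk.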
@@ -123,3 +123,14 @@ Notes: - The workflow publishes an immutable tag: `canary--`. - It also updates a moving branch tag: `canary-` when the run is for the latest commit on that branch. + +## Windows Release Signing + +Release and canary workflows can Authenticode-sign Windows artifacts when these GitHub Actions repository secrets are configured: + +- `SSLDOTCOM_USERNAME` +- `SSLDOTCOM_PASSWORD` +- `SSLDOTCOM_CREDENTIAL_ID` +- `SSLDOTCOM_TOTP_SECRET` + +If those secrets are absent, `cargo-dist` skips Windows signing and the published `bt.exe` remains unsigned. diff --git a/Cargo.toml b/Cargo.toml index b10850c..6d1187c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -54,6 +54,7 @@ ci = "github" create-release = true pr-run-mode = "plan" allow-dirty = ["ci"] +ssldotcom-windows-sign = "prod" [package.metadata.dist] installers = ["shell", "powershell"]
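Review bot: `ssldotcom-windows-sign = "prod"` is a workspace-wide setting, and this change wires the same production credentials into the canary workflow, so every canary build of a branch head gets an Authenticode signature from the production certificate, not only tagged releases. Whether that is intended is worth stating next to the key, since a production-signed binary from an unreviewed branch carries the same trust as a release; a comment like `# Also applies to canary builds: anyone who can trigger release-canary.yml obtains a prod-signed bt.exe` makes the trade-off visible. If the canary builds should not be production-signed, the canary workflow can simply not export the secrets (or, if the option exists in this cargo-dist version, use the sandbox profile there).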