diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index fee4dac3d..53f0e2f6f 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -274,7 +274,11 @@ jobs:
 run: pnpm install
 - name: Build release exe and MSI
 run: pnpm build
- - name: Sign the MSI
+ - name: Install AzureSignTool
+ if: ${{ runner.os == 'Windows' }}
+ shell: bash
+ run: dotnet tool install --global AzureSignTool
+ - name: Sign the release exe and MSI
 if: ${{ runner.os == 'Windows' }}
 env:
 AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
@@ -284,18 +288,8 @@ jobs:
 AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
 shell: bash
 run: |
- # Install the required tools
- dotnet tool install --global AzureSignTool
-
- # Sign the MSI file
- AzureSignTool sign \
- --azure-key-vault-url "$AZURE_KEY_VAULT_URI" \
- --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
- --azure-key-vault-tenant-id "$AZURE_TENANT_ID" \
- --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
- --azure-key-vault-certificate "$AZURE_CERT_NAME" \
- --timestamp-rfc3161 "http://timestamp.digicert.com" \
- --verbose ../target/release/bundle/msi/Firezone_${{ env.VERSION }}_x64_en-US.msi
+ ../../scripts/build/sign.sh ../target/release/Firezone.exe
+ ../../scripts/build/sign.sh ../target/release/bundle/msi/Firezone_${{ env.VERSION }}_x64_en-US.msi
 - name: Rename artifacts and compute SHA256
 shell: bash
 run: ${{ matrix.rename-script }}
diff --git a/scripts/build/sign.sh b/scripts/build/sign.sh
new file mode 100755
index 000000000..256df4334
--- /dev/null
+++ b/scripts/build/sign.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+AzureSignTool sign \
+ --azure-key-vault-url "$AZURE_KEY_VAULT_URI" \
+ --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
+ --azure-key-vault-tenant-id "$AZURE_TENANT_ID" \
+ --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
+ --azure-key-vault-certificate "$AZURE_CERT_NAME" \
+ --timestamp-rfc3161 "http://timestamp.digicert.com" \
+ --verbose "$1"
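Review bot: The new "Install AzureSignTool" step runs `dotnet tool install --global AzureSignTool` without a version, so the tool that signs the release binaries is whatever NuGet serves as latest at the moment the job runs; a breaking or compromised release of that package changes the signing path with no change in this repository. Pin it, `run: dotnet tool install --global AzureSignTool --version <PINNED_VERSION>`, and treat bumps as reviewed changes like any other dependency. The `--global` install also persists on the runner after the job; on a GitHub-hosted runner that is harmless, but on a self-hosted runner (not visible here) it would be shared with later jobs.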
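Review bot: The rewritten sign step signs `../target/release/Firezone.exe` only after the preceding "Build release exe and MSI" step has already produced the MSI, so if that MSI packages the exe built in the same step (the step name suggests a single build emits both), the copy of the exe inside the installer is still the unsigned one and only the outer MSI carries a signature. Either run the exe signing before the bundler packages it, or verify the binary that ends up inside the MSI is the signed one, and state which in a comment on the step. The `../../scripts/build/sign.sh` and `../target/...` paths also depend on a `working-directory` set outside this hunk; a comment naming that directory, e.g. `# paths are relative to the job's working-directory (see top of job)`, would make the two `../` levels less surprising to the next editor.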
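Review bot: `sign.sh` takes the file to sign as `$1` but never checks it, so a call with no argument fails with bash's generic `$1: unbound variable` from `set -u`, and a wrong path only surfaces as an AzureSignTool error after the Key Vault round-trip; add `[ $# -eq 1 ] && [ -f "$1" ] || { echo "usage: $0 <file-to-sign>" >&2; exit 2; }` before the `AzureSignTool sign` call. A header comment listing the five environment variables the script reads (AZURE_KEY_VAULT_URI, AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_CERT_NAME) and that they are expected to come from the workflow's `env:` block would let someone run it outside CI without reading the call site. Since AzureSignTool accepts several file arguments, passing `"$@"` instead of `"$1"` (with `$# -ge 1` in the check) would also let the workflow sign the exe and the MSI in one invocation, though that is optional.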