From 96c703541acc44cf509298d7cc67c20748afc553 Mon Sep 17 00:00:00 2001
From: Ryo Yamashita
Date: Fri, 30 Aug 2024 15:55:34 +0900
Subject: [PATCH 1/2] =?UTF-8?q?add:=20=E3=82=B3=E3=83=BC=E3=83=89=E7=BD=B2?= =?UTF-8?q?=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/build.yml | 13 ++++++
 .github/workflows/shellcheck.yml | 22 +++++++++
 codesign.bash | 79 ++++++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 .github/workflows/shellcheck.yml
 create mode 100755 codesign.bash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 49014ce..277f111 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,11 @@ on:
 release:
 description: "リリースするかどうか"
 type: boolean
+ code_signing:
+ description: "コード署名する"
+ type: boolean
+ required: false
+ default: false
 env:
 ONNXRUNTIME_VERSION:
@@ -438,6 +443,14 @@ jobs:
 fi
 mv ${{ matrix.result_dir }}/${{ matrix.artifact_name }} ./artifact/
+ - name: Code signing (Windows)
+ if: runner.os == 'Windows' && inputs.code_signing
+ run: find ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/lib -name '*.dll' -exec ./builder/codesign.bash {} ';'
+ env:
+ ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+ ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+ ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
new file mode 100644
index 0000000..98990e7
--- /dev/null
+++ b/.github/workflows/shellcheck.yml
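Review bot: A signing failure in the new "Code signing (Windows)" step will not fail the job, because `find -exec … {} ';'` discards the exit status of the command it runs (GNU find only treats a non-zero return as a false predicate and still exits 0), and `codesign.bash` is the only thing in that step that can report one. With `set -e` in the script, a missing secret or a failed `signtool sign` ends that one invocation non-zero, yet the following "Upload artifact" step would still publish the unsigned DLL. Routing the file list through xargs surfaces it: `run: find ./${{ matrix.result_dir }}/${{ matrix.artifact_name }}/lib -name '*.dll' -print0 | xargs -0 -n1 ./builder/codesign.bash` — xargs exits 123 when any invocation fails, which the Actions bash shell's `pipefail` turns into a step failure. This assumes the job's default shell is bash, as the `fi`/`mv` context lines suggest; the `defaults` key is outside the hunk.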
@@ -0,0 +1,22 @@
+name: ShellCheck
+
+on:
+ - push
+ - pull_request
+
+jobs:
+ shellcheck:
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Update ShellCheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y shellcheck
+ shellcheck -V
+
+ - name: ShellCheck
+ run: git ls-files | grep -E '\.(ba)?sh' | xargs shellcheck
diff --git a/codesign.bash b/codesign.bash
new file mode 100755
index 0000000..5c80cf5
--- /dev/null
+++ b/codesign.bash
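Review bot: The file filter in the last step, `grep -E '\.(ba)?sh'`, is not anchored, so any tracked path that merely contains `.sh` (a `.shellcheckrc`, a `foo.sh.bak`) is handed to shellcheck, and paths containing whitespace are split by `xargs`. Because `xargs` lacks `-r`, an empty match would also run `shellcheck` with no arguments, which fails. Anchoring and NUL-delimiting covers all of it: `run: git ls-files -z | grep -zE '\.(ba)?sh$' | xargs -0 -r shellcheck`. Under the Actions bash shell's `pipefail` a tree with no shell files would still fail at `grep` (status 1), which may be the intended behaviour for a lint job.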
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+# eSignerCKAを使ってコード署名する
+
+set -eu
+
+if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
+ echo "ESIGNERCKA_USERNAMEが未定義です"
+ exit 1
+fi
+if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
+ echo "ESIGNERCKA_PASSWORDが未定義です"
+ exit 1
+fi
+if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
+ echo "ESIGNERCKA_TOTP_SECRETが未定義です"
+ exit 1
+fi
+
+if [ $# -ne 1 ]; then
+ echo "引数の数が一致しません"
+ exit 1
+fi
+target_file_glob="$1"
+
+# eSignerCKAのセットアップ
+INSTALL_DIR='..\eSignerCKA'
+if [ ! -d "$INSTALL_DIR" ]; then
+ curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
+ unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
+ mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe
+ powershell "
+ & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null
+ & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r
+ & '$INSTALL_DIR\eSignerCKATool.exe' unload
+ "
+ rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
+fi
+
+# 証明書を読み込む
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load"
+
+# shellcheck disable=SC2016
+THUMBPRINT=$(
+ powershell '
+ $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+ echo "$($CodeSigningCert.Thumbprint)"
+ '
+)
+
+# 指定ファイルに署名する
+function codesign() {
+ TARGET="$1"
+ # shellcheck disable=SC2012
+ SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
+ powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'"
+}
+
+# 指定ファイルが署名されているか
+function is_signed() {
+ TARGET="$1"
+ SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
+ powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1
+}
+
+# 署名されていなければ署名
+# shellcheck disable=SC2012,SC2086
+ls $target_file_glob | while read -r target_file; do
+ if is_signed "$target_file"; then
+ echo "署名済み: $target_file"
+ else
+ echo "署名開始: $target_file"
+ codesign "$target_file"
+ fi
+done
+
+# 証明書を破棄
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"
From f7700862a566ed53c8572ca1c98d9e8af35bdf71 Mon Sep 17 00:00:00 2001
From: Ryo Yamashita
Date: Sun, 1 Sep 2024 02:18:50 +0900
Subject: [PATCH 2/2] `product` environment
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 277f111..4cc0e9d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -219,6 +219,7 @@ jobs:
 ARCH_SUFFIX: "${{ (matrix.linux_cross_arch != '' && '-') || '' }}${{ (matrix.linux_cross_arch != '' && matrix.linux_cross_arch) || '' }}"
 runs-on: ${{ matrix.os }}
+ environment: ${{ inputs.code_signing && 'production' || '' }} # コード署名用のenvironment
 steps:
 - uses: actions/setup-python@v4
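Review bot: The eSignerCKA installer is downloaded and executed without any integrity check — the `curl -LO` of `SSL.COM-eSigner-CKA_1.0.6.zip` is followed directly by `unzip` and a `/VERYSILENT` install, so the version pin and HTTPS alone do not protect against a replaced or tampered release asset running on the runner with the signing credentials in its environment. Verifying the archive against a known digest before `unzip` closes that gap: `printf '%s  SSL.COM-eSigner-CKA_1.0.6.zip\n' '<EXPECTED_SHA256_PLACEHOLDER>' | sha256sum -c -` (with the published checksum of that release in place of the placeholder). Separately, the final `eSignerCKATool.exe unload` only runs on the success path; with `set -eu` any failure in `codesign` or an empty `$THUMBPRINT` aborts the script and leaves the certificate loaded, which a `cleanup() { powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"; }` plus `trap cleanup EXIT` placed right after the `load` call would cover. The credentials are also spliced into the PowerShell command line (`-user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET'`), so a value containing a single quote breaks the quoting and the values are visible in the process arguments; referencing `\$env:ESIGNERCKA_PASSWORD` (and the other two) from the PowerShell side avoids both.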