Sign binaries with SignPath #69
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| paths: | |
| - .github/workflows/build.yml | |
| - build-exe/** | |
| push: | |
| branches: | |
| - main | |
| tags-ignore: | |
| - "**" | |
| paths: | |
| - .github/workflows/build.yml | |
| - build-exe/** | |
| workflow_dispatch: | |
| env: | |
| CLDR_VERSION: 45 | |
| ICONV_VERSION: 1.17 | |
| GETTEXT_VERSION: 0.22.5a | |
| # To be used for testing: we'll only build iconv | |
| #BUILD_ONLY_ICONV: y | |
| jobs: | |
| exe: | |
| name: Build executables ${{ matrix.link }} ${{ matrix.bits}} bits | |
| runs-on: windows-2022 | |
| strategy: | |
| matrix: | |
| bits: | |
| - 32 | |
| - 64 | |
| link: | |
| - shared | |
| - static | |
| env: | |
| CYGWIN_NOWINPATH: 1 | |
| CHERE_INVOKING: 1 | |
| defaults: | |
| run: | |
| shell: C:\cygwin\bin\bash.exe --login -o igncr -o errexit -o pipefail {0} | |
| steps: | |
| - | |
| name: Configure git | |
| shell: cmd | |
| run: git config --global core.autocrlf input | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Restore cache | |
| id: restore-cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ matrix.link }}-${{ matrix.bits }} | |
| path: | | |
| src\downloads | |
| C:\cygwin-packages | |
| - | |
| name: Set variables | |
| id: vars | |
| shell: pwsh | |
| run: ./build-exe/vars.ps1 -Bits ${{ matrix.bits }} -Link ${{ matrix.link }} | |
| - | |
| name: Download Cygwin installer | |
| shell: pwsh | |
| run: Invoke-WebRequest -Uri https://cygwin.com/setup-x86_64.exe -OutFile C:\CygwinInstaller.exe | |
| - | |
| name: Install Cygwin | |
| shell: cmd | |
| run: > | |
| C:\CygwinInstaller.exe | |
| --root C:\cygwin | |
| --local-package-dir C:\cygwin-packages | |
| --packages ${{ steps.vars.outputs.cygwin-packages }} | |
| --site http://mirrors.kernel.org/sourceware/cygwin/ | |
| --only-site | |
| --quiet-mode | |
| --upgrade-also | |
| --no-shortcuts | |
| --no-admin | |
| - | |
| name: Setup Cygwin environment | |
| run: | | |
| cd -- "$(/bin/cygpath -au '${{ github.workspace }}')" | |
| /bin/printf 'Working directory: %s\n' "$(/bin/pwd)" | |
| /bin/mkdir -p src/downloads | |
| /bin/mkdir installed | |
| /bin/mkdir files-unsigned | |
| /bin/mkdir files-signed | |
| /bin/mkdir installer-unsigned | |
| /bin/mkdir installer-signed | |
| /bin/perl -pe 's/\r\n|\n|\r/\r\n/g' < build-exe/license-for-distribution.txt > files-unsigned/license.txt | |
| INSTALLED_PATH="$(/bin/cygpath -au ./installed)" | |
| /bin/echo "INSTALLED_PATH=$INSTALLED_PATH" >> $GITHUB_ENV | |
| /bin/mkdir -p "$HOME" | |
| /bin/printf '\nPATH=%s/bin:${{ steps.vars.outputs.cygwin-path }}\nexport PATH\n' "$INSTALLED_PATH" >>$HOME/.bash_profile | |
| - | |
| name: Dump Cygwin PATH | |
| run: | | |
| IFS=: | |
| for p in $PATH; do | |
| printf '%s\n' "$p" | |
| done | |
| - | |
| name: Download CLDR | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "cldr-$env:CLDR_VERSION.zip" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "https://unicode.org/Public/cldr/$env:CLDR_VERSION/core.zip" -OutFile "cldr-$env:CLDR_VERSION.zip" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract CLDR | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: installed | |
| run: | | |
| unzip -p ../src/downloads/cldr-$CLDR_VERSION.zip LICENSE >cldr-license.txt | |
| unzip -p ../src/downloads/cldr-$CLDR_VERSION.zip common/supplemental/plurals.xml >cldr-plurals.xml | |
| - | |
| name: Download iconv | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "libiconv-$env:ICONV_VERSION.tar.gz" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "https://ftp.gnu.org/pub/gnu/libiconv/libiconv-$env:ICONV_VERSION.tar.gz" -OutFile "libiconv-$env:ICONV_VERSION.tar.gz" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract iconv | |
| working-directory: src | |
| run: tar x -z -f downloads/libiconv-$ICONV_VERSION.tar.gz | |
| - | |
| name: Configure iconv | |
| id: iconv-configure | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }} | |
| run: | | |
| mkdir build | |
| cd build | |
| ../configure \ | |
| CPPFLAGS='${{ steps.vars.outputs.cpp-flags }}' \ | |
| LDFLAGS='${{ steps.vars.outputs.ld-flags }}' \ | |
| ${{ steps.vars.outputs.configure-args }} \ | |
| --prefix=$INSTALLED_PATH | |
| - | |
| name: Compile iconv | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check iconv | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make check --jobs=$(nproc) | |
| - | |
| name: Install iconv | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make install && cp ../COPYING $INSTALLED_PATH/iconv-license.txt | |
| - | |
| name: Download gettext | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "gettext-$env:GETTEXT_VERSION.tar.gz" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "${{ steps.vars.outputs.gettext-source-url }}" -OutFile "gettext-$env:GETTEXT_VERSION.tar.gz" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract gettext | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src | |
| run: tar x -z -f downloads/gettext-$GETTEXT_VERSION.tar.gz | |
| - | |
| name: Configure gettext | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| id: gettext-configure | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: | | |
| mkdir build | |
| cd build | |
| ../configure \ | |
| CPPFLAGS="-I$INSTALLED_PATH/include ${{ steps.vars.outputs.cpp-flags }}" \ | |
| LDFLAGS="-L$INSTALLED_PATH/lib ${{ steps.vars.outputs.ld-flags }}" \ | |
| ${{ steps.vars.outputs.configure-args }} \ | |
| --disable-java \ | |
| --disable-native-java \ | |
| --disable-csharp \ | |
| --disable-openmp \ | |
| --disable-curses \ | |
| --without-emacs \ | |
| --with-included-libxml \ | |
| --without-bzip2 \ | |
| --without-xz \ | |
| --prefix=$INSTALLED_PATH | |
| - | |
| name: Ignore gettext C tests | |
| if: steps.vars.outputs.gettext-ignore-tests-c && env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: for f in ${{ steps.vars.outputs.gettext-ignore-tests-c }}; do echo 'int main() { return 0; }' >$f; done | |
| - | |
| name: Install gettext license | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: cp COPYING $INSTALLED_PATH/gettext-license.txt | |
| - | |
| name: Compile gettext/gnulib-local | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gnulib-local | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gnulib-local | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/gettext-runtime | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gettext-runtime | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gettext-runtime | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/libtextstyle | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/libtextstyle | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/libtextstyle | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/gettext-tools | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gettext-tools | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: XFAIL_TESTS='${{ steps.vars.outputs.gettext-xfail-gettext-tools }}' make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gettext-tools | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Prepare build log | |
| id: prepare-build-log | |
| if: (success() || failure()) && steps.iconv-configure.outcome == 'success' | |
| run: | | |
| mkdir build-log | |
| if [ -d src/libiconv-$ICONV_VERSION/build ]; then | |
| tar c -J -f build-log/iconv.tar.xz src/libiconv-$ICONV_VERSION/build | |
| fi | |
| if [ -d src/gettext-$GETTEXT_VERSION/build ]; then | |
| tar c -J -f build-log/gettext.tar.xz src/gettext-$GETTEXT_VERSION/build | |
| fi | |
| if find installed -mindepth 1 -maxdepth 1 | read; then | |
| tar c -J -f build-log/installed.tar.xz installed | |
| fi | |
| ls -al build-log | |
| - | |
| name: Copy built assets | |
| run: ./build-exe/create-output.sh installed files-unsigned '${{ steps.vars.outputs.mingw-host }}' | |
| - | |
| name: Delete install directory | |
| run: rm -rf installed | |
| - | |
| name: Process dependencies | |
| shell: pwsh | |
| run: > | |
| ./build-exe/process-dependencies.ps1 | |
| -Bits ${{ matrix.bits }} | |
| -Link ${{ matrix.link }} | |
| -OutputPath files-unsigned | |
| -MinGWPath C:\cygwin\usr\${{ steps.vars.outputs.mingw-host }} | |
| - | |
| name: Check bitness | |
| run: ./build-exe/check-bits.sh ${{ matrix.bits }} files-unsigned | |
| - | |
| name: Check if programs load translations correctly | |
| if: env.BUILD_ONLY_ICONV != 'y' | |
| shell: pwsh | |
| run: | | |
| $env:LANGUAGE = 'it' | |
| $stdout = & .\files-unsigned\bin\xgettext.exe --help | |
| if (-not($?)) { | |
| throw "xgettext.exe failed" | |
| } | |
| $stdout = $stdout -join "`n" | |
| if (!$stdout.Contains('impostazione predefinita')) { | |
| throw "xgettext.exe didn't load the translations.`nIts output is:`n$stdout" | |
| } | |
| Write-Host "xgettext.exe correctly loaded the translations when LANGUAGE=$env:LANGUAGE`nIts localized output is`n$stdout" | |
| - | |
| name: Upload unsigned files | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: upload-files-unsigned | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-files-unsigned | |
| path: files-unsigned | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - | |
| name: Sign files | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: sign-files | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: 98c3accc-92c9-4962-b150-ff1f5c6356b8 | |
| project-slug: gettext-iconv-windows | |
| signing-policy-slug: '${{ steps.vars.outputs.signpath-signing-policy }}' | |
| artifact-configuration-slug: gh_sigh_files | |
| github-artifact-id: ${{ steps.upload-files-unsigned.outputs.artifact-id }} | |
| wait-for-completion: true | |
| output-artifact-directory: files-signed | |
| parameters: | | |
| iconvPEVersion: "${{ env.ICONV_VERSION }}" | |
| gettextPEVersion: "${{ env.GETTEXT_VERSION }}" | |
| gettextPEVersionNumeric: "${{ steps.vars.outputs.gettext-peversion-numeric }}" | |
| - | |
| name: Check signatures | |
| if: steps.vars.outputs.signpath-signing-policy | |
| shell: pwsh | |
| run: > | |
| ./build-exe/check-signature.ps1 | |
| -Path files-signed | |
| -CanBeInvalid ${{ steps.vars.outputs.signatures-canbeinvalid }} | |
| - | |
| name: Create files archive | |
| shell: pwsh | |
| run: | | |
| if ('${{ steps.vars.outputs.signpath-signing-policy }}') { | |
| Set-Location -LiteralPath 'files-signed' | |
| } else { | |
| Set-Location -LiteralPath 'files-unsigned' | |
| } | |
| & 7z.exe a -bd -bt -mx9 -r -sse -tzip ..\gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.zip | |
| - | |
| name: Upload files archive | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-files | |
| path: gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.zip | |
| if-no-files-found: error | |
| compression-level: 0 | |
| - | |
| name: Prepare installer files | |
| run: | | |
| if [ -n '${{ steps.vars.outputs.signpath-signing-policy }}' ]; then | |
| mv files-signed installer-files | |
| else | |
| mv files-unsigned installer-files | |
| fi | |
| - | |
| name: Create installer | |
| shell: pwsh | |
| run: > | |
| ./build-exe/create-installer.ps1 | |
| -Bits ${{ matrix.bits }} | |
| -Link ${{ matrix.link }} | |
| -SourceDirectory installer-files | |
| -OutputDirectory installer-unsigned | |
| - | |
| name: Check bitness | |
| run: ./build-exe/check-bits.sh 32 installer-unsigned/gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| - | |
| name: Upload unsigned installer | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: upload-installer-unsigned | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-installer-unsigned | |
| path: installer-unsigned\gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| if-no-files-found: error | |
| compression-level: 0 | |
| retention-days: 1 | |
| - | |
| name: Sign installer | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: sign-installer | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: 98c3accc-92c9-4962-b150-ff1f5c6356b8 | |
| project-slug: gettext-iconv-windows | |
| signing-policy-slug: '${{ steps.vars.outputs.signpath-signing-policy }}' | |
| artifact-configuration-slug: gh_sigh_installer | |
| github-artifact-id: ${{ steps.upload-installer-unsigned.outputs.artifact-id }} | |
| wait-for-completion: true | |
| output-artifact-directory: installer-signed | |
| - | |
| name: Check signatures | |
| if: steps.vars.outputs.signpath-signing-policy | |
| shell: pwsh | |
| run: > | |
| ./build-exe/check-signature.ps1 | |
| -Path installer-signed | |
| -CanBeInvalid ${{ steps.vars.outputs.signatures-canbeinvalid }} | |
| - | |
| name: Move installer | |
| run: | | |
| if [ -n '${{ steps.vars.outputs.signpath-signing-policy }}' ]; then | |
| mv installer-signed/*.exe . | |
| else | |
| mv installer-unsigned/*.exe . | |
| fi | |
| - | |
| name: Upload installer | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-installer | |
| path: gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| if-no-files-found: error | |
| compression-level: 0 | |
| - | |
| name: Upload build log | |
| if: always() && steps.prepare-build-log.outcome == 'success' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-log | |
| if-no-files-found: ignore | |
| retention-days: 1 | |
| include-hidden-files: true | |
| compression-level: 0 | |
| path: build-log | |
| - | |
| name: Persist cache | |
| if: always() && steps.restore-cache.outputs.cache-hit != 'true' | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ steps.restore-cache.outputs.cache-primary-key }} | |
| path: | | |
| src\downloads | |
| C:\cygwin-packages |