Merge pull request #10599 from iamazeem/10559-win-sign-tech-debt

`./script/sign` cleanup
2025-03-19 13:32:59 -04:00 · 2025-03-19 13:32:59 -04:00 · cf3f0ee6b8
commit cf3f0ee6b8
parent 45ffa3c668 342e3cd70c
3 changed files with 10 additions and 45 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -39,8 +39,7 @@ builds:
    goarch: [386, amd64, arm64]
    hooks:
      post:
-        - cmd: >-
-            {{ if eq .Runtime.Goos "windows" }}pwsh .\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
+        - cmd: pwsh .\script\sign.ps1 '{{ .Path }}'
          output: true
    binary: bin/gh
    main: ./cmd/gh
--- a/docs/release-process-deep-dive.md
+++ b/docs/release-process-deep-dive.md
@ -428,9 +428,6 @@ Breaking this command down:
 * `/dlib` points to the previously extracted DLL
 * `/dmdf` points to the previously created metadata file

-> [!WARNING]
-> The [`GoReleaser` signing hook](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.goreleaser.yml#L43) can currently call `./script/sign` on a non-windows machine, but this is an artifact from pre-HSM that should be removed.
-
 ## <a id="release">[release](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.github/workflows/deployment.yml#L250-L395)</a>

 <details>
--- a/script/sign
+++ b/script/sign
@ -1,36 +1,12 @@
 #!/bin/bash
 # usage: script/sign <file>
 #
-# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs
-# Windows EXE and MSI files using osslsigncode.
+# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
 #
 set -e

-sign_windows() {
-  if [ -z "$CERT_FILE" ]; then
-    echo "skipping Windows code-signing; CERT_FILE not set" >&2
-    return 0
-  fi
-
-  if [ ! -f "$CERT_FILE" ]; then
-    echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
-    return 1
-  fi
-
-  if [ -z "$CERT_PASSWORD" ]; then
-    echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
-    return 1
-  fi
-
-  osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
-    -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
-    -in "$1" -out "$1"~
-
-  mv "$1"~ "$1"
-}
-
 sign_macos() {
-  if [ -z "$APPLE_DEVELOPER_ID" ]; then
+  if [[ -z "$APPLE_DEVELOPER_ID" ]]; then
    echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
    return 0
  fi
@ -42,24 +18,17 @@ sign_macos() {
  fi
 }

-if [ $# -eq 0 ]; then
+if [[ $# -eq 0 ]]; then
  echo "usage: script/sign <file>" >&2
  exit 1
 fi

 platform="$(uname -s)"
+if [[ $platform != "Darwin" ]]; then
+  echo "error: must run on macOS; skipping codesigning/notarization" >&2
+  exit 1
+fi

 for input_file; do
-  case "$input_file" in
-  *.exe | *.msi )
-    sign_windows "$input_file"
-    ;;
-  * )
-    if [ "$platform" = "Darwin" ]; then
-      sign_macos "$input_file"
-    else
-      printf "warning: don't know how to sign %s on %s\n" "$1", "$platform" >&2
-    fi
-    ;;
-  esac
-done
+  sign_macos "$input_file"
+done