Work around parallel race condition problems

2022-01-10 15:51:32 -06:00 · 2022-01-10 15:51:32 -06:00 · f30b7dbf72
commit f30b7dbf72
parent 45adc4ad76
3 changed files with 23 additions and 16 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -9,6 +9,7 @@ before:
  hooks:
    - go mod tidy
    - make manpages GH_VERSION={{.Version}}
+    - ./script/prepare-windows-cert.sh "{{.Env.GITHUB_CERT_PASSWORD}}" "{{.Env.DESKTOP_CERT_TOKEN}}"

 builds:
  - <<: &build_defaults
@ -34,10 +35,7 @@ builds:
    goarch: [386, amd64]
    hooks:
      post:
-        - cmd: ./script/sign-windows-executable.sh {{ .Path }}
-          env:
-            - GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }}
-            - DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }}
+        - ./script/sign-windows-executable.sh {{ .Path }}

 archives:
  - id: nix
--- a/script/prepare-windows-cert.sh
+++ b/script/prepare-windows-cert.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+GITHUB_CERT_PASSWORD=$1
+DESKTOP_CERT_TOKEN=$2
+
+curl \
+  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
+  -H "Accept: application/vnd.github.v3.raw" \
+  --output windows-certificate.pfx \
+  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+
+openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 1"
+openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 2"
--- a/script/sign-windows-executable.sh
+++ b/script/sign-windows-executable.sh
@ -3,14 +3,13 @@ set -e

 EXECUTABLE_PATH=$1

-curl \
-  -H "Authorization: token $DESKTOP_CERT_TOKEN" \
-  -H "Accept: application/vnd.github.v3.raw" \
-  --output windows-certificate.pfx \
-  https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx
+ARCH="386"

-openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem  -passin pass:${GITHUB_CERT_PASSWORD}
-openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD}
+if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then
+  ARCH="amd64"
+fi
+
+OUT_PATH=gh_signed-${ARCH}.exe

 osslsigncode sign \
  -certs certificate.pem \
@ -18,9 +17,6 @@ osslsigncode sign \
  -n "GitHub CLI" \
  -t http://timestamp.digicert.com \
  -in $EXECUTABLE_PATH \
-  -out gh_signed.exe
+  -out $OUT_PATH

-# Oddly, there can be a delay before the file is *actually* available - wait for it
-while [ ! -f gh_signed.exe ]; do sleep 1; done;
-
-mv gh_signed.exe $EXECUTABLE_PATH
+mv $OUT_PATH $EXECUTABLE_PATH