STACKITGit/cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

./script/sign cleanup

Browse source
This commit is contained in:
Azeem Sajid 2025-03-14 11:51:09 +05:00
parent 234d2effd5
commit f3e4976da3
3 changed files with 4 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.goreleaser.yml
View file

@ -40,7 +40,7 @@ builds:
hooks:
post:
- cmd: >-
{{ if eq .Runtime.Goos "windows" }}pwsh .\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
{{ if eq .Runtime.Goos "windows" }}pwsh .\script\sign.ps1{{ end }} '{{ .Path }}'
output: true
binary: bin/gh
main: ./cmd/gh

3
docs/release-process-deep-dive.md
View file

@ -428,9 +428,6 @@ Breaking this command down:
* `/dlib` points to the previously extracted DLL
* `/dmdf` points to the previously created metadata file
> [!WARNING]
> The [`GoReleaser` signing hook](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.goreleaser.yml#L43) can currently call `./script/sign` on a non-windows machine, but this is an artifact from pre-HSM that should be removed.
## <a id="release">[release](https://github.com/cli/cli/blob/756f4ec04abdc9fdbab3fef35b182c546ef1dd17/.github/workflows/deployment.yml#L250-L395)</a>
<details>

33
script/sign
View file

@ -1,34 +1,10 @@
#!/bin/bash
# usage: script/sign <file>
#
# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs
# Windows EXE and MSI files using osslsigncode.
# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool
#
set -e
sign_windows() {
if [ -z "$CERT_FILE" ]; then
echo "skipping Windows code-signing; CERT_FILE not set" >&2
return 0
fi
if [ ! -f "$CERT_FILE" ]; then
echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
return 1
fi
if [ -z "$CERT_PASSWORD" ]; then
echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
return 1
fi
osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
-pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
-in "$1" -out "$1"~
mv "$1"~ "$1"
}
sign_macos() {
if [ -z "$APPLE_DEVELOPER_ID" ]; then
echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
@ -51,10 +27,7 @@ platform="$(uname -s)"
for input_file; do
case "$input_file" in
*.exe | *.msi )
sign_windows "$input_file"
;;
* )
*)
if [ "$platform" = "Darwin" ]; then
sign_macos "$input_file"
else
@ -62,4 +35,4 @@ for input_file; do
fi
;;
esac
done
done