
Commit 97801ff

authored
Hardened signing with Developer ID (#1331)
IB-8451 Signed-off-by: Raul Metsma <[email protected]>
1 parent 6ed7808 commit 97801ff

3 files changed

+16
-27
lines changed


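--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,7 +29,7 @@ jobs:
 env:
 HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: YES
 run: |
-brew install ninja flatbuffers
+brew install flatbuffers
 HASH=($(shasum prepare_osx_build_environment.sh))
 curl -O -L -s https://installer.id.ee/media/github/opensc_0.23.0.pkg
 curl -O -L -s https://installer.id.ee/media/github/${HASH}.zip
@@ -100,16 +100,8 @@ jobs:
 container: fedora:${{ matrix.container }}
 strategy:
 matrix:
-container: [40, 41, 42]
+container: [41, 42]
 steps:
-- name: Install Deps
-run: |
-dnf install -y --setopt=install_weak_deps=False \
-git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel flatbuffers-devel flatbuffers-compiler zlib-devel
-- name: Checkout
-uses: actions/checkout@v4
-with:
-submodules: recursive
 - name: Download artifact
 uses: dawidd6/action-download-artifact@v6
 with:
@@ -118,8 +110,12 @@ jobs:
 name: fedora_${{ matrix.container }}
 path: libdigidocpp-pkg
 repo: open-eid/libdigidocpp
-- name: Install artifact
-run: dnf install -y ./libdigidocpp-pkg/*.rpm
+- name: Install Deps
+run: dnf install -y ./libdigidocpp-pkg/*.rpm git gcc-c++ cmake rpm-build gettext openssl-devel openldap-devel pcsc-lite-devel qt6-qtsvg-devel qt6-qttools-devel flatbuffers-devel flatbuffers-compiler zlib-devel
+- name: Checkout
+uses: actions/checkout@v4
+with:
+submodules: recursive
 - name: Build
 run: |
 cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S .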
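Review bot: The merged `Install Deps` step in the Fedora job drops `--setopt=install_weak_deps=False`, which the removed step passed to dnf, so the container now pulls in weak dependencies alongside the toolchain and the downloaded libdigidocpp RPMs. If that was not intended, keep the option on the combined command, e.g. `run: dnf install -y --setopt=install_weak_deps=False ./libdigidocpp-pkg/*.rpm git gcc-c++ cmake ...`. The step installs whatever `*.rpm` files the artifact download produced, and the hunk shows no integrity check on them; a short comment such as `# RPMs come from the open-eid/libdigidocpp workflow artifact` would record that trust decision. Both `actions/checkout@v4` and `dawidd6/action-download-artifact@v6` are referenced by mutable tag rather than by commit SHA, which matters more now that this job's output is signed with a Developer ID.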

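--- a/client/CMakeLists.txt
+++ b/client/CMakeLists.txt
@@ -200,7 +200,7 @@ if( APPLE )
 $<TARGET_BUNDLE_CONTENT_DIR:${PROJECT_NAME}>/PlugIns/*/*
 $<TARGET_BUNDLE_CONTENT_DIR:${PROJECT_NAME}>/Library/QuickLook/DigiDocQL.qlgenerator
 COMMAND if echo \"$$SIGNCERT\" | grep -q "Developer ID" \; then
-codesign -f -s \"$$SIGNCERT\" $<TARGET_BUNDLE_DIR:${PROJECT_NAME}> --entitlements ${CMAKE_SOURCE_DIR}/${PROJECT_NAME}.eToken.entitlements\;
+codesign -f --options runtime -s \"$$SIGNCERT\" $<TARGET_BUNDLE_DIR:${PROJECT_NAME}> --entitlements ${CMAKE_SOURCE_DIR}/${PROJECT_NAME}.eToken.entitlements\;
 else
 codesign -f -s \"$$SIGNCERT\" $<TARGET_BUNDLE_DIR:${PROJECT_NAME}> --entitlements ${CMAKE_SOURCE_DIR}/${PROJECT_NAME}.entitlements\;
 fi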
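Review bot: `--options runtime` is added only to the final bundle-level `codesign` call in the Developer ID branch. The command that signs `PlugIns/*/*` and `DigiDocQL.qlgenerator` begins above this hunk, so it is not visible whether those nested binaries get the flag too. Each nested executable carries its own signature flags, so if the earlier command lacks the option the bundle would be only partly hardened; that is worth confirming against the full file. The `else` branch still signs without the hardened runtime, which is presumably deliberate for the other certificate type but is stated nowhere. A comment line above this `COMMAND` would document both points, for example `# Developer ID builds enable the hardened runtime; the eToken entitlements file lists the exceptions it needs`, worded to match what that file actually contains.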

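--- a/extensions/windows/CMakeLists.txt
+++ b/extensions/windows/CMakeLists.txt
@@ -1,12 +1,5 @@
 cmake_minimum_required(VERSION 3.16)
 project(EsteidShellExtension VERSION 3.13.9)
-
-if(CMAKE_SIZEOF_VOID_P EQUAL 8)
-set(PLATFORM "x64")
-else()
-set(PLATFORM "x86")
-endif()
-
 add_library(${PROJECT_NAME} SHARED
 dllmain.cpp
 EsteidShellExtension.def
@@ -32,15 +25,15 @@ set_target_properties(${PROJECT_NAME} PROPERTIES
 
 add_custom_target(msishellext DEPENDS ${PROJECT_NAME}
 COMMAND wix.exe build -nologo
--arch ${PLATFORM}
+-arch $ENV{PLATFORM}
 -d ShellExt=$<TARGET_FILE:EsteidShellExtension>
 ${CMAKE_CURRENT_SOURCE_DIR}/EsteidShellExtension.wxs
-${CMAKE_MODULE_PATH}/WelcomeDlg.wxs
-${CMAKE_MODULE_PATH}/WixUI_Minimal.wxs
+${CMAKE_CURRENT_SOURCE_DIR}/../../common/WelcomeDlg.wxs
+${CMAKE_CURRENT_SOURCE_DIR}/../../common/WixUI_Minimal.wxs
 -ext WixToolset.UI.wixext
--bv WixUIDialogBmp=${CMAKE_MODULE_PATH}/dlgbmp.bmp
--bv WixUIBannerBmp=${CMAKE_MODULE_PATH}/banner.bmp
--o Digidoc_ShellExt-${VERSION}$ENV{VER_SUFFIX}.${PLATFORM}.msi
+-bv WixUIDialogBmp=${CMAKE_CURRENT_SOURCE_DIR}/../../common/dlgbmp.bmp
+-bv WixUIBannerBmp=${CMAKE_CURRENT_SOURCE_DIR}/../../common/banner.bmp
+-o Digidoc_ShellExt-${VERSION}$ENV{VER_SUFFIX}.$ENV{PLATFORM}.msi
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
 
@@ -57,6 +50,6 @@ if(SIGNCERT)
 add_custom_command(TARGET msishellext POST_BUILD
 COMMAND signtool.exe sign /a /v /s MY /n "${SIGNCERT}" /fd SHA256 /du http://installer.id.ee
 /tr http://timestamp.digicert.com /td SHA256
-"${CMAKE_BINARY_DIR}/Digidoc_ShellExt-${VERSION}$ENV{VER_SUFFIX}.$ENV{PLATFORM}.msi"
+"${CMAKE_BINARY_DIR}/Digidoc_ShellExt-${VERSION}$ENV{VER_SUFFIX}.$ENV{PLATFORM}.msi"
 )
 endif()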
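Review bot: `$ENV{PLATFORM}` is expanded at configure time and nothing checks that it is set, so with the variable missing `wix.exe` receives `-arch` with no value and the MSI name passed to `-o` and to `signtool.exe` has an empty architecture component. The removed block derived the value from `CMAKE_SIZEOF_VOID_P`, which kept the installer architecture tied to the compiled DLL; an environment value can disagree with the toolchain and yield a mislabelled but validly signed package. A guard near the top of the file would make the build fail early: `if(NOT DEFINED ENV{PLATFORM})`, `message(FATAL_ERROR "PLATFORM must be set in the environment")`, `endif()`. A one-line comment above it naming which build script exports `PLATFORM` and `VER_SUFFIX` would also help, since neither source is visible in this file.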
