From 4e2799b58217fbe80c9719a83c0544be22971323 Mon Sep 17 00:00:00 2001
From: Rafael Kitover
Date: Sun, 29 Sep 2024 20:57:40 +0000
Subject: [PATCH] build: don't hardcode Windows certificate password

Use a file for the Windows code-signing certificate instead of hardcoding it into the CMake code. Update the developer manual with instructions on where to put the Windows code-signing certificate and the file containing the password for it.

Signed-off-by: Rafael Kitover
---
 DEVELOPER-MANUAL.md | 4 ++++
 src/wx/CMakeLists.txt | 9 +++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/DEVELOPER-MANUAL.md b/DEVELOPER-MANUAL.md
index 530ccb50..5eab31dd 100644
--- a/DEVELOPER-MANUAL.md
+++ b/DEVELOPER-MANUAL.md
@@ -212,6 +212,10 @@ and tags.
 Make sure you have set up a Windows code signing certificate with the right password and a Mac 'Developer ID Application' certificate.
+Put the Windows certificate into `~/.codesign/windows_comodo.pkcs12` as a PKCS12
+file that is password protected, and put the password for it into
+`~/.codesign/windows_comodo.pkcs12.password`.
+
 #### Release Commit and Tag
 Once you are sure you're ready to release, and you are in a git clone on master
diff --git a/src/wx/CMakeLists.txt b/src/wx/CMakeLists.txt
index 794eb8e0..7f0fbf7e 100644
--- a/src/wx/CMakeLists.txt
+++ b/src/wx/CMakeLists.txt
@@ -788,7 +788,7 @@ endif()
 if(UPSTREAM_RELEASE AND WIN32)
 set(home "$ENV{HOME}")
- if((MSVC OR NOT CMAKE_CROSSCOMPILING) AND NOT DEFINED ENV{MSYSTEM_PREFIX})
+ if(NOT home OR ((MSVC OR NOT CMAKE_CROSSCOMPILING) AND NOT DEFINED ENV{MSYSTEM_PREFIX}))
 set(home "$ENV{USERPROFILE}")
 endif()
@@ -796,8 +796,9 @@ if(UPSTREAM_RELEASE AND WIN32)
 string(REGEX REPLACE "\\\\" "/" home "${home}")
 set(cert "${home}/.codesign/windows_comodo.pkcs12")
+ file(STRINGS "${home}/.codesign/windows_comodo.pkcs12.password" cert_password)
- if(EXISTS "${cert}")
+ if(EXISTS "${cert}" AND cert_password)
 find_program(OSSLSIGNCODE_PROGRAM osslsigncode)
 find_program(SIGNTOOL_PROGRAM signtool)
@@ -806,7 +807,7 @@ if(UPSTREAM_RELEASE AND WIN32)
 TARGET visualboyadvance-m
 POST_BUILD
 COMMAND ${CMAKE_COMMAND} -E rename visualboyadvance-m.exe visualboyadvance-m-unsigned.exe
- COMMAND ${OSSLSIGNCODE_PROGRAM} sign -pkcs12 ${cert} -pass "vbam3!13" -t http://timestamp.digicert.com -n visualboyadvance-m -i https://github.com/visualboyadvance-m/visualboyadvance-m -in visualboyadvance-m-unsigned.exe -out visualboyadvance-m.exe
+ COMMAND ${OSSLSIGNCODE_PROGRAM} sign -pkcs12 ${cert} -pass "${cert_password}" -t http://timestamp.digicert.com -n visualboyadvance-m -i https://github.com/visualboyadvance-m/visualboyadvance-m -in visualboyadvance-m-unsigned.exe -out visualboyadvance-m.exe
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
 elseif(SIGNTOOL_PROGRAM)
@@ -814,7 +815,7 @@ if(UPSTREAM_RELEASE AND WIN32)
 TARGET visualboyadvance-m
 POST_BUILD
 COMMAND ${CMAKE_COMMAND} -E copy visualboyadvance-m.exe visualboyadvance-m-unsigned.exe
- COMMAND ${SIGNTOOL_PROGRAM} sign /f ${cert} /fd certHash /td certHash /p "vbam3!13" /tr http://timestamp.digicert.com /du https://github.com/visualboyadvance-m/visualboyadvance-m /a visualboyadvance-m.exe
+ COMMAND ${SIGNTOOL_PROGRAM} sign /f ${cert} /fd certHash /td certHash /p "${cert_password}" /tr http://timestamp.digicert.com /du https://github.com/visualboyadvance-m/visualboyadvance-m /a visualboyadvance-m.exe
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
 endif()
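Review bot: The added `file(STRINGS ...)` in the `-796,8` hunk runs before any existence check, and file(STRINGS) stops the configure step with a fatal error when the file cannot be read, so an UPSTREAM_RELEASE Windows configure without the password file fails instead of skipping signing as the `if(EXISTS "${cert}" AND cert_password)` guard intends. The `AND cert_password` test is also a truthiness test, so a password whose text is one of CMake's false constants (`0`, `OFF`, `NO`, ...) or ends in `-NOTFOUND` would silently disable signing, and a file with more than one line yields a list rather than one value. Reading the file only when it exists, taking only the first line and comparing against the empty string covers all three cases. The enclosing `if(UPSTREAM_RELEASE AND WIN32)` block starts and ends outside this hunk.

```cmake
set(cert "${home}/.codesign/windows_comodo.pkcs12")
set(cert_password "")
if(EXISTS "${cert}.password")
    # Take the first line only, so a trailing blank line cannot turn the value into a list.
    file(STRINGS "${cert}.password" cert_password LIMIT_COUNT 1)
endif()

if(EXISTS "${cert}" AND NOT "${cert_password}" STREQUAL "")
# … unchanged: find_program calls …
```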
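Review bot: `-pass "${cert_password}"` in the `-806,7` hunk is expanded at configure time, so the certificate password is written in clear text into the generated build files in the build directory and shows up on the signing tool's command line and in verbose build output; the same holds for `/p "${cert_password}"` in the `-814,7` hunk. osslsigncode can read the password from the file itself, e.g. `-pkcs12 ${cert} -readpass ${cert}.password`, and for signtool a certificate installed in the Windows certificate store and selected with `/sha1` or `/n` avoids `/p` altogether. Neither `add_custom_command` shows `VERBATIM` before its closing `)`, so a password containing shell-special characters is escaped in a platform-dependent way. Because the previous literal remains in the repository history, moving it to a file protects the key only if the PKCS#12 file is re-exported with a new password. Both `add_custom_command` calls begin outside their hunks.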