build: don't hardcode Windows certificate password

Read the Windows code-signing certificate password from a file instead
of hardcoding it into the CMake code.

Update the developer manual with instructions on where to put the
Windows code-signing certificate and the file containing the password
for it.

Signed-off-by: Rafael Kitover <rkitover@gmail.com>
Rafael Kitover 2024-09-29 20:57:40 +00:00
parent 7fa90531e6
commit 4e2799b582
No known key found for this signature in database
GPG Key ID: 08AB596679D86240
2 changed files with 9 additions and 4 deletions


@ -212,6 +212,10 @@ and tags.
Make sure you have set up a Windows code signing certificate with the right Make sure you have set up a Windows code signing certificate with the right
password and a Mac 'Developer ID Application' certificate. password and a Mac 'Developer ID Application' certificate.
Put the Windows certificate into `~/.codesign/windows_comodo.pkcs12` as a PKCS12
file that is password protected, and put the password for it into
`~/.codesign/windows_comodo.pkcs12.password`.
#### Release Commit and Tag #### Release Commit and Tag
Once you are sure you're ready to release, and you are in a git clone on master Once you are sure you're ready to release, and you are in a git clone on master


@ -788,7 +788,7 @@ endif()
if(UPSTREAM_RELEASE AND WIN32) if(UPSTREAM_RELEASE AND WIN32)
set(home "$ENV{HOME}") set(home "$ENV{HOME}")
if((MSVC OR NOT CMAKE_CROSSCOMPILING) AND NOT DEFINED ENV{MSYSTEM_PREFIX}) if(NOT home OR ((MSVC OR NOT CMAKE_CROSSCOMPILING) AND NOT DEFINED ENV{MSYSTEM_PREFIX}))
set(home "$ENV{USERPROFILE}") set(home "$ENV{USERPROFILE}")
endif() endif()
@ -796,8 +796,9 @@ if(UPSTREAM_RELEASE AND WIN32)
string(REGEX REPLACE "\\\\" "/" home "${home}") string(REGEX REPLACE "\\\\" "/" home "${home}")
set(cert "${home}/.codesign/windows_comodo.pkcs12") set(cert "${home}/.codesign/windows_comodo.pkcs12")
file(STRINGS "${home}/.codesign/windows_comodo.pkcs12.password" cert_password)
if(EXISTS "${cert}") if(EXISTS "${cert}" AND cert_password)
find_program(OSSLSIGNCODE_PROGRAM osslsigncode) find_program(OSSLSIGNCODE_PROGRAM osslsigncode)
find_program(SIGNTOOL_PROGRAM signtool) find_program(SIGNTOOL_PROGRAM signtool)
@ -806,7 +807,7 @@ if(UPSTREAM_RELEASE AND WIN32)
TARGET visualboyadvance-m TARGET visualboyadvance-m
POST_BUILD POST_BUILD
COMMAND ${CMAKE_COMMAND} -E rename visualboyadvance-m.exe visualboyadvance-m-unsigned.exe COMMAND ${CMAKE_COMMAND} -E rename visualboyadvance-m.exe visualboyadvance-m-unsigned.exe
COMMAND ${OSSLSIGNCODE_PROGRAM} sign -pkcs12 ${cert} -pass "vbam3!13" -t http://timestamp.digicert.com -n visualboyadvance-m -i https://github.com/visualboyadvance-m/visualboyadvance-m -in visualboyadvance-m-unsigned.exe -out visualboyadvance-m.exe COMMAND ${OSSLSIGNCODE_PROGRAM} sign -pkcs12 ${cert} -pass "${cert_password}" -t http://timestamp.digicert.com -n visualboyadvance-m -i https://github.com/visualboyadvance-m/visualboyadvance-m -in visualboyadvance-m-unsigned.exe -out visualboyadvance-m.exe
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
elseif(SIGNTOOL_PROGRAM) elseif(SIGNTOOL_PROGRAM)
@ -814,7 +815,7 @@ if(UPSTREAM_RELEASE AND WIN32)
TARGET visualboyadvance-m TARGET visualboyadvance-m
POST_BUILD POST_BUILD
COMMAND ${CMAKE_COMMAND} -E copy visualboyadvance-m.exe visualboyadvance-m-unsigned.exe COMMAND ${CMAKE_COMMAND} -E copy visualboyadvance-m.exe visualboyadvance-m-unsigned.exe
COMMAND ${SIGNTOOL_PROGRAM} sign /f ${cert} /fd certHash /td certHash /p "vbam3!13" /tr http://timestamp.digicert.com /du https://github.com/visualboyadvance-m/visualboyadvance-m /a visualboyadvance-m.exe COMMAND ${SIGNTOOL_PROGRAM} sign /f ${cert} /fd certHash /td certHash /p "${cert_password}" /tr http://timestamp.digicert.com /du https://github.com/visualboyadvance-m/visualboyadvance-m /a visualboyadvance-m.exe
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
endif() endif()
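Review bot: The password read by the added `file(STRINGS ...)` line is still expanded at configure time into both POST_BUILD sign commands, so it ends up in clear text in the generated build files and in verbose build output; in the osslsigncode command, `-readpass "${cert}.password"` in place of `-pass "${cert_password}"` would let the tool read the file itself (worth checking how it treats a trailing newline). `file(STRINGS ...)` also runs unconditionally and fails the configure step when the file cannot be read, so the new `AND cert_password` test cannot skip signing on a machine without the password file; guarding the read with `if(EXISTS "${cert}.password")` keeps the old skip behaviour. `if(... AND cert_password)` additionally evaluates the value as a CMake boolean, so a password such as `0` or `OFF` would silently disable signing. The enclosing `if(UPSTREAM_RELEASE AND WIN32)` block and the `add_custom_command(` openers lie outside the hunks shown. The literal removed from the two sign commands stays in the repository history, so the PKCS12 passphrase should be changed when the password file is created.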