Added: ffdec-cli.exe is signed

This commit is contained in:
Jindra Petřík
2026-02-16 18:54:53 +01:00
parent 203ac6dcc9
commit acbafca451
3 changed files with 137 additions and 4 deletions

View File

@@ -274,7 +274,7 @@ jobs:
name: lib_dist
path: libsrc/ffdec_lib/dist
exe:
name: Generate EXE
name: Generate EXEs
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -351,12 +351,37 @@ jobs:
xvfb-run wine $WINEPREFIX/resourcehacker/ResourceHacker.exe -open $WINEPREFIX/versioninfo.rc -save $WINEPREFIX/versioninfo.res -action compile
xvfb-run wine $WINEPREFIX/resourcehacker/ResourceHacker.exe -open $WINEPREFIX/ffdec.exe -save $WINEPREFIX/ffdec.exe -action addoverwrite -res $WINEPREFIX/versioninfo.res -mask "Version Info,1"
cp $WINEPREFIX/ffdec.exe resources/ffdec.exe
- name: Upload EXE
uses: actions/upload-artifact@v4
with:
name: unsigned_exe
path: resources/ffdec.exe
- name: Generate CLI EXE version info
run: |
sed -i \
-e 's/@MAJOR@/${{ needs.compute-version.outputs.verMajor }}/g' \
-e 's/@MINOR@/${{ needs.compute-version.outputs.verMinor }}/g' \
-e 's/@RELEASE@/${{ needs.compute-version.outputs.verRelease }}/g' \
-e 's/@BUILD@/${{ needs.compute-version.outputs.verBuild }}/g' \
-e 's/@VERSION@/${{ needs.compute-version.outputs.verShort }}/g' \
versioninfo-cli.rc
- name: Replace CLI EXE version info
run: |
export WINEPREFIX=$(pwd)/tools/wine
cp resources/ffdec-cli.exe $WINEPREFIX/ffdec-cli.exe
cp versioninfo-cli.rc $WINEPREFIX/versioninfo-cli.rc
xvfb-run wine $WINEPREFIX/resourcehacker/ResourceHacker.exe -open $WINEPREFIX/versioninfo-cli.rc -save $WINEPREFIX/versioninfo-cli.res -action compile
xvfb-run wine $WINEPREFIX/resourcehacker/ResourceHacker.exe -open $WINEPREFIX/ffdec-cli.exe -save $WINEPREFIX/ffdec-cli.exe -action addoverwrite -res $WINEPREFIX/versioninfo-cli.res -mask "Version Info,1"
cp $WINEPREFIX/ffdec-cli.exe resources/ffdec-cli.exe
- name: Upload CLI EXE
uses: actions/upload-artifact@v4
with:
name: unsigned_cli_exe
path: resources/ffdec-cli.exe
#--- Note: Windows runner cannot run Resource Hacker for some reason
# exe:
# name: Generate EXE
@@ -464,6 +489,12 @@ jobs:
with:
name: unsigned_exe
path: dist/
- name: Download unsigned CLI EXE artifact
uses: actions/download-artifact@v4
with:
name: unsigned_cli_exe
path: dist/
- name: Set up JDK
uses: actions/setup-java@v4
@@ -644,7 +675,68 @@ jobs:
shell: pwsh
run: |
$signtool = "${{ steps.signtool.outputs.path }}"
& $signtool verify /pa /v "dist/ffdec.exe"
& $signtool verify /pa /v "dist/ffdec.exe"
- name: Sign CLI EXE with KMS key
shell: pwsh
run: |
$signtool = "${{ steps.signtool.outputs.path }}"
$kc = "projects/$env:GCP_PROJECT_ID/locations/$env:GCP_LOCATION/keyRings/$env:KMS_KEYRING/cryptoKeys/$env:KMS_KEY/cryptoKeyVersions/$env:KMS_KEY_VERSION"
$ErrorActionPreference = 'Stop'
$exe = $signtool
$args = @(
"sign",
"/v",
"/debug",
"/fd", "sha256",
"/tr", "http://timestamp.sectigo.com?td=sha256",
"/td", "sha256",
"/f", "$env:CERT_PATH",
"/csp", "Google Cloud KMS Provider",
"/kc", "$kc",
"dist/ffdec-cli.exe"
)
# --- retry policy ---
$maxAttempts = 5
$delaySeconds = 10
$needle = "SignTool Error: An unexpected internal error has occurred"
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
Write-Host "Attempt $attempt/${maxAttempts}: $exe $($args -join ' ')"
$output = & $exe @args 2>&1 | Out-String
$exitCode = $LASTEXITCODE
if ($output) { Write-Host $output.TrimEnd() }
if ($exitCode -eq 0) {
Write-Host "Succeeded."
exit 0
}
$hasNeedle = $output -match [regex]::Escape($needle)
if ($hasNeedle -and $attempt -lt $maxAttempts) {
Write-Warning "Detected transient SignTool internal error. Retrying in $delaySeconds seconds..."
Start-Sleep -Seconds $delaySeconds
continue
}
if ($hasNeedle) {
throw "Failed after $maxAttempts attempts due to repeated SignTool internal error (exit code $exitCode)."
} else {
throw "Command failed (exit code $exitCode). Output did not match retry condition."
}
}
- name: Verify CLI EXE signature
shell: pwsh
run: |
$signtool = "${{ steps.signtool.outputs.path }}"
& $signtool verify /pa /v "dist/ffdec-cli.exe"
- name: Get Msi tools path
@@ -755,8 +847,14 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: signed_exe
path: dist/ffdec.exe
path: dist/ffdec.exe
- name: Upload signed CLI EXE artifact
uses: actions/upload-artifact@v4
with:
name: signed_cli_exe
path: dist/ffdec-cli.exe
- name: Rename MSI
shell: cmd
run: |
@@ -816,7 +914,13 @@ jobs:
with:
name: signed_exe
path: dist/
- name: Download signed CLI EXE artifact
uses: actions/download-artifact@v4
with:
name: signed_cli_exe
path: dist/
- name: Download signed MSI artifact
uses: actions/download-artifact@v4
with: