Fix Windows code signing (#6233)

This commit is contained in:
Florian Rival
2024-01-21 22:03:44 +01:00
committed by GitHub
parent 7fbe1bd23d
commit 70d5de16bf
4 changed files with 188 additions and 90 deletions


@@ -16,7 +16,47 @@ skip_tags: true # Don't rebuild on tags.
init:
- ps: Install-Product node 16
- cmd: set NODE_OPTIONS=--max-old-space-size=8192
cache:
- '%APPDATA%\npm-cache' # npm cache
- newIDE\app\node_modules -> newIDE\app\package-lock.json
- newIDE\electron-app\node_modules -> newIDE\electron-app\package-lock.json
- GDevelop.js\node_modules -> GDevelop.js\package-lock.json
install:
# Download and install SSL.com eSigner CKA.
# See https://www.ssl.com/how-to/how-to-integrate-esigner-cka-with-ci-cd-tools-for-automated-code-signing/.
#
# This is necessary because of "signing to be FIPS-140 compliant". See
# https://github.com/electron-userland/electron-builder/issues/6158
#
# Make sure to DISABLE "malware blocker" in SSL.com to avoid errors like:
# Error information: "Error: SignerSign() failed." (-2146893821/0x80090003)
- ps: >-
# Download and Unzip eSignerCKA Setup
Set-StrictMode -Version 'Latest'
Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
Expand-Archive -Force eSigner_CKA_Setup.zip
Remove-Item eSigner_CKA_Setup.zip
Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"
# Install it. See https://www.ssl.com/how-to/how-to-integrate-esigner-cka-with-ci-cd-tools-for-automated-code-signing/
New-Item -ItemType Directory -Force -Path "C:\projects\gdevelop\eSignerCKA"
./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\projects\gdevelop\eSignerCKA" | Out-Null
# Disable logger.
# $LogConfig = Get-Content -Path C:\projects\gdevelop\eSignerCKA/log4net.config
# $LogConfig[0] = '<log4net threshold="OFF">'
# $LogConfig | Set-Content -Path C:\projects\gdevelop\eSignerCKA/log4net.config
# Build GDevelop.js (and run tests to ensure it works).
# (in a subshell to avoid Emscripten polluting the Node.js and npm version for the rest of the build)
- cmd: >-
@@ -39,7 +79,7 @@ install:
# setuptools will make distutils available again (but we should migrate our packages probably).
- cmd: >-
pip install setuptools
cd newIDE\app
npm -v && npm install
@@ -50,21 +90,54 @@ install:
cd ..\..
# Package the app for Windows (and sign it with the certificate set in environment variables).
# Package the app for Windows (and sign it).
# Don't sign the appx (it will be signed by the Microsoft Store).
build_script:
- ps: >-
cd newIDE\electron-app
# Prepare certificate. See https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/?_gl=1*vuybcy*_gcl_au*MTEwODg1NDM2Mi4xNzA1ODU1NjM4#automated-code-signing
C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe config -mode product -user "$Env:ESIGNER_USER_NAME" -pass "$Env:ESIGNER_USER_PASSWORD" -totp "$Env:ESIGNER_USER_TOTP" -key "C:\projects\gdevelop\eSignerCKA\master.key" -r
C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe unload
C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe load
# Find certificate so we can tell electron-builder which one to use.
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo Certificate: $CodeSigningCert
# Use a custom signtool path because of the signtool.exe bundled withy electron-builder not working for some reason.
# Can also be found in versioned folders like "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe".
$Env:SIGNTOOL_PATH = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
# Extract thumbprint and subject name of the certificate (will be passed to electron-builder).
$Env:GD_SIGNTOOL_THUMBPRINT = $CodeSigningCert.Thumbprint
$Env:GD_SIGNTOOL_SUBJECT_NAME = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN
# Build the nsis installer (signed: electron-builder will use SignTool.exe with the certificate)
node scripts/build.js --win nsis --publish=never
Remove-Item -Path Env:CSC_LINK ; Remove-Item -Path Env:CSC_KEY_PASSWORD ; node scripts/build.js --skip-app-build --win appx --publish=never
# Build the appx (not signed).
$Env:GD_SIGNTOOL_THUMBPRINT = ''
$Env:GD_SIGNTOOL_SUBJECT_NAME = ''
node scripts/build.js --skip-app-build --win appx --publish=never
cd ..\..
# Clean dist folder to keep only installers/binaries.
- cmd: >-
DEL /F/Q/S newIDE\electron-app\dist\win-unpacked
rmdir /s /q newIDE\electron-app\dist\win-unpacked
# Run a few tests on Windows.
test_script:
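Review bot: In the build_script hunk the certificate lookup `$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1` has no failure path: the three `eSignerCKATool.exe` calls before it never have their exit codes checked, so if `config` or `load` fails the lookup yields `$null`, `GD_SIGNTOOL_THUMBPRINT` is set to an empty value, and the new config file's fallback branch lets the job finish green with an unsigned installer. Add `if (-not $CodeSigningCert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }` directly after the lookup and check `$LASTEXITCODE` after each eSignerCKATool call so a signing failure fails the build. In the install hunk, the eSigner CKA archive fetched by `Invoke-WebRequest` is pinned by release tag only; comparing `(Get-FileHash eSigner_CKA_Setup.zip -Algorithm SHA256).Hash` against a recorded value (`<EXPECTED_SHA256>`) before `Expand-Archive` would detect a replaced release asset, which matters because this tool mediates access to the signing key. The installer invocation `./eSigner_CKA_Installer.exe ... | Out-Null` likewise discards its exit status and would benefit from the same `$LASTEXITCODE` check.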


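--- /dev/null
+++ b/electron-builder-config.js
+/**
+* @type {import('electron-builder').Configuration}
+* @see https://www.electron.build/configuration/configuration
+*/
+const config = {
+appId: 'com.gdevelop-app.ide',
+extraResources: [
+{
+from: '../app/resources/in-app-tutorials',
+to: 'in-app-tutorials',
+},
+{
+from: '../app/resources/GDJS',
+to: 'GDJS',
+},
+{
+from: '../app/resources/preview_node_modules',
+to: 'preview_node_modules',
+},
+],
+linux: {
+target: [
+{
+target: 'AppImage',
+arch: ['x64', 'arm64'],
+},
+{
+target: 'zip',
+arch: ['x64', 'arm64'],
+},
+{
+target: 'deb',
+arch: ['x64', 'arm64'],
+},
+],
+},
+mac: {
+category: 'public.app-category.developer-tools',
+hardenedRuntime: true,
+entitlements: './build/entitlements.mac.inherit.plist',
+target: {
+target: 'default',
+arch: ['universal'],
+},
+},
+win: {
+executableName: 'GDevelop',
+},
+nsis: {
+oneClick: false,
+allowToChangeInstallationDirectory: true,
+},
+appx: {
+publisherDisplayName: 'GDevelop game engine',
+displayName: 'GDevelop',
+publisher: 'CN=B13CB8D3-97AA-422C-A394-0EE51B9ACAD3',
+identityName: 'GDevelopgameengine.GDevelop',
+backgroundColor: '#524F9C',
+languages: [
+'EN-US',
+'ZH-HANS',
+'DE',
+'IT',
+'JA',
+'PT-BR',
+'RU',
+'ES',
+'FR',
+'SL',
+],
+},
+afterSign: 'scripts/electron-builder-after-sign.js',
+publish: [
+{
+provider: 'github',
+},
+],
+};
+if (
+process.env.GD_SIGNTOOL_SUBJECT_NAME &&
+process.env.GD_SIGNTOOL_THUMBPRINT
+) {
+config.win.certificateSubjectName = process.env.GD_SIGNTOOL_SUBJECT_NAME;
+config.win.certificateSha1 = process.env.GD_SIGNTOOL_THUMBPRINT;
+// electron-builder default signtool.exe is not sufficient for some reason.
+if (!process.env.SIGNTOOL_PATH) {
+console.error(
+"❌ SIGNTOOL_PATH is not specified - signing won't work with the builtin signtool provided by electron-builder."
+);
+} else {
+console.log(
+' SIGNTOOL_PATH is specified and set to:',
+process.env.SIGNTOOL_PATH
+);
+}
+// Seems required, see https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1587045539.
+config.win.signingHashAlgorithms = ['sha256'];
+console.log(' Set Windows build signing options:', config.win);
+} else {
+console.log(' No Windows build signing options set.');
+}
+module.exports = config;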
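Review bot: When the thumbprint and subject name are present but `SIGNTOOL_PATH` is not, the `if (!process.env.SIGNTOOL_PATH)` branch only calls `console.error` and the build carries on, even though the comment right above it states the bundled signtool is not sufficient; this is a configuration error that should stop the build instead of leaving the outcome to a later, less visible failure, so replace the `console.error(...)` call with `throw new Error("SIGNTOOL_PATH is not specified - signing won't work with the builtin signtool provided by electron-builder.");`. The final `else` branch likewise accepts a build with no signing options at all, which is convenient locally but in CI means a lost or unfound certificate quietly yields an unsigned installer; gating that branch on an explicit opt-in environment variable when running in CI would make the unsigned case deliberate. A short header comment listing the environment variables this file reads (`GD_SIGNTOOL_SUBJECT_NAME`, `GD_SIGNTOOL_THUMBPRINT`, `SIGNTOOL_PATH`) and that they are populated by the CI build script would help the next maintainer, since nothing in the file says where they come from.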


@@ -19,91 +19,6 @@
"import-zipped-electron-extensions": "node scripts/import-zipped-electron-extension.js ReactDeveloperTools app/extensions/",
"copy-electron-remote-to-app-resources": "node scripts/copy-electron-remote-to-app-resources.js"
},
"build": {
"appId": "com.gdevelop-app.ide",
"extraResources": [
{
"from": "../app/resources/in-app-tutorials",
"to": "in-app-tutorials"
},
{
"from": "../app/resources/GDJS",
"to": "GDJS"
},
{
"from": "../app/resources/preview_node_modules",
"to": "preview_node_modules"
}
],
"linux": {
"target": [
{
"target": "AppImage",
"arch": [
"x64",
"arm64"
]
},
{
"target": "zip",
"arch": [
"x64",
"arm64"
]
},
{
"target": "deb",
"arch": [
"x64",
"arm64"
]
}
]
},
"mac": {
"category": "public.app-category.developer-tools",
"hardenedRuntime": true,
"entitlements": "./build/entitlements.mac.inherit.plist",
"target": {
"target": "default",
"arch": [
"universal"
]
}
},
"win": {
"executableName": "GDevelop"
},
"nsis": {
"oneClick": false,
"allowToChangeInstallationDirectory": true
},
"appx": {
"publisherDisplayName": "GDevelop game engine",
"displayName": "GDevelop",
"publisher": "CN=B13CB8D3-97AA-422C-A394-0EE51B9ACAD3",
"identityName": "GDevelopgameengine.GDevelop",
"backgroundColor": "#524F9C",
"languages": [
"EN-US",
"ZH-HANS",
"DE",
"IT",
"JA",
"PT-BR",
"RU",
"ES",
"FR",
"SL"
]
},
"afterSign": "scripts/electron-builder-after-sign.js",
"publish": [
{
"provider": "github"
}
]
},
"devDependencies": {
"@electron/notarize": "^2.1.0",
"adm-zip": "^0.5.10",


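--- a/scripts/build.js
+++ b/scripts/build.js
@@ -20,7 +20,11 @@ let electronBuilderArguments = process.argv
 .slice(2)
 .filter(arg => arg !== '--skip-app-build');
 shell.exec(
-[electronBuilder, electronBuilderArguments.join(' ')].join(' '),
+[
+electronBuilder,
+'--config=electron-builder-config.js',
+electronBuilderArguments.join(' '),
+].join(' '),
 code => {
 if (code !== 0) {
 shell.echo(`❌ Electron build failed with code ${code}.`);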
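Review bot: The path added on the `'--config=electron-builder-config.js'` line is resolved relative to the process working directory, so the build only finds the config when run from the directory the CI script `cd`s into and fails with a missing-config error when `scripts/build.js` is invoked from anywhere else; resolving it against the script's own location, for example `` `--config=${path.join(__dirname, '..', 'electron-builder-config.js')}` ``, removes that dependence (assuming the config sits next to the package manifest as the relative path suggests and `path` is available in this file). Since the command is still assembled by joining elements with spaces, any argument carrying spaces or shell metacharacters is re-split by the shell; that predates this hunk, but now that the list is built by hand it is a good moment to quote each element or pass an argv array to `child_process.spawn` instead. The `shell.exec` call begins before this hunk and its callback continues after it.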