Commit 0f5d1b5

Avoid hardcoding signtool PATH in package-windows build step (#4535)
* Avoid hardcoding signtool path in package-windows build step

  Closes #4105

* Move signtool.exe fetching into package-windows step

* Add ampersand so pwsh calls signtool

* Comment out unnecessary steps for testing

* Revert changes needed for testing build

1 parent ffdf89c commit 0f5d1b5

1 file changed, +6 -5 lines changed

.github/workflows/build.yml

@@ -243,8 +243,6 @@ jobs:
243243
Expand-Archive -Path ".\dist\k6-$env:VERSION-windows-amd64.zip" -DestinationPath .\packaging\
244244
move .\packaging\k6-$env:VERSION-windows-amd64\k6.exe .\packaging\
245245
rmdir .\packaging\k6-$env:VERSION-windows-amd64\
246-
- name: Add signtool to PATH
247-
run: echo "${env:ProgramFiles(x86)}\Windows Kits\10\bin\10.0.17763.0\x64" | Out-File -FilePath $env:GITHUB_PATH -Append
248246
249247
- name: Create the MSI package
250248
run: |
@@ -255,7 +253,7 @@ jobs:
255253
light.exe -ext WixUIExtension k6.wixobj
256254
257255
- name: Sign Windows binary and .msi package
258-
# GH secrets are unavaileble when building from project forks, so this
256+
# GH secrets are unavailable when building from project forks, so this
259257
# will fail for external PRs, even if we wanted to do it. And we don't.
260258
# We are only going to sign packages that are built from master or a
261259
# version tag, or manually triggered dev builds, so we have enough
@@ -266,11 +264,14 @@ jobs:
266264
$bytes = [Convert]::FromBase64String("${{ secrets.WIN_SIGN_CERT }}")
267265
[IO.File]::WriteAllBytes("k6.pfx", $bytes)
268266
267+
# Get the latest signtool executable
268+
$SignTool = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe | Where-Object { $_.DirectoryName -like "*\x64" } | Sort-Object -Descending | Select-Object -First 1
269+
269270
# Sign the Windows binary
270-
signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.exe"
271+
& $SignTool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.exe"
271272
272273
# Sign the MSI package
273-
signtool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.msi"
274+
& $SignTool sign /f k6.pfx /p "${{ secrets.WIN_SIGN_PASS }}" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 "packaging\k6.msi"
274275
275276
# Cleanup signing artifacts
276277
del k6.pfx
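
Review bot: In the added `$SignTool = Get-ChildItem ... | Sort-Object -Descending | Select-Object -First 1` line, `Sort-Object` has no `-Property`, so the "latest" promised by the comment is not an explicit SDK version comparison and the pick depends on how the file objects happen to order. Please sort on an explicit key (for example the version directory name parsed as `[version]`, guarding against directories that are not version-named), and fail the step with a clear message when `$SignTool` is empty instead of letting `& $SignTool` error out. Since this binary is handed `k6.pfx` and the `/p` password, invoking `$SignTool.FullName` and writing the resolved path to the job log would also leave a record of which signtool.exe performed the signing.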
