diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index c3cbca4e0..7432a9cc0 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -173,7 +173,8 @@ jobs:
 - name: Build Windows 10 signed app package
 if: matrix.type == 'signed-app' && env.CODESIGN == '1'
 run: |
- & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER -CertificateFile .\codesign.pfx -CertificatePassword $Env:CODESIGN_PFX_PASSWORD
+ $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_PFX_PASSWORD -Force -AsPlainText
+ & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER -CertificateFile .\codesign.pfx -CertificatePassword $CertPassword
 Move-Item .\dist\*.msix .\artifacts
 env:
 CODESIGN_PFX_PASSWORD: ${{ secrets.CODESIGN_PFX_PASSWORD }}
@@ -184,10 +185,10 @@ jobs:
 If ($Env:CODESIGN) {
 $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_PFX_PASSWORD -Force -AsPlainText
 $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
- & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
 } Else {
- & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER
+ $Certificate = $null
 }
+ & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
 Move-Item .\installer\*.exe .\artifacts
 dist\picard\fpcalc -version
 env:
@@ -198,14 +199,16 @@ jobs: If ($Env:CODESIGN) { $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_PFX_PASSWORD -Force -AsPlainText $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword - & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate - Remove-Item .\codesign.pfx } Else { - & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER + $Certificate = $null } + & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate Move-Item .\dist\*.exe .\artifacts env: CODESIGN_PFX_PASSWORD: ${{ secrets.CODESIGN_PFX_PASSWORD }} + - name: Cleanup + if: env.CODESIGN == '1' + run: Remove-Item .\codesign.pfx - name: Archive production artifacts uses: actions/upload-artifact@v1 if: matrix.type != 'signed-app' || env.CODESIGN == '1' diff --git a/scripts/package/win-package-appx.ps1 b/scripts/package/win-package-appx.ps1 index 17358a8e0..014badcdb 100644 --- a/scripts/package/win-package-appx.ps1 +++ b/scripts/package/win-package-appx.ps1 @@ -6,7 +6,7 @@ Param( [ValidateScript({Test-Path $_ -PathType Leaf})] [String] $CertificateFile, - [String] + [SecureString] $CertificatePassword, [Int] $BuildNumber @@ -21,8 +21,7 @@ If (-Not $BuildNumber) { } If (-Not $Certificate -And $CertificateFile) { - $CertPassword = ConvertTo-SecureString -String $CertificatePassword -Force -AsPlainText - $Certificate = Get-PfxCertificate -FilePath $CertificateFile -Password $CertPassword + $Certificate = Get-PfxCertificate -FilePath $CertificateFile -Password $CertificatePassword } $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent 
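Review bot: The new `Cleanup` step is skipped whenever an earlier step fails, because an `if:` without a status function implies `success()`, so a failed packaging or signing run leaves `codesign.pfx` in the workspace. That matters most if the job ever runs on a self-hosted or reused runner. Consider `if: always() && env.CODESIGN == '1'` together with `run: Remove-Item .\codesign.pfx -ErrorAction SilentlyContinue`, so the key file is removed on failure and a missing file does not fail the job. Separately, the `If ($Env:CODESIGN)` context lines in the installer and portable steps are true for any non-empty value while this step requires exactly `'1'`; using the same test in both places would rule out loading the PFX without cleaning it up.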
@@ -67,7 +66,7 @@ ThrowOnExeError "MakeAppx failed" # Sign package If ($CertificateFile) { - SignTool sign /fd SHA256 /f "$CertificateFile" /p "$CertificatePassword" $PackageFile + SignTool sign /fd SHA256 /f "$CertificateFile" /p (ConvertFrom-SecureString -AsPlainText "$CertificatePassword") $PackageFile ThrowOnExeError "SignTool failed" } ElseIf ($Certificate) { SignTool sign /fd SHA256 /sha1 $Certificate.Thumbprint $PackageFile
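Review bot: On the new `SignTool` line, quoting the argument as `"$CertificatePassword"` expands the SecureString to its type name before `ConvertFrom-SecureString` binds it, which I would expect to fail or produce the wrong value; pass the object unquoted, `/p (ConvertFrom-SecureString -AsPlainText $CertificatePassword)`. `-AsPlainText` on `ConvertFrom-SecureString` needs PowerShell 7, so a `#Requires -Version 7.0` at the top of the script would make that dependency explicit. The password also still reaches `SignTool` as a plaintext `/p` argument, visible in the process command line while signing runs, so the `SecureString` parameter protects it only up to this call. Importing the PFX into the user certificate store and signing through the existing `/sha1 $Certificate.Thumbprint` branch would keep it off the command line. The `ElseIf` branch continues past the end of the hunk.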