GHA

BrowserWorks · Aug 23, 2023 · 1a91f8f · 1a91f8f
1 parent 471bf02
commit 1a91f8f
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -353,7 +353,7 @@ jobs:
 
           chmod +x ./sign/sign.sh
 
-          ./sign/sign.sh -k "$PWD"/sign/1 -p ${{ secrets.ONE_PEM }} -c "$PWD"/sign/2 -i "$PWD"/obj-${{ env.ARCH }}/dist/waterfox
+          ./sign/sign.sh -k "$PWD"/sign/1 -p ${{ secrets.ONE_PEM }} -c "$PWD"/sign/2 -i "$PWD"/obj-${{ env.ARCH }}/dist/waterfox -t windows
 
           rm -rf ./sign/
 
@@ -771,7 +771,14 @@ jobs:
       - name: ✍️ Sign .app(s)
         run: |
           sudo chmod -R 755 ./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app
-          xattr -cr ./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app
+          sudo xattr -dr com.apple.quarantine ./obj-${{ matrix.arch }}/dist/waterfox/Waterfox.app
+          sudo spctl --add ./obj-${{ matrix.arch }}/dist/waterfox/Waterfox.app
+          echo "${{ secrets.SIGN_BASE64 }}" | base64 --decode > sign.zip
+          unzip -q sign.zip
+          rm sign.zip
+          chmod +x ./sign/sign.sh
+          ./sign/sign.sh -k "$PWD"/sign/1 -p ${{ secrets.ONE_PEM }} -c "$PWD"/sign/2 -i "$PWD"/obj-${{ env.ARCH }}/dist/waterfox/Waterfox.app -t macos
+          rm -rf ./sign/
           python3 ./security/mac/hardenedruntime/codesign.py -v -m ./security/mac/hardenedruntime/codesign-map.json -r ./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app -d ./security/mac/hardenedruntime -s '${{ secrets.MACOS_CERTIFICATE_NAME }}'
           echo "Creating temp notarization archive"
           ditto -c -k --keepParent "./obj-${{ env.ARCH-X64 }}/dist/waterfox/Waterfox.app" "notarization.zip"
@@ -964,7 +971,13 @@ jobs:
           if [ -d "$PWD"/waterfox/browser/locales/en-GB ]; then
             ./mach package-multi-locale --locales ar cs da de el en-GB en-US es-ES es-MX fr hu id it ja ko lt nl nn-NO pl pt-BR pt-PT ru sv-SE th vi zh-CN zh-TW
           fi
-          mv obj-${{ env.ARCH }}/dist/waterfox-${{ env.VERSION_DISPLAY }}.en-US.linux-x86_64.tar.bz2 .
+          echo "${{ secrets.SIGN_BASE64 }}" | base64 --decode > sign.zip
+          unzip -q sign.zip
+          rm sign.zip
+          chmod +x ./sign/sign.sh
+          ./sign/sign.sh -k "$PWD"/sign/1 -p ${{ secrets.ONE_PEM }} -c "$PWD"/sign/2 -i "$PWD"/obj-${{ env.ARCH }}/dist/waterfox -t linux
+          rm -rf ./sign/
+          $(TAR) -c --owner=0 --group=0 --numeric-owner --mode=go-w --exclude=.mkdir.done -f "$PWD"/obj-${{ env.ARCH }}/dist/waterfox | bzip2 -vf > waterfox-${{ env.VERSION_DISPLAY }}.en-US.linux-x86_64.tar.bz2
           shasum -a 512 waterfox-${{ env.VERSION_DISPLAY }}.en-US.linux-x86_64.tar.bz2 > waterfox-${{ env.VERSION_DISPLAY }}.en-US.linux-x86_64.tar.bz2.sha512
       - name: "\U0001F4E6 Package MAR"
         if: ${{ inputs.TRIGGER_EVENT == 'workflow_dispatch' }}