build/windows: Renew pseudo-gimp*.pfx certificate and document it

This commit is contained in:
Bruno 2024-12-20 11:04:47 -03:00
parent 12db54cded
commit dd4b687d36
No known key found for this signature in database
4 changed files with 24 additions and 4 deletions


@ -353,8 +353,13 @@ if (-not $GITLAB_CI -and $wack -eq 'WACK')
if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
{
Write-Output "$([char]27)[0Ksection_start:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}[collapsed=true]$([char]13)$([char]27)[0KSelf-signing $MSIX_ARTIFACT (for testing purposes)"
signtool sign /debug /fd sha256 /a /f build\windows\store\pseudo-gimp.pfx /p eek $MSIX_ARTIFACT
Copy-Item build\windows\store\pseudo-gimp.pfx .\ -Recurse
signtool sign /debug /fd sha256 /a /f $(Resolve-Path build\windows\store\pseudo-gimp*.pfx) /p eek $MSIX_ARTIFACT
if ("$LASTEXITCODE" -gt '0' -or "$?" -eq 'False')
{
## We need to manually check failures in pre-7.4 PS
exit 1
}
Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx -Recurse
Write-Output "$([char]27)[0Ksection_end:$(Get-Date -UFormat %s -Millisecond 0):msix_sign${msix_arch}$([char]13)$([char]27)[0K"
}
@ -367,7 +372,7 @@ if ($GITLAB_CI)
Move-Item $MSIX_ARTIFACT $output_dir
if ($CI_COMMIT_TAG -notmatch 'GIMP_[0-9]*_[0-9]*_[0-9]*' -and $GIMP_CI_MS_STORE -notlike 'MSIXUPLOAD*' -and $MSIX_ARTIFACT -notlike "*msixupload")
{
Get-ChildItem pseudo-gimp.pfx | Move-Item -Destination $output_dir
Copy-Item pseudo-gimp.pfx $output_dir
}
# Generate checksums in common "sha*sum" format
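Review bot: `Resolve-Path build\windows\store\pseudo-gimp*.pfx` on the new signtool line returns every match, so if a renewed certificate is ever committed next to the previous year's file (the README text added in this commit says to generate a new one and commit it, but not to remove the old), `/f` receives two paths and signing fails; the `Copy-Item build\windows\store\pseudo-gimp*.pfx pseudo-gimp.pfx` line further down has the same ambiguity. Resolving once and checking the count makes that failure explicit: `$pfx = @(Resolve-Path build\windows\store\pseudo-gimp*.pfx)`, `if ($pfx.Count -ne 1) { Write-Output "Expected one pseudo-gimp*.pfx, found $($pfx.Count)"; exit 1 }`, then `/f $pfx[0]` in the signtool call and `Copy-Item $pfx[0] pseudo-gimp.pfx`. The failure test `"$LASTEXITCODE" -gt '0'` compares strings rather than integers; `$LASTEXITCODE -ne 0` is the usual form and does not depend on the textual ordering of the exit code. A short comment above the signtool line, e.g. `# This .pfx and its password are checked into the repo, so the signature only serves local install testing`, would spell out what the section's "(for testing purposes)" label implies for anyone reusing the signed artifact.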


@ -20,10 +20,25 @@ Base rule to update the "GIMP (Preview)" entry:
Only 'Packages' and 'Store listings' sections are needed. On 'Packages' you will
add the generated .msixupload and on 'Store listings' the brief changelog.
If the .msix* starts to be refused to certification or to signing,
If the .msix* starts to be refused to certification or to self-signing,
run `build\windows\store\3_dist-gimp-winsdk.ps1 WACK` locally to see if it
still complies with the latest Windows policies. Make sure to update WinSDK.
If the .msix* starts to be refused to self-signing due to the .pfx file, then
generate a new one with the commands below and commit it to this dir.
```pwsh
$pseudo_gimp = "pseudo-gimp_$(Get-Date -Format yyyy)"
```
```pwsh
New-SelfSignedCertificate -Type Custom -Subject "$(([xml](Get-Content build\windows\store\AppxManifest.xml)).Package.Identity.Publisher)" -KeyUsage DigitalSignature -FriendlyName "$pseudo_gimp" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
```
```pwsh
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$(Get-ChildItem Cert:\CurrentUser\My | Where-Object FriendlyName -EQ "$pseudo_gimp" | Select-Object -ExpandProperty Thumbprint)" -FilePath "${pseudo_gimp}.pfx" -Password (ConvertTo-SecureString -String eek -Force -AsPlainText)
```
## Versioning the MSIX
* Every new .msixupload submission (with different content) needs a bumped version.

Binary file not shown.

Binary file not shown.