Pass secret along in order to be able to sign the uninstaller.

The uninstaller is generated during the packaging, so we can't really sign it in the workflow like we do with the others (without a cumbersome workaround). Fortunately, there is a built-in command that sort-of handles this -- but we do need to make an argument to pass the secret along we use for the signing. part of CURA-12129
Ultimaker · Oct 1, 2024 · a5a1e88 · a5a1e88
1 parent 5bb56a3
commit a5a1e88
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/packaging/NSIS/Ultimaker-Cura.nsi.jinja b/packaging/NSIS/Ultimaker-Cura.nsi.jinja
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 UltiMaker B.V.
+# Copyright (c) 2024 UltiMaker
 # Cura's build system is released under the terms of the AGPLv3 or higher.
 
 !define APP_NAME "{{ app_name }}"
@@ -15,6 +15,7 @@
 !define REG_ROOT "HKLM"
 !define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${APP_NAME}-${VERSION}"
 !define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}-${VERSION}"
+!define SIGN_SECRET "{{ sign_secret }}"
 
 !define REG_START_MENU "Start Menu Folder"
 
@@ -214,3 +215,7 @@ DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
 SectionEnd
 
+!ifdef SIGN_SECRET
+!uninstfinalize 'signtool sign /v /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f C:\actions-runner\code_sign.cer /csp "eToken Base Cryptographic Provider" /kc ${SIGN_SECRET} "%1"' = 0
+; %1 is replaced by the uninstaller exe to be signed.
+!endif
diff --git a/packaging/NSIS/create_windows_installer.py b/packaging/NSIS/create_windows_installer.py
@@ -14,7 +14,7 @@
 from jinja2 import Template
 
 
-def generate_nsi(source_path: str, dist_path: str, filename: str):
+def generate_nsi(source_path: str, dist_path: str, filename: str, sign_secret: str):
     dist_loc = Path(os.getcwd(), dist_path)
     source_loc = Path(os.getcwd(), source_path)
     instdir = Path("$INSTDIR")
@@ -57,7 +57,8 @@ def generate_nsi(source_path: str, dist_path: str, filename: str):
         cura_icon = str(source_loc.joinpath("packaging", "icons", "Cura.ico")),
         mapped_out_paths = mapped_out_paths,
         rmdir_paths = rmdir_paths,
-        destination = filename
+        destination = filename,
+        sign_secret = sign_secret,
     )
 
     with open(dist_loc.joinpath("UltiMaker-Cura.nsi"), "w") as f:
@@ -77,6 +78,7 @@ def build(dist_path: str):
     parser.add_argument("source_path", type=str, help="Path to Conan install Cura folder.")
     parser.add_argument("dist_path", type=str, help="Path to Pyinstaller dist folder")
     parser.add_argument("filename", type = str, help = "Filename of the exe (e.g. 'UltiMaker-Cura-5.1.0-beta-Windows-X64.exe')")
+    parser.add_argument("sign_secret", type = str, help = "Supply secret for signing (the uninstaller, as the rest is already signed before).")
     args = parser.parse_args()
-    generate_nsi(args.source_path, args.dist_path, args.filename)
+    generate_nsi(args.source_path, args.dist_path, args.filename, args.sign_secret)
     build(args.dist_path)