Windows: Change to internal build script, changing the way we do code…

…-signing PiperOrigin-RevId: 636842687 Change-Id: Ib45450b9926b2924a2efdd914e1f3e7087cbc5b0
google · May 24, 2024 · f464766 · f464766
1 parent 927f492
commit f464766
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 23 deletions.
diff --git a/kokoro/msi/build.bat b/kokoro/msi/build.bat
@@ -35,6 +35,10 @@ unzip -q "%KOKORO_GFILE_DIR%\zulu16.28.11-ca-jdk16.0.0-win_x64.zip" ^
 unzip -q "%KOKORO_GFILE_DIR%\wix311-binaries.zip" ^
   -d "%BUILD_DIR%\wix" || exit /b
 
+:: Code-sign release artifacts
+if "%1" neq "release" ^
+  call :codesign "%KOKORO_GFILE_DIR%\*.exe" "%KOKORO_GFILE_DIR%\*.dll"
+
 :: Copy latest release artifacts.
 for %%I in (bindiff.exe ^
             bindiff_config_setup.exe ^
@@ -104,16 +108,20 @@ copy /Y ^
   "%BUILD_DIR%\Jre.wixobj" ^
   "%BUILD_DIR%\Setup.wixobj" || exit /b
 
-if "%1" neq "release" exit /b
-
 :: Release build, code sign the artifacts
-echo Code signing artifacts...
+if "%1" neq "release" call :codesign "%BUILD_DIR%\*.msi"
+
+exit /b
+
+
+:: Code-signs the specified artifacts and verifies them
+:: %* artifacts to sign
+:codesign
 
-set ARTIFACTS=^
-  "%BUILD_DIR%\*.msi"
+set ARTIFACTS=%*
 
-%SIGNTOOL% sign /v /tr http://timestamp.digicert.com /n "Google" /a /fd sha256 ^
-  /td sha256 %ARTIFACTS% || exit /b
+ksigntool sign GOOGLE_EXTERNAL /v /debug /t http://timestamp.digicert.com ^
+  %ARTIFACTS% || exit /b
 %SIGNTOOL% verify /pa /all %ARTIFACTS% || exit /b
 
 exit /b
diff --git a/kokoro/windows/build.bat b/kokoro/windows/build.bat
@@ -6,8 +6,6 @@ if "%1" == "release" (
 
 echo on
 
-set SIGNTOOL="%ProgramFiles(x86)%\Windows kits\10\bin\x86\signtool.exe"
-
 set BUILD_DIR=%cd%\build
 if not exist "%BUILD_DIR%" mkdir "%BUILD_DIR%"
 
@@ -43,17 +41,3 @@ cmake --build . --config Release || exit /b
 ctest --build-config Release --output-on-failure -R "^[A-Z]" || exit /b
 cmake --install . --config Release --strip || exit /b
 popd
-
-if "%1" neq "release" exit /b
-
-:: Release build, code sign the artifacts
-echo Code signing artifacts...
-
-set ARTIFACTS=^
-  "%OUT_DIR%\bindiff-prefix\bindiff.exe" ^
-  "%OUT_DIR%\bindiff-prefix\bindiff_config_setup.exe" ^
-  "%OUT_DIR%\bindiff-prefix\bindiff*.dll"
-
-%SIGNTOOL% sign /v /tr http://timestamp.digicert.com /n "Google" /a /fd sha256 ^
-  /td sha256 %ARTIFACTS% || exit /b
-%SIGNTOOL% verify /pa /all %ARTIFACTS% || exit /b