Use production signing only on demand (#21)

mlocati · Oct 2, 2024 · e96456e · e96456e
1 parent fca3627
commit e96456e
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 19 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,7 +14,16 @@ on:
       - .github/workflows/build.yml
       - build-exe/**
   workflow_dispatch:
-
+    inputs:
+      sign:
+        description: Sign binaries
+        type: choice
+        options:
+          - 'no'
+          - test
+          - production
+        default: test
+
 env:
   CLDR_VERSION: 45
   ICONV_VERSION: 1.17
@@ -24,7 +33,7 @@ env:
 
 jobs:
   exe:
-    name: Build executables ${{ matrix.link }} ${{ matrix.bits}} bits
+    name: Executables ${{ matrix.bits}}-bit ${{ matrix.link }}
     runs-on: windows-2022
     strategy:
       matrix:
@@ -53,15 +62,15 @@ jobs:
         id: restore-cache
         uses: actions/cache/restore@v4
         with:
-          key: ${{ matrix.link }}-${{ matrix.bits }}
+          key: build-exe-${{ matrix.link }}-${{ matrix.bits }}
           path: |
             src\downloads
             C:\cygwin-packages
       -
         name: Set variables
         id: vars
         shell: pwsh
-        run: ./build-exe/vars.ps1 -Bits ${{ matrix.bits }} -Link ${{ matrix.link }}
+        run: ./build-exe/vars.ps1 -Bits ${{ matrix.bits }} -Link ${{ matrix.link }} -Sign '${{ github.event.inputs.sign }}'
       -
         name: Download Cygwin installer
         shell: pwsh

diff --git a/build-exe/vars.ps1 b/build-exe/vars.ps1
@@ -6,7 +6,10 @@ param (
     [int] $Bits,
     [Parameter(Mandatory = $true)]
     [ValidateSet('shared', 'static')]
-    [string] $Link
+    [string] $Link,
+    [Parameter(Mandatory = $false)]
+    [ValidateSet('', 'no', 'test', 'production')]
+    [string] $Sign
 )
 
 if (-not($env:ICONV_VERSION)) {
@@ -53,22 +56,34 @@ switch ($Link) {
     }
 }
 
-# Leave empty to disable code signing
+if ($env:GITHUB_REPOSITORY -ne 'mlocati/gettext-iconv-windows') {
+    Write-Host -Object "Using -Sign no because the current repository ($($env:GITHUB_REPOSITORY)) is not the upstream one`n"
+    $Sign = 'no'
+} elseif ($env:GITHUB_EVENT_NAME -eq 'pull_request') {
+    Write-Host -Object "Using -Sign no because the current event is $($env:GITHUB_EVENT_NAME)`n"
+    $Sign = 'no'
+} elseif (-not($Sign)) {
+    Write-Host -Object "Using -Sign test`n"
+    $Sign = 'test'
+}
 $signpathSigningPolicy = ''
 $signaturesCanBeInvalid = 0
-if ($env:GITHUB_REPOSITORY -ne 'mlocati/gettext-iconv-windows') {
-    Write-Host -Object "Signing is disabled because the current repository ($($env:GITHUB_REPOSITORY)) is not the upstream one`n"
-} else {
-    switch ($env:GITHUB_EVENT_NAME) {
-        'pull_request' {
-            Write-Host -Object "Using the Test signing policy because the current event is $($env:GITHUB_EVENT_NAME)`n"
-            $signpathSigningPolicy = 'test-signing'
-            $signaturesCanBeInvalid = 1
-        }
-        default {
-            Write-Host -Object "Using the Release signing policy because the current event is $($env:GITHUB_EVENT_NAME)`n"
-            $signpathSigningPolicy = 'release-signing'
-        }
+switch ($Sign) {
+    'no' {
+        Write-Host "Signing is disabled`n"
+    }
+    'test' {
+        $signpathSigningPolicy = 'test-signing'
+        $signaturesCanBeInvalid = 1
+        Write-Host "SignPath signing policy: $signpathSigningPolicy (self-signed certificate)`n"
+    }
+    'production' {
+        $signpathSigningPolicy = 'release-signing'
+        $signaturesCanBeInvalid = 1
+        Write-Host "SignPath signing policy: $signpathSigningPolicy (production certificate)`n"
+    }
+    default {
+        throw "Invalid value of the -Sign argument ($Sign)"
     }
 }