Revert "ci: integrate signpath"

This reverts commit c0337189565611b0bb8ce2d71fc45a9f07c1984e.

Revert until the SignPath GitHub app does not require admin
permissions.

diff --git a/.github/workflows/guix.yml b/.github/workflows/guix.yml
index 7010c4c0bc801069bd893c03d831faa976c5cdf4..8f06f96ad5a1f6bcafa474d3d058a4852bc7dc8b 100644 (file)
--- a/.github/workflows/guix.yml
+++ b/.github/workflows/guix.yml
@@ -36,9 +36,7 @@ jobs:
           - target: "x86_64-w64-mingw32.installer"
           - target: "x86_64-apple-darwin"
           - target: "arm64-apple-darwin"
-    outputs:
-      WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}
-      WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}
+
     name: ${{ matrix.toolchain.target }}
     steps:
       - uses: actions/checkout@v4
@@ -57,7 +55,7 @@ jobs:
           path: contrib/depends/sources
           key: sources-${{ hashFiles('contrib/depends/packages/*') }}
       - name: install dependencies
-        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode
+        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils
       - name: fix apparmor
         run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed"
       - name: purge apparmor
@@ -74,18 +72,11 @@ jobs:
           files: |
             guix/guix-build-*/build/distsrc-*/build/bin/feather.exe
       - uses: actions/upload-artifact@v4
-        id: upload-artifact
         with:
           name: ${{ matrix.toolchain.target }}
           path: |
             guix/guix-build-*/output/${{ matrix.toolchain.target }}/*
             guix/guix-build-*/logs/${{ matrix.toolchain.target }}/*
-      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}
-        id: win-installer
-        run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
-      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}
-        id: win-executable
-        run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
 
   bundle-logs:
     runs-on: ubuntu-24.04
@@ -109,45 +100,3 @@ jobs:
           artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz"
           draft: true
           name: v${{github.ref_name}}
-
-  codesigning:
-    runs-on: ubuntu-24.04
-    needs: [build-guix, bundle-logs]
-    if: startsWith(github.ref, 'refs/tags/')
-    strategy:
-      fail-fast: false
-      matrix:
-        toolchain:
-          - target: "x86_64-w64-mingw32"
-          - target: "x86_64-w64-mingw32.installer"
-    steps:
-      - name: install dependencies
-        run: sudo apt update; sudo apt -y install osslsigncode
-      - name: "set artifact id"
-        run: |
-          if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then
-            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV
-            echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV
-          elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then
-            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV
-            echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV
-          fi
-      - uses: signpath/github-action-submit-signing-request@v1
-        name: "request signature"
-        with:
-          api-token: '${{ secrets.SIGNPATH_API_KEY }}'
-          organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'
-          project-slug: 'feather'
-          signing-policy-slug: 'release-signing'
-          artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}
-          github-artifact-id: ${{ env.ARTIFACT_ID }}
-          wait-for-completion: true
-          output-artifact-directory: codesigning/
-      - name: "extract signature"
-        run: osslsigncode extract-signature -in codesigning/guix-build-*/output/${{ matrix.toolchain.target }}/*-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
-      - uses: actions/upload-artifact@v4
-        name: "upload signature"
-        with:
-          name: ${{ matrix.toolchain.target }}.pem
-          path: |
-            codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem

diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 821f41f5dfae54e60bef4b0caa2e5e7d2768812e..6190d8cfe62a4f198fcd72433cf7d4bce2b1f614 100755 (executable)
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -415,9 +415,25 @@ mkdir -p "$DISTSRC"
         # for release
         case "$HOST" in
             *mingw*)
-                if [ -z "$OPTIONS" ]; then
-                    mv feather.exe "${OUTDIR}/${DISTNAME}-unsigned.exe"
-                fi
+                case "$OPTIONS" in
+                    installer)
+                        find . -print0 \
+                            | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+                        find . \
+                            | sort \
+                            | zip -X@ "${OUTDIR}/${DISTNAME}-win-installer.zip" \
+                            || ( rm -f "${OUTDIR}/${DISTNAME}-win-installer.zip" && exit 1 )
+                        ;;
+                    "")
+                        mv feather.exe ${DISTNAME}.exe && \
+                        find . -print0 \
+                            | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+                        find . \
+                            | sort \
+                            | zip -X@ "${OUTDIR}/${DISTNAME}-win.zip" \
+                            || ( rm -f "${OUTDIR}/${DISTNAME}-win.zip" && exit 1 )
+                        ;;
+                esac
                 ;;
             *linux*)
                 if [ "$OPTIONS" != "pack" ]; then

diff --git a/contrib/installers/windows/setup.nsi.in b/contrib/installers/windows/setup.nsi.in
index 0e0d5eb3334b11d9e724927b515d2432c30d4c43..323c25f3ff254bcdc49764da29e9cb9eba076e6c 100644 (file)
--- a/contrib/installers/windows/setup.nsi.in
+++ b/contrib/installers/windows/setup.nsi.in
@@ -1,6 +1,6 @@
 Name "Feather Wallet"
 
-OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup-@PROJECT_VERSION@-unsigned.exe"
+OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup-@PROJECT_VERSION@.exe"
 RequestExecutionLevel highest
 SetCompressor /SOLID lzma
 SetDateSave off