Use code signing for release files (#244)

* Use code signing for release files * Use matrix strategy * Fix incorrect directory structure * Fix missing command option * Fix invalid file checksum * Fix missing imports * Add code signing policy * Update sponsor * Remove SHA256 checksum * Test release process * Switch to release policy
2025-10-20 16:03:47 +08:00 · 2025-06-30 15:08:21 +08:00
parent b82b9691d6
commit a443bf41ba
6 changed files with 213 additions and 23 deletions
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@ -8,8 +8,9 @@ jobs:
  build:
    name: Build
    runs-on: windows-latest
-    outputs:
-      version: ${{ steps.build.outputs.version }}
+    strategy:
+      matrix:
+        architecture: [x64, x86]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@ -20,22 +21,138 @@ jobs:
          go-version: '1.23'

      - name: Setup VS environment
-        shell: cmd
+        shell: powershell
        run: |
-          for /f "usebackq delims=" %%i in (`vswhere.exe -latest -property installationPath`) do echo %%i\VC\Auxiliary\Build>>%GITHUB_PATH%
+          echo "$(vswhere.exe -latest -property installationPath)\VC\Auxiliary\Build" >> $env:GITHUB_PATH
+          @"
+          @echo off
+          setlocal enabledelayedexpansion
+          set SRC_DIR=%~1
+          :safe_copy
+          shift
+          if "%~1"=="" exit /b 0
+          if "%~2"=="" exit /b 1
+          set SRC_FILE=%SRC_DIR%\%~1
+          set DST_FILE=%~2\%~1
+          if not "%~x1" == ".msi" (
+          set SRC_FILE_UNSIGNED=!SRC_FILE!.unsigned
+          copy /Y "!SRC_FILE!" "!SRC_FILE_UNSIGNED!"
+          "%SIGNTOOL%" remove /s "!SRC_FILE_UNSIGNED!" || exit /b 1
+          call :pe_compare "!SRC_FILE_UNSIGNED!" "!DST_FILE!" || (
+          echo File checksum mismatch: !SRC_FILE!
+          exit /b 1))
+          copy /Y "!SRC_FILE!" "!DST_FILE!"
+          shift
+          goto :safe_copy
+          :pe_compare
+          python -c "import os;import sys;from ctypes import *;header_sum,checksum1,checksum2=c_ulong(0),c_ulong(0),c_ulong(0);src_size,dst_size=os.path.getsize(sys.argv[1]),os.path.getsize(sys.argv[2]);f=open(sys.argv[1],'r+');f.seek(dst_size,os.SEEK_SET);f.truncate();f.close();assert windll.imagehlp.MapFileAndCheckSumW(sys.argv[1],byref(header_sum),byref(checksum1))==0;assert windll.imagehlp.MapFileAndCheckSumW(sys.argv[2],byref(header_sum),byref(checksum2))==0;assert checksum1.value==checksum2.value" %1 %2
+          goto :eof
+          "@ | Out-File -Encoding ascii -FilePath safe_copy.bat

-      - name: Build
-        id: build
+      - name: Build main application
        shell: cmd
-        run: |
-          for /f "tokens=3" %%a in ('findstr /r "Number.*=.*[0-9.]*" .\pkg\version\version.go') do set VERSION=%%a
-          echo version=%VERSION:"=%>>%GITHUB_OUTPUT%
-          build.bat
+        run: build.bat -p ${{ matrix.architecture }}

-      - name: Upload assets
+      - name: Get version info
+        shell: powershell
+        run: |
+          $version = $((Get-Item .\bin\${{ matrix.architecture }}\frpmgr.exe).VersionInfo.ProductVersion)
+          echo "VERSION=$version" >> $env:GITHUB_ENV
+          $signtool = $(cmd /C "vcvarsall ${{ matrix.architecture }} && where signtool" | Select-Object -Last 1)
+          echo "SIGNTOOL=$signtool" >> $env:GITHUB_ENV
+
+      - name: Build custom actions
+        shell: cmd
+        run: installer\build.bat %VERSION% ${{ matrix.architecture }} actions
+
+      - name: Prepare to upload files
+        shell: cmd
+        run: copy /Y installer\build\${{ matrix.architecture }}\actions.dll bin\${{ matrix.architecture }}
+
+      - name: Upload unsigned application
+        id: upload-unsigned-application
        uses: actions/upload-artifact@v4
        with:
-          name: assets
+          name: frpmgr-${{ env.VERSION }}-main-${{ matrix.architecture }}-unsigned
+          path: |
+            bin/${{ matrix.architecture }}/frpmgr.exe
+            bin/${{ matrix.architecture }}/actions.dll
+
+      - name: Sign
+        uses: signpath/github-action-submit-signing-request@v1.2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'frpmgr'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ steps.upload-unsigned-application.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'dist'
+
+      - name: Verify and copy signed files
+        shell: cmd
+        run: safe_copy dist frpmgr.exe bin\${{ matrix.architecture }} actions.dll installer\build\${{ matrix.architecture }}
+
+      - name: Build MSI installer
+        shell: cmd
+        run: installer\build.bat %VERSION% ${{ matrix.architecture }} msi
+
+      - name: Upload unsigned installer
+        id: upload-unsigned-installer
+        uses: actions/upload-artifact@v4
+        with:
+          name: frpmgr-${{ env.VERSION }}-installer-${{ matrix.architecture }}-unsigned
+          path: installer/build/${{ matrix.architecture }}/frpmgr.msi
+
+      - name: Sign
+        uses: signpath/github-action-submit-signing-request@v1.2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'frpmgr'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ steps.upload-unsigned-installer.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'dist'
+
+      - name: Verify and copy signed files
+        shell: cmd
+        run: safe_copy dist frpmgr.msi installer\build\${{ matrix.architecture }}
+
+      - name: Build EXE bootstrapper
+        shell: cmd
+        run: installer\build.bat %VERSION% ${{ matrix.architecture }} setup
+
+      - name: Upload unsigned bootstrapper
+        id: upload-unsigned-bootstrapper
+        uses: actions/upload-artifact@v4
+        with:
+          name: frpmgr-${{ env.VERSION }}-setup-${{ matrix.architecture }}-unsigned
+          path: installer/build/${{ matrix.architecture }}/setup.exe
+
+      - name: Sign
+        uses: signpath/github-action-submit-signing-request@v1.2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'frpmgr'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ steps.upload-unsigned-bootstrapper.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'dist'
+
+      - name: Verify and copy signed files
+        shell: cmd
+        run: safe_copy dist setup.exe installer\build\${{ matrix.architecture }}
+
+      - name: Create release files
+        shell: cmd
+        run: installer\build.bat %VERSION% ${{ matrix.architecture }} dist
+
+      - name: Upload release files
+        uses: actions/upload-artifact@v4
+        with:
+          name: frpmgr-${{ env.VERSION }}-dist-${{ matrix.architecture }}
          path: |
            bin/*.exe
            bin/*.zip
@ -45,13 +162,16 @@ jobs:
    needs: build
    runs-on: ubuntu-latest
    steps:
+      - name: Get version info
+        run: |
+          tag_name="${{ github.event.release.tag_name }}"
+          echo "VERSION=${tag_name#v}" >> $GITHUB_ENV
+
      - name: Collect files
        uses: actions/download-artifact@v4
        with:
-          name: assets
-
-      - name: Calculate SHA256 checksum
-        run: sha256sum *.exe *.zip > frpmgr-${{ needs.build.outputs.version }}-sha256-checksums.txt
+          pattern: frpmgr-${{ env.VERSION }}-dist-*
+          merge-multiple: true

      - name: Upload release assets
        uses: shogo82148/actions-upload-release-asset@v1
@ -62,4 +182,3 @@ jobs:
          asset_path: |
            ./*.exe
            ./*.zip
-            ./*.txt
--- a/README.md
+++ b/README.md
@ -76,6 +76,36 @@ After that, the application can be run directly:
 go run ./cmd/frpmgr
 ```

+## Sponsors
+
+> We are really thankful for all of our users, contributors, and sponsors that has been keeping this project alive and well. We are also giving our gratitude for these company/organization for providing their service for us.
+
+1. SignPath Foundation for providing us free code signing!
+<p align=center>
+	<a href="https://about.signpath.io/">
+ 		<img src="./docs/sponsor_signpath.png" alt="SignPath Logo" height=50 />
+	</a>
+</p>
+
+## Code Signing Policy
+
+Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/).
+
+Team roles:
+
+- Committers and reviewers: [Members team](https://github.com/koho/frpmgr/graphs/contributors)
+- Approvers: [Owners](https://github.com/koho)
+
+Read our full [Privacy Policy](#privacy-policy).
+
+## Privacy Policy
+
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it.
+
+FRP Manager has integrated the following services for additional functions, which can be enabled or disabled at any time in the settings:
+
+- [api.github.com](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) (Check for program updates)
+
 ## Donation

 If this project is useful to you, consider supporting its development in one of the following ways:
--- a/README_zh.md
+++ b/README_zh.md
@ -76,6 +76,36 @@ go generate
 go run ./cmd/frpmgr
 ```

+## 赞助商
+
+> 我们非常感谢所有为项目发展而努力的用户、贡献者和赞助者。同时也感谢这些公司/组织为我们提供服务。
+
+1. SignPath Foundation 为我们提供免费的代码签名！
+<p align=center>
+	<a href="https://about.signpath.io/">
+ 		<img src="./docs/sponsor_signpath.png" alt="SignPath Logo" height=50 />
+	</a>
+</p>
+
+## 代码签名政策
+
+免费代码签名由 [SignPath.io](https://about.signpath.io/) 提供，证书由 [SignPath Foundation](https://signpath.org/) 提供。
+
+团队角色：
+
+- 提交者和审阅者：[团队成员](https://github.com/koho/frpmgr/graphs/contributors)
+- 审批者：[所有者](https://github.com/koho)
+
+请阅读我们的完整[隐私政策](#隐私政策)。
+
+## 隐私政策
+
+除非得到用户、安装或操作人员的许可，否则该程序不会将任何信息传输到其他联网系统。
+
+FRP 管理器集成了以下服务以实现附加功能，您可以随时在设置中启用或禁用这些服务：
+
+- [api.github.com](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement)（检查程序更新）
+
 ## 捐助

 如果本项目对您有帮助，请考虑通过以下方式支持其开发：
--- a/build.bat
+++ b/build.bat
@ -1,8 +1,18 @@
@echo off
 setlocal enabledelayedexpansion
+set GOARCH_x64=amd64
+set GOARCH_x86=386
 set BUILDDIR=%~dp0
 cd /d %BUILDDIR% || exit /b 1

+if "%~1" == "-p" (
+	set TARGET=%~2
+) else (
+	set TARGET=%~1
+)
+
+if "%TARGET%" == "" set TARGET=x64 x86
+
 :packages
 	echo [+] Downloading packages
 	go mod tidy || goto :error
@ -17,17 +27,18 @@ cd /d %BUILDDIR% || exit /b 1
 	set MOD=github.com/koho/frpmgr
 	set GO111MODULE=on
 	set CGO_ENABLED=0
-	for %%a in (amd64 386) do (
-		set GOARCH=%%a
-		go build -trimpath -ldflags="-H windowsgui -s -w -X %MOD%/pkg/version.BuildDate=%BUILD_DATE%" -o bin\x!GOARCH:~-2!\frpmgr.exe .\cmd\frpmgr || goto :error
+	for %%a in (%TARGET%) do (
+		set GOARCH=!GOARCH_%%a!
+		go build -trimpath -ldflags="-H windowsgui -s -w -X %MOD%/pkg/version.BuildDate=%BUILD_DATE%" -o bin\%%a\frpmgr.exe .\cmd\frpmgr || goto :error
 	)

 if "%~1" == "-p" goto :success

 :installer
 	echo [+] Building installer
-	call installer\build.bat %VERSION% x64 || goto :error
-	call installer\build.bat %VERSION% x86 || goto :error
+	for %%a in (%TARGET%) do (
+		call installer\build.bat %VERSION% %%a || goto :error
+	)

 :success
 	echo [+] Success
--- a/docs/sponsor_signpath.png
+++ b/docs/sponsor_signpath.png
--- a/installer/build.bat
+++ b/installer/build.bat
@ -58,7 +58,7 @@ if not defined WIX (
 	goto :eof

 :build_setup
-	rc /DFILENAME=%SETUP_FILENAME% /DVERSION_ARRAY=%VERSION:.=,% /DVERSION_STR=%VERSION% /DMSI_FILE=%MSI_FILE:\=\\% /fo %PLAT_DIR%\rsrc.res setup\resource.rc || goto :error
+	rc /DFILENAME=%SETUP_FILENAME% /DVERSION_ARRAY=%VERSION:.=,% /DVERSION_STR=%VERSION% /DMSI_FILE=%MSI_FILE:\=\\% /Fo %PLAT_DIR%\rsrc.res setup\resource.rc || goto :error
 	cl /Fe%PLAT_DIR%\setup.exe /Fo%PLAT_DIR%\setup.obj /utf-8 setup\setup.c /link /subsystem:windows %PLAT_DIR%\rsrc.res shlwapi.lib msi.lib user32.lib advapi32.lib || goto :error
 	goto :eof