From 1b2a7269ad33845e92f3728a30f7f16064933192 Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Thu, 5 Oct 2023 12:36:56 +0900 Subject: [PATCH] =?UTF-8?q?[release-0.14]=20=E3=82=B3=E3=83=BC=E3=83=89?= =?UTF-8?q?=E7=BD=B2=E5=90=8D=E3=82=92eSignerCKA=E3=81=AB=20(#755)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 5 ++-- build_util/codesign.bash | 58 ++++++++++++++++++++++++++++--------- poetry.lock | 18 ++++++------ pyproject.toml | 2 +- requirements-dev.txt | 2 +- requirements-license.txt | 2 +- requirements-test.txt | 2 +- requirements.txt | 2 +- 8 files changed, 61 insertions(+), 30 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eabc386ff..5a12f4b72 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -540,8 +540,9 @@ jobs: run: | bash build_util/codesign.bash "dist/run/run.exe" env: - CERT_BASE64: ${{ secrets.CERT_BASE64 }} - CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} + ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }} + ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }} + ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }} - name: Upload artifact uses: actions/upload-artifact@v3 diff --git a/build_util/codesign.bash b/build_util/codesign.bash index f8f79f99c..5c80cf55f 100644 --- a/build_util/codesign.bash +++ b/build_util/codesign.bash @@ -1,13 +1,20 @@ +#!/usr/bin/env bash # !!! コードサイニング証明書を取り扱うので取り扱い注意 !!! +# eSignerCKAを使ってコード署名する + set -eu -if [ ! -v CERT_BASE64 ]; then - echo "CERT_BASE64が未定義です" +if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名 + echo "ESIGNERCKA_USERNAMEが未定義です" + exit 1 +fi +if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード + echo "ESIGNERCKA_PASSWORDが未定義です" exit 1 fi -if [ ! -v CERT_PASSWORD ]; then - echo "CERT_PASSWORDが未定義です" +if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret + echo "ESIGNERCKA_TOTP_SECRETが未定義です" exit 1 fi 
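Review bot: The `env:` block of the signing step now carries `ESIGNERCKA_TOTP_SECRET` next to the username and password, so the second factor sits in the same secret store as the first and all three are readable by anything that runs in this step. Keeping them at step scope, as the hunk does, is the right placement. A comment above `env:` such as `# eSignerCKA credentials: keep step-scoped, never move to job- or workflow-level env` would stop a later refactor from widening it. The step's trigger condition lies outside the hunk, so whether it is limited to trusted refs cannot be confirmed from here.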
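Review bot: The three `[ ! -v … ]` guards in build_util/codesign.bash only test whether the variable is set, and a GitHub Actions secret that is missing expands to an empty string, so the script would proceed with empty credentials rather than stop here. Testing for emptiness closes that gap, for example `if [ -z "${ESIGNERCKA_USERNAME:-}" ]; then`, repeated for `ESIGNERCKA_PASSWORD` and `ESIGNERCKA_TOTP_SECRET`. The messages could also go to stderr with `>&2` so they are not mixed into captured output.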
@@ -17,33 +24,56 @@ if [ $# -ne 1 ]; then fi target_file_glob="$1" -# 証明書 -CERT_PATH=cert.pfx -echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH +# eSignerCKAのセットアップ +INSTALL_DIR='..\eSignerCKA' +if [ ! -d "$INSTALL_DIR" ]; then + curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip" + unzip -o SSL.COM-eSigner-CKA_1.0.6.zip + mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe + powershell " + & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null + & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r + & '$INSTALL_DIR\eSignerCKATool.exe' unload + " + rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe +fi + +# 証明書を読み込む +powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load" + +# shellcheck disable=SC2016 +THUMBPRINT=$( + powershell ' + $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 + echo "$($CodeSigningCert.Thumbprint)" + ' +) # 指定ファイルに署名する function codesign() { TARGET="$1" - SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) - powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'" + # shellcheck disable=SC2012 + SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない + powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'" } # 指定ファイルが署名されているか function is_signed() { TARGET="$1" SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) - powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1 + powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 
2>&1 || return 1 } # 署名されていなければ署名 -ls $target_file_glob | while read target_file; do +# shellcheck disable=SC2012,SC2086 +ls $target_file_glob | while read -r target_file; do if is_signed "$target_file"; then echo "署名済み: $target_file" else - echo "署名: $target_file" + echo "署名開始: $target_file" codesign "$target_file" fi done -# 証明書を消去 -rm $CERT_PATH +# 証明書を破棄 +powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload" diff --git a/poetry.lock b/poetry.lock index e1df2115e..d824a1952 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1620,8 +1620,8 @@ files = [ [[package]] name = "pyopenjtalk" -version = "0.2.0+f4ade29" -description = "A python wrapper for OpenJTalk" +version = "0.3.2" +description = "" category = "main" optional = false python-versions = "*" @@ -1629,21 +1629,21 @@ files = [] develop = false [package.dependencies] -cython = ">=0.21.0" -numpy = ">=1.8.0" +numpy = ">=1.20.0" six = "*" tqdm = "*" [package.extras] +dev = ["black (>=19.19b0,<=20.8)", "click (<8.1.0)", "flake8 (>=3.7,<4)", "flake8-bugbear", "importlib-metadata (<5.0)", "isort (>=4.3,<5.2.0)", "mypy (<=0.910)", "pysen", "types-decorator", "types-setuptools"] docs = ["Jinja2 (>=3.0.1)", "ipython", "jupyter", "nbsphinx (>=0.8.6)", "pandoc", "sphinx_rtd_theme"] -lint = ["black (>=19.19b0,<=20.8)", "flake8 (>=3.7,<4)", "flake8-bugbear", "isort (>=4.3,<5.2.0)", "mypy (<=0.910)", "pysen", "types-setuptools"] +marine = ["marine (>=0.0.5)"] test = ["pytest", "scipy"] [package.source] type = "git" -url = "https://github.com/VOICEVOX/pyopenjtalk" -reference = "f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae" -resolved_reference = "f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae" +url = "https://github.com/VOICEVOX/pyopenjtalk.git" +reference = "b35fc89fe42948a28e33aed886ea145a51113f88" +resolved_reference = "b35fc89fe42948a28e33aed886ea145a51113f88" [[package]] name = "pyrsistent" 
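Review bot: The eSignerCKA setup block runs a downloaded installer without any integrity check and splices the three secrets into the PowerShell command text, both inside the job that holds the signing credentials. `curl -LO` has no `-f` and the zip is unpacked and executed as fetched, so the release archive should be pinned by digest before `unzip` (this assumes the runner's Git Bash provides `sha256sum`; the digest below is a placeholder for the value of the vetted archive). Because bash expands `'$ESIGNERCKA_PASSWORD'` and its siblings before PowerShell parses the string, a quote character in a value changes the command instead of being passed as data; letting PowerShell read `$env:ESIGNERCKA_*` itself avoids that. The final `unload` would also be skipped if `set -e` aborts during the signing loop, which a `trap … EXIT` around the unload call would cover.

```shell
# … unchanged: INSTALL_DIR assignment and the directory check …
    curl -fLO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
    # <EXPECTED_SHA256> is a placeholder for the digest of the vetted archive
    echo "<EXPECTED_SHA256>  SSL.COM-eSigner-CKA_1.0.6.zip" | sha256sum -c -
    # … unchanged: unzip, installer rename, and the silent-install line inside the powershell string …
        & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user \$env:ESIGNERCKA_USERNAME -pass \$env:ESIGNERCKA_PASSWORD -totp \$env:ESIGNERCKA_TOTP_SECRET -key '$INSTALL_DIR\master.key' -r
    # … unchanged: unload, cleanup of the downloaded files …
```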
@@ -2529,4 +2529,4 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools" [metadata] lock-version = "2.0" python-versions = "~3.8" -content-hash = "e4a1cfc336b0406d1779f3027d65187e74982c9ac329c784410584da97e55227" +content-hash = "fb1ef80970b8bdc2a83cb0f622c1b2c76f4cb865e9c59e22ebbbbc488d02dc04" diff --git a/pyproject.toml b/pyproject.toml index c828714cf..944854dd7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -51,7 +51,7 @@ pyworld = "^0.3.0" appdirs = "^1.4.4" requests = "^2.28.1" jinja2 = "^3.1.2" -pyopenjtalk = {git = "https://github.com/VOICEVOX/pyopenjtalk", rev = "f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae"} +pyopenjtalk = {git = "https://github.com/VOICEVOX/pyopenjtalk.git", rev = "b35fc89fe42948a28e33aed886ea145a51113f88"} [tool.poetry.group.dev.dependencies] cython = "^0.29.24" diff --git a/requirements-dev.txt b/requirements-dev.txt index 529e0235c..3c9ca9b32 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -54,7 +54,7 @@ pycparser==2.21 ; python_version >= "3.8" and python_version < "3.9" pydantic==1.10.2 ; python_version >= "3.8" and python_version < "3.9" pyinstaller-hooks-contrib==2022.14 ; python_version >= "3.8" and python_version < "3.9" pyinstaller==5.3 ; python_version >= "3.8" and python_version < "3.9" -pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk@f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae ; python_version >= "3.8" and python_version < "3.9" +pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk.git@b35fc89fe42948a28e33aed886ea145a51113f88 ; python_version >= "3.8" and python_version < "3.9" pyrsistent==0.19.3 ; python_version >= "3.8" and python_version < "3.9" python-multipart==0.0.5 ; python_version >= "3.8" and python_version < "3.9" pywin32-ctypes==0.2.0 ; python_version >= "3.8" and python_version < "3.9" and sys_platform == "win32" diff --git a/requirements-license.txt b/requirements-license.txt index cbf29e014..aa2df7e74 100644 --- a/requirements-license.txt 
+++ b/requirements-license.txt @@ -18,7 +18,7 @@ pip-licenses==3.5.5 ; python_version >= "3.8" and python_version < "3.9" ptable==0.9.2 ; python_version >= "3.8" and python_version < "3.9" pycparser==2.21 ; python_version >= "3.8" and python_version < "3.9" pydantic==1.10.2 ; python_version >= "3.8" and python_version < "3.9" -pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk@f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae ; python_version >= "3.8" and python_version < "3.9" +pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk.git@b35fc89fe42948a28e33aed886ea145a51113f88 ; python_version >= "3.8" and python_version < "3.9" python-multipart==0.0.5 ; python_version >= "3.8" and python_version < "3.9" pyworld==0.3.0 ; python_version >= "3.8" and python_version < "3.9" pyyaml==6.0 ; python_version >= "3.8" and python_version < "3.9" diff --git a/requirements-test.txt b/requirements-test.txt index c1084d2ca..4c221c538 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -39,7 +39,7 @@ pycodestyle==2.7.0 ; python_version >= "3.8" and python_version < "3.9" pycparser==2.21 ; python_version >= "3.8" and python_version < "3.9" pydantic==1.10.2 ; python_version >= "3.8" and python_version < "3.9" pyflakes==2.3.1 ; python_version >= "3.8" and python_version < "3.9" -pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk@f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae ; python_version >= "3.8" and python_version < "3.9" +pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk.git@b35fc89fe42948a28e33aed886ea145a51113f88 ; python_version >= "3.8" and python_version < "3.9" pysen[lint]==0.10.2 ; python_version >= "3.8" and python_version < "3.9" pytest==6.2.5 ; python_version >= "3.8" and python_version < "3.9" python-multipart==0.0.5 ; python_version >= "3.8" and python_version < "3.9" diff --git a/requirements.txt b/requirements.txt index ebf92b618..5c52e523d 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -16,7 +16,7 @@ markupsafe==2.1.1 ; python_version >= "3.8" and python_version < "3.9" numpy==1.20.0 ; python_version >= "3.8" and python_version < "3.9" pycparser==2.21 ; python_version >= "3.8" and python_version < "3.9" pydantic==1.10.2 ; python_version >= "3.8" and python_version < "3.9" -pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk@f4ade29ef9a4f43d8605103cb5bacc29e0b2ccae ; python_version >= "3.8" and python_version < "3.9" +pyopenjtalk @ git+https://github.com/VOICEVOX/pyopenjtalk.git@b35fc89fe42948a28e33aed886ea145a51113f88 ; python_version >= "3.8" and python_version < "3.9" python-multipart==0.0.5 ; python_version >= "3.8" and python_version < "3.9" pyworld==0.3.0 ; python_version >= "3.8" and python_version < "3.9" pyyaml==6.0 ; python_version >= "3.8" and python_version < "3.9"