ci(windows): wire SignPath test-signing for portable bundle

Add SignPath artifact configuration (windows-portable-v1) signing only the first-party binaries orca-slicer.exe and OrcaSlicer.dll, plus verification and inventory scripts. The Windows build job uploads the unsigned portable bundle, submits it to SignPath (test-signing), verifies the returned signatures, and rebuilds the installer/zip from the signed binaries. project-slug matches the SignPath project (OrcaSlicer).
2026-06-26 05:32:15 +00:00 · 2026-05-29 23:41:39 +08:00
parent 6b55e324c9
commit ebdfa74ce8
6 changed files with 206 additions and 8 deletions
--- a/scripts/verify-authenticode.ps1
+++ b/scripts/verify-authenticode.ps1
@@ -0,0 +1,73 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
+    [string]$ArtifactDirectory,
+
+    [string[]]$Files = @(
+        "orca-slicer.exe",
+        "OrcaSlicer.dll"
+    ),
+
+    [string]$SignToolPath
+)
+
+$ErrorActionPreference = "Stop"
+
+function Resolve-SignToolPath {
+    param(
+        [string]$ExplicitPath
+    )
+
+    if ($ExplicitPath) {
+        if (Test-Path -LiteralPath $ExplicitPath -PathType Leaf) {
+            return (Resolve-Path -LiteralPath $ExplicitPath).Path
+        }
+
+        throw "SignTool was not found at '$ExplicitPath'."
+    }
+
+    $fromPath = Get-Command -Name "signtool.exe" -ErrorAction SilentlyContinue
+    if ($fromPath) {
+        return $fromPath.Source
+    }
+
+    $candidateRoots = @(
+        "${env:ProgramFiles(x86)}\Windows Kits\10\bin",
+        "${env:ProgramFiles}\Windows Kits\10\bin"
+    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
+
+    foreach ($root in $candidateRoots) {
+        $candidate = Get-ChildItem -LiteralPath $root -Recurse -Filter "signtool.exe" -File -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -match "\\(x64|arm64)\\signtool\.exe$" } |
+            Sort-Object -Property FullName -Descending |
+            Select-Object -First 1
+
+        if ($candidate) {
+            return $candidate.FullName
+        }
+    }
+
+    throw "signtool.exe was not found. Install the Windows SDK or pass -SignToolPath."
+}
+
+$artifactRoot = (Resolve-Path -LiteralPath $ArtifactDirectory).Path
+$signtool = Resolve-SignToolPath -ExplicitPath $SignToolPath
+
+Write-Host "Using SignTool: $signtool"
+Write-Host "Verifying Authenticode signatures in: $artifactRoot"
+
+foreach ($relativePath in $Files) {
+    $filePath = Join-Path $artifactRoot $relativePath
+    if (-not (Test-Path -LiteralPath $filePath -PathType Leaf)) {
+        throw "Expected signed file was not found: $filePath"
+    }
+
+    Write-Host "Verifying $relativePath"
+    & $signtool verify /pa /all /tw /v $filePath
+    if ($LASTEXITCODE -ne 0) {
+        throw "SignTool verification failed for '$relativePath' with exit code $LASTEXITCODE."
+    }
+}
+
+Write-Host "Authenticode verification passed."