check sig

deansheather · deansheather · commit 12d1973d3558 · 2025-03-01T15:11:00.000+11:00
diff --git a/scripts/Publish.ps1 b/scripts/Publish.ps1
@@ -75,6 +75,12 @@ function Add-CoderSignature([string] $path) {
         --tsaurl $env:EV_TSA_URL `
         $path
     if ($LASTEXITCODE -ne 0) { throw "Failed to sign $path" }
+
+    # Verify that the output exe is authenticode signed
+    $sig = Get-AuthenticodeSignature $path
+    if ($sig.Status -ne "Valid") {
+        throw "File $path is not authenticode signed"
+    }
 }
 
 # CD to the root of the repo
diff --git a/scripts/Release.ps1 b/scripts/Release.ps1
@@ -1,48 +1,48 @@
 # Usage: Release.ps1 -version <version>
 param (
-  [Parameter(Mandatory = $true)]
-  [ValidatePattern("^\d+\.\d+\.\d+$")]
-  [string] $version,
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern("^\d+\.\d+\.\d+$")]
+    [string] $version,
 
-  [Parameter(Mandatory = $true)]
-  [ValidatePattern("^\d+\.\d+\.\d+\.\d+$")]
-  [string] $assemblyVersion
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern("^\d+\.\d+\.\d+\.\d+$")]
+    [string] $assemblyVersion
 )
 
 $ErrorActionPreference = "Stop"
 
 foreach ($arch in @("x64", "arm64")) {
-  Write-Host "::group::Publishing $arch"
-  try {
-    $archUpper = $arch.ToUpper()
+    Write-Host "::group::Publishing $arch"
+    try {
+        $archUpper = $arch.ToUpper()
 
-    $msiOutputPath = "publish/CoderDesktopCore-$version-$arch.msi"
-    Add-Content -Path $env:GITHUB_OUTPUT -Value "$($archUpper)_MSI_OUTPUT_PATH=$msiOutputPath"
-    Write-Host "MSI_OUTPUT_PATH=$msiOutputPath"
+        $msiOutputPath = "publish/CoderDesktopCore-$version-$arch.msi"
+        Add-Content -Path $env:GITHUB_OUTPUT -Value "$($archUpper)_MSI_OUTPUT_PATH=$msiOutputPath"
+        Write-Host "MSI_OUTPUT_PATH=$msiOutputPath"
 
-    $outputPath = "publish/CoderDesktop-$version-$arch.exe"
-    Add-Content -Path $env:GITHUB_OUTPUT -Value "$($archUpper)_OUTPUT_PATH=$outputPath"
-    Write-Host "OUTPUT_PATH=$outputPath"
+        $outputPath = "publish/CoderDesktop-$version-$arch.exe"
+        Add-Content -Path $env:GITHUB_OUTPUT -Value "$($archUpper)_OUTPUT_PATH=$outputPath"
+        Write-Host "OUTPUT_PATH=$outputPath"
 
-    $publishScript = Join-Path $PSScriptRoot "Publish.ps1"
-    & $publishScript `
-      -version $assemblyVersion `
-      -arch $arch `
-      -msiOutputPath $msiOutputPath `
-      -outputPath $outputPath `
-      -sign
-    if ($LASTEXITCODE -ne 0) { throw "Failed to publish" }
+        $publishScript = Join-Path $PSScriptRoot "Publish.ps1"
+        & $publishScript `
+            -version $assemblyVersion `
+            -arch $arch `
+            -msiOutputPath $msiOutputPath `
+            -outputPath $outputPath `
+            -sign
+        if ($LASTEXITCODE -ne 0) { throw "Failed to publish" }
 
-    # Verify that the output exe is authenticode signed
-    $sig = Get-AuthenticodeSignature $outputPath
-    if ($sig.Status -ne "Valid") {
-      throw "Output file is not authenticode signed"
+        # Verify that the output exe is authenticode signed
+        $sig = Get-AuthenticodeSignature $outputPath
+        if ($sig.Status -ne "Valid") {
+            throw "Output file is not authenticode signed"
+        }
+        else {
+            Write-Host "Output file is authenticode signed"
+        }
     }
-    else {
-      Write-Host "Output file is authenticode signed"
+    finally {
+        Write-Host "::endgroup::"
     }
-  }
-  finally {
-    Write-Host "::endgroup::"
-  }
 }
