add code signing to AppVeyor CI

appveyor.yml

@@ -1,12 +1,27 @@
 version: 0.0.4.{build}
-os: Previous Visual Studio 2015
+os: Visual Studio 2015
+environment:
+  ENCKEY:
+    secure: saYAIpqXzpq0U+JH+MNi/isRQ6Y51PZhm4BrnePDiAPptFO5htxFOLegrYqxdy67
+  CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD:
+    secure: bzYmf0ElxisSGyZnIjUOYQ==
+install:
+- nuget install secure-file -ExcludeVersion
+- secure-file\tools\secure-file -decrypt distribution\windows\code-sign-key-openrct2.org.pfx.enc -secret %enckey%
+- cinst nsis.portable -pre
+- ps: >-
+    curl "http://nsis.sourceforge.net/mediawiki/images/5/53/KillProcDll%26FindProcDll.zip" -OutFile nsisxtra.zip
+
+    7z x nsisxtra.zip
+
+    cp FindProcDLL.dll "C:\ProgramData\chocolatey\lib\nsis.portable\tools\nsis-3.0b1\Plugins\x86-ansi"
 build_script:
 - ps: >-
     .\setenv.ps1
 
-    install
-
-    publish -Server AppVeyor -BuildNumber $env:APPVEYOR_BUILD_NUMBER -GitBranch $env:APPVEYOR_REPO_BRANCH
+    appveyor_run
 artifacts:
 - path: .\artifacts\openrct2.zip
-  name: OpenRCT2
+  name: OpenRCT2-portable
+- path: .\artifacts\*.exe
+  name: OpenRCT2-installer

distribution/windows/build.ps1

@@ -1,9 +1,11 @@
 param (
     [Parameter(Position = 1)]
-    [string]$BuildNumber = "",
-    [string]$GitBranch = ""
+    [string]$VersionExtra = ""
 )
 
 $path = Split-Path $Script:MyInvocation.MyCommand.Path
 Write-Host "Building Windows Installer (NSIS script)";
-makensis /DAPPV_BUILD=$BuildNumber /DAPPV_EXTRA=-$GitBranch-b$BuildNumber /DVERSION_INCLUDE=$path\win32.txt $path\install.nsi > $path\win32.log;
+Write-Host "  $VersionExtra";
+makensis   /DAPPV_EXTRA=-$VersionExtra        `
+           /DVERSION_INCLUDE=$path\win32.txt  `
+         $path\install.nsi > $path\win32.log;

scripts/ps/appveyor_run.ps1

@@ -0,0 +1,32 @@
+#########################################################
+# Script to build OpenRCT2 on AppVeyor
+#########################################################
+
+# Install dependencies
+install -Quiet
+
+# Build OpenRCT2
+publish build `
+        -Server      AppVeyor                   `
+        -BuildNumber $env:APPVEYOR_BUILD_NUMBER `
+        -GitBranch   $env:APPVEYOR_REPO_BRANCH  `
+        -CodeSign
+
+if ($LASTEXITCODE -ne 0)
+{
+    exit 1
+}
+
+# Create a Portable ZIP
+publish package                                 `
+        -Server      AppVeyor                   `
+        -BuildNumber $env:APPVEYOR_BUILD_NUMBER `
+        -GitBranch   $env:APPVEYOR_REPO_BRANCH
+
+# Create an Installer
+publish package                                 `
+        -Installer                              `
+        -Server      AppVeyor                   `
+        -BuildNumber $env:APPVEYOR_BUILD_NUMBER `
+        -GitBranch   $env:APPVEYOR_REPO_BRANCH  `
+        -CodeSign

scripts/ps/publish.ps1

@@ -11,7 +11,8 @@ param (
     [string]$Server  = "",
     [string]$BuildNumber = "",
     [string]$GitBranch = "",
-    [switch]$Installer = $false
+    [switch]$Installer = $false,
+    [switch]$CodeSign = $false
 )
 
 # Setup
@@ -59,7 +60,23 @@ function Do-Build()
 {
     Write-Host "Building OpenRCT2..." -ForegroundColor Cyan
     & "$scriptsPath\build.ps1" all -Rebuild
-    return $LASTEXITCODE
+    if ($LASTEXITCODE -ne 0)
+    {
+        Write-Host "Failed to build OpenRCT2" -ForegroundColor Red
+        return 1
+    }
+
+    if ($CodeSign)
+    {
+        $releaseDir = "$rootPath\bin"
+        $exePath    = "$releaseDir\openrct2.exe"
+        $dllPath    = "$releaseDir\openrct2.dll"
+
+        if (-not (Sign-Binary($exePath))) { return 1 }
+        if (-not (Sign-Binary($dllPath))) { return 1 }
+    }
+
+    return 0
 }
 
 # Package
@@ -121,7 +138,9 @@ function Do-Installer()
     New-Item -Force -ItemType Directory $artifactsDir > $null
 
     # Create installer
-    & "$installerDir\build.ps1" -BuildNumber $BuildNumber -GitBranch $GitBranch
+    $GitCommitSha1Short = (git rev-parse --short HEAD)
+    $VersionExtra       = "$GitBranch-$GitCommitSha1Short"
+    & "$installerDir\build.ps1" -VersionExtra $VersionExtra
     if ($LASTEXITCODE -ne 0)
     {
         Write-Host "Failed to create installer." -ForegroundColor Red
@@ -139,7 +158,14 @@ function Do-Installer()
         return 1
     }
 
-    Move-Item $binaries[0].FullName $artifactsDir
+    $installerPath = $binaries[0].FullName
+
+    if ($CodeSign)
+    {
+        if (-not (Sign-Binary($installerPath))) { return 1 }
+    }
+
+    Move-Item -Force $installerPath $artifactsDir
     return 0
 }
 
@@ -170,6 +196,47 @@ function Do-Task-All()
     return 0
 }
 
+function Sign-Binary($binaryPath)
+{
+    $pfxPath      = "$rootPath\distribution\windows\code-sign-key-openrct2.org.pfx"
+    $pfxPassword  = ${env:CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD}
+    $timestampUrl = "http://timestamp.comodoca.com/authenticode"
+
+    if (-not (Test-Path -PathType Leaf $pfxPath))
+    {
+        Write-Host "Unable to sign, code signature key was not found." -ForegroundColor Red
+        return 1
+    }
+
+    if ($pfxPassword -eq $null)
+    {
+        Write-Host "Unable to sign, %CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD% was not set." -ForegroundColor Red
+        return 1
+    }
+
+    # Resolve signtool path
+    $signtoolcmd = "signtool"
+    if (-not (AppExists($signtoolcmd)))
+    {
+        $signtoolcmd = "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\SignTool.exe"
+        if (-not (AppExists($signtoolcmd)))
+        {
+            Write-Host "Publish script requires signtool to be in PATH" -ForegroundColor Red
+            return 1
+        }
+    }
+
+    # Sign the binary
+    & $signtoolcmd sign /f $pfxPath /p $pfxPassword /t $timestampUrl $binaryPath
+    if ($LASTEXITCODE -ne 0)
+    {
+        Write-Host "Failed to sign binary." -ForegroundColor Red
+        return 1
+    }
+
+    return 0
+}
+
 # Script entry point
 switch ($Task)
 {