From c9042c6174be487c58bbb473fa88765ad2846395 Mon Sep 17 00:00:00 2001
From: IntelOrca
Date: Tue, 26 Jan 2016 18:48:09 +0000
Subject: [PATCH] add code signing to AppVeyor CI
---
 appveyor.yml | 25 ++++--
 distribution/windows/build.ps1 | 8 +-
 .../code-sign-key-openrct2.org.pfx.enc | Bin 0 -> 4368 bytes
 scripts/ps/appveyor_run.ps1 | 32 ++++++++
 scripts/ps/publish.ps1 | 75 +++++++++++++++++-
 5 files changed, 128 insertions(+), 12 deletions(-)
 create mode 100644 distribution/windows/code-sign-key-openrct2.org.pfx.enc
 create mode 100644 scripts/ps/appveyor_run.ps1
diff --git a/appveyor.yml b/appveyor.yml
index c2beb58a80..4ec9361b08 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,12 +1,27 @@
 version: 0.0.4.{build}
-os: Previous Visual Studio 2015
+os: Visual Studio 2015
+environment:
+ ENCKEY:
+ secure: saYAIpqXzpq0U+JH+MNi/isRQ6Y51PZhm4BrnePDiAPptFO5htxFOLegrYqxdy67
+ CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD:
+ secure: bzYmf0ElxisSGyZnIjUOYQ==
+install:
+- nuget install secure-file -ExcludeVersion
+- secure-file\tools\secure-file -decrypt distribution\windows\code-sign-key-openrct2.org.pfx.enc -secret %enckey%
+- cinst nsis.portable -pre
+- ps: >-
+ curl "http://nsis.sourceforge.net/mediawiki/images/5/53/KillProcDll%26FindProcDll.zip" -OutFile nsisxtra.zip
+
+ 7z x nsisxtra.zip
+
+ cp FindProcDLL.dll "C:\ProgramData\chocolatey\lib\nsis.portable\tools\nsis-3.0b1\Plugins\x86-ansi"
 build_script:
 - ps: >-
 .\setenv.ps1
- install
-
- publish -Server AppVeyor -BuildNumber $env:APPVEYOR_BUILD_NUMBER -GitBranch $env:APPVEYOR_REPO_BRANCH
+ appveyor_run
 artifacts:
 - path: .\artifacts\openrct2.zip
- name: OpenRCT2
+ name: OpenRCT2-portable
+- path: .\artifacts\*.exe
+ name: OpenRCT2-installer
diff --git a/distribution/windows/build.ps1 b/distribution/windows/build.ps1
index 21d0d383e5..2dd5770727 100644
--- a/distribution/windows/build.ps1
+++ b/distribution/windows/build.ps1
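Review bot: The new `install` step in appveyor.yml fetches `nsisxtra.zip` over plain `http://` and copies `FindProcDLL.dll` from it into the NSIS plugin directory with no integrity check, so whatever that URL serves at build time is available to the installer build that this pipeline then signs with the project key. Pin the archive to a known digest before extracting, e.g. `if ((Get-FileHash nsisxtra.zip -Algorithm SHA256).Hash -ne 'EXPECTED_SHA256_PLACEHOLDER') { throw 'nsisxtra.zip digest mismatch' }`, or vendor the DLL in the repository. In a weaker form the same applies to `nuget install secure-file` and `cinst nsis.portable -pre`, which take whatever version is current; pinning explicit versions would keep the signing environment reproducible.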
@@ -1,9 +1,11 @@ param ( [Parameter(Position = 1)] - [string]$BuildNumber = "", - [string]$GitBranch = "" + [string]$VersionExtra = "" ) $path = Split-Path $Script:MyInvocation.MyCommand.Path Write-Host "Building Windows Installer (NSIS script)"; -makensis /DAPPV_BUILD=$BuildNumber /DAPPV_EXTRA=-$GitBranch-b$BuildNumber /DVERSION_INCLUDE=$path\win32.txt $path\install.nsi > $path\win32.log; +Write-Host " $VersionExtra"; +makensis /DAPPV_EXTRA=-$VersionExtra ` + /DVERSION_INCLUDE=$path\win32.txt ` + $path\install.nsi > $path\win32.log; 
diff --git a/distribution/windows/code-sign-key-openrct2.org.pfx.enc b/distribution/windows/code-sign-key-openrct2.org.pfx.enc new file mode 100644 index 0000000000000000000000000000000000000000..99f16381c5ba5ae2b40db625d6763c5685b5758b GIT binary patch literal 4368 zcmV+r5%2EkxE&NG6`V8-sWjO2rsdjgQQoD@RYDmBR8@-6=|^d+sVPwtj?qPZM?T9i z{{-gny?(=@xDKE#P^6R+Z;SGQh{ly2+~)`He`TN4RfMP`pFV_(Yyg7cjY`*6hIwY( z)Dd{Qq>b3+*&yC(A=O$$;J!jQ0waZ9^r5k}( zWjf4;Q;|1}lJ-;*`xcG*hFQ$W4zy&kc9fR>iZr4ZQkIj;rh7x<_J>fFa*hakh95kJ ztqlgabyu$bDpvQ+jqRQ0RM6CW_l+^)#l_VkzqfO?G|j4vB_6;Z1u<5{p$RIiOk1VI zwOv94&7%@ppW$-Dtq)D~Y^js=S&7@q1x786`)jsw?$AU{a8h4OHoCsIP5<-bO0JT# zGvbRQ#G~510&boZxUUDAO9Cvwc0_%(1a0EMAiKC|#B1O!>LZ;GO@E}=5Emnh)ReNl z7y{BMxrhfGSI*O75t-PrEIm1Al4JN>&*hv=I!YGazl*!kBWgWQ^uxjBYm1#=kf)07 zCo+yrQW2$z?eUtzeYwfsh)ap^Q`Dnz8Q#VjrmFPY>T!7D&T8#AY z4ZSPm{LAdgZ-Xt@gewP8oL)_30XwKG)CTt`9e#gTZ;!qYwK`z3O^M~t^tIg#5J|f9 z+E=1VDHHWj=3zZ#^OqwG0T#}q`e@PNmqExLHi&1okR;Kf6@IL%`v1x(|G858U`0;| zWo&!xaVQ-Z%Wz@d#c*Ow;(*dsdqXgZ@=*Gd*7h{hpjCMme+_4|#qQdPWt(h`kunSV zX6IhU{I70XE>rxI#V_p$nC7-Oy<}7GwYJbs{-67;e%v7Dj^BO_D-u?8RW(MSx9T z8@f52RZHWYm!~Ax>ev@=dM*ZteB8%C!TYg0F}WoY4Sy?+_$(QW8Y;P0Rr z$;4}Ydy()mmtu@S!q*1f!Ti9_qr|p5b&qfYCx-rN*yT!mC1Ib#4G`xYwP?9V2cGvq zLL90FJjc{Q;*9clQb?^wYW_B4k4DP|Yk6{!aWcUUrzM+#Odz9*WV5~GpW*k?d_r)? 
z4Rd&F(bbg;lUeA8ID5 zlxa!;anP6w#_nb3GoRR~`20v-ZagEufGy`cm_O9C?mozKfeBh-1+^hZ%5lz8Wte^6 z%tF%KS5Dh|*2mhONub|Q1<|^1y8<{^xGY8U9of3dIdL<|85Y_&toO^+`O#XhWSeNt zqlSawu*JatT(8En%3fWNSke_LV+!{Y>zn^=&TQ-FUu^+yx|c!`x~qZO3W$xQ@qmWo z0fhVgNnki~w%NxM8>?JA)5b)ZLwne)h%V1s@XZR3Y8Geh_mPY!NQ|&fn@O!qxLrgM z02N$*B9&}|rx**NmABx$3f#v5vOr(nsz?1UZl2U6j0O;P3@9KPm&7{F&oqxOT(Mq$ z#&$5~;OgbZUDF*jIDrfDw^sOF#=f^yVXI|t4s}ae3u+r4_2`M-Ex0uW?z?TkY4GkY zzw&dGTjzWE&tFC@W^6eVJe!BNBy!nxg=r0%`nN0w&Y6aO58T_FgosWvTYE~<6K)Zx z3Zx_{!6=&(#0-`{wChRHsgC-f?I7hq-pmmQmhQA)HYU$|8{{Wjzd!9m!g;?5rcxb^ zpi%%JKK@`+Z_CP$F(}8;;ZU+JZt~rE9bXdinO595cjqjpM^GMOA5$$BtG#S*)LW>2 z07LH;FR#y^jwkeP^axk&o;!h{2VVeys`_7-5%}ghS9A1(M>wy4qirWRsb{5Rew}Vxl6ZzIK3K#^Gk!^c1odZX=M> zzGAyFi1N@K`FZcp8vb@f(NO})nq@;JJq!30KHTO2fqSW`ezvBXOnMa9sQgz0H;|Tw z=kJ-9)h_3d>O00wR8BatJ$dalFGx;6@6?L0H%a;#+T5GNS_W`V+mGDOZbfY{5MRG~ z^R4oKD)yYOI?v0vR9JAj_=a|^Q)?&)vqD}<g?V&+HM)J6{L^&jytVfFHv zG3T;UN&fN}sBF6rBj-YY^M#J<;iZb!Ea8qF+07&1eZ4s(b1P7o#Z^!kB=K@msihr+ z#&~P|YS4^{wzL=TDOad$zw=lq?ebzStYJyN1Cl4E&EPZ_!<3zAffx@tZ-LCH+2k9u z=1=$j`d$b^96C@i9(*}r^`v-&(XdQ2Hoh2M)IgJIZj}RNYi~kRv8gWoD#4@L&n|k* z>T>kC`k#Ypb5Jn3{s2ALU7FDnfKnI!cE;%T0=Ew9iy`*<4k6lrNkuN@K8V`aHra;p zV9KP_0q>Cr0wymK(H6XjSq**KHU)B}fIeucJtyXa77@usJwZPpoxBY$$ywpW_afU* zGhI8_zj`5<0wR$nRYU*n9?D79v*NBc z5s#or%lQiBeHodxfo1Cre6^qd658KHdn<_bakAY@q>o(_b&|sjxn31RFTIod$WbR1 z21=H;%gvIN7kynK?4xE?O#+~H8x~9Vw=e+$UOkKT+!@2agyZ^d#f9~hY@&|Lp#Faj zz(Ya0W=)}~$Y2zL78tK^cJ#&zu4oq1s24&w_4b_rgw{4(yw$PyH{eDA6YgiZX0plT zd&8$=)YC1EoVA;6bERUo`SoMIAG-58xeMcT3gnSlR5qO~&z`)U%V$z19EC;G+s_65 znx*^@>~g98-xE!`{&aPHu~b1&eQ4+hi7F6%%`v0(sAkNU5_n;|i_ z^3J9rP0CZwrD?N(rZYoxq#dM&m5cg7_eRrPtf1}Mm1vCjL!0-Hi} zw5Vs-OZkL2TJC&91=V4&aL68R4{XXC3)jeUWS70I@f-Dsx&bBxg@L(uXUu=dt7^3S ze%h%9Ng|K6T>%lz9$K(U06y^o)j+yww{KM;eeUGV7I*Je`VlP3nuHJ$`f8=p(L-3M z0wQQm4<1*NxhIu?z6xT+@~ILx4462`H{c@?es)MpcZjNhA%bx>Z$`Aw*+k>6fOKS! 
z0ZG9uqrOp>3AMKM>RK|W(Xzri2-ccBd%(x8`*}EhL7Bt7xWOHT4(-ZNFiyE|Bv48o zzQCBEpd&bP3)MpaVq0lMO|JNTm7M)Btk0i)8!RfD2z8Z7Le^_@TBI(okJSLP+aJ^N z3tO^~cGfhLkgUKUhMIVrG3qsD06tNT{wCgesKMyI@Lu@N27w@G47d5Ue11OZitJ_v zm)gM0U5KcJMBR&D!Wf0<*Ea4fdYki)(GGYqQx4B`q487YsMhiCb^A^_Qg4UVXPB=Z z_81uEvn!`GP*|XD@Y9!SZq=gD)tc&kPG}arC?kfy(>#7xMrtfnEYn|i8#ER^SBV6% z({>p^H+mo{=ct%m|IIMmF%#IU9)xG;Vsr=GY^?U-4^}g(>?Pf`HKCH@-Un%ts(C=I zNl92;dR5z2A1LB0S{xWwG z9UwRpoFcS9bRGlK%eKt+8i6Ge4MBIG#y2^AJk+ImWox=KU(dG6N*z&Z{8}-FG=T)J zVX`_l-o8Kn9{jL}4AUc_RciFChjSJv&IGQVsBc0jF6aNqJG0dlisv|VXg9t2-7dh};W@;<#)2<;u zO%zFLRIP*uv#k-7K|9AG>B%F6gOPa!IK^$^2|+3C7vy4jP(TJV6=*dJ`edwOavREH zn<3ndttOp!UkR<>Nk@pW!vS0?H$#X%dC%MCb*ALWxaYuaoO&V1hOOh^!yCZbt;FR= zYHzZ7JOdV3dh&fB3ZE_&c6YR66b?A&5_%po=6FAPLZZaotrn?IP+rf_2O6CKSc#k7 zKn38ywK6(^y)CZ7LwtGb!%hl#k{*Dfwx20eOPZyLVfC4 z0Rm?>eZ_9Ocg^2a2#loQb7d9-KKv*8DXybKb9cvOh9b<{_>1CYXu+MHbX;DvkhS?I K8B3MZD}2J`mWDV0 literal 0 HcmV?d00001 diff --git a/scripts/ps/appveyor_run.ps1 b/scripts/ps/appveyor_run.ps1 new file mode 100644 index 0000000000..97724a7197 --- /dev/null +++ b/scripts/ps/appveyor_run.ps1 @@ -0,0 +1,32 @@ +######################################################### +# Script to build OpenRCT2 on AppVeyor +######################################################### + +# Install dependencies +install -Quiet + +# Build OpenRCT2 +publish build ` + -Server AppVeyor ` + -BuildNumber $env:APPVEYOR_BUILD_NUMBER ` + -GitBranch $env:APPVEYOR_REPO_BRANCH ` + -CodeSign + +if ($LASTEXITCODE -ne 0) +{ + exit 1 +} + +# Create a Portable ZIP +publish package ` + -Server AppVeyor ` + -BuildNumber $env:APPVEYOR_BUILD_NUMBER ` + -GitBranch $env:APPVEYOR_REPO_BRANCH + +# Create an Installer +publish package ` + -Installer ` + -Server AppVeyor ` + -BuildNumber $env:APPVEYOR_BUILD_NUMBER ` + -GitBranch $env:APPVEYOR_REPO_BRANCH ` + -CodeSign diff --git a/scripts/ps/publish.ps1 b/scripts/ps/publish.ps1 index 4e83208408..ce77846642 100644 --- a/scripts/ps/publish.ps1 +++ b/scripts/ps/publish.ps1 
@@ -11,7 +11,8 @@ param (
 [string]$Server = "",
 [string]$BuildNumber = "",
 [string]$GitBranch = "",
- [switch]$Installer = $false
+ [switch]$Installer = $false,
+ [switch]$CodeSign = $false
 )
 # Setup
@@ -59,7 +60,23 @@ function Do-Build()
 {
 Write-Host "Building OpenRCT2..." -ForegroundColor Cyan
 & "$scriptsPath\build.ps1" all -Rebuild
- return $LASTEXITCODE
+ if ($LASTEXITCODE -ne 0)
+ {
+ Write-Host "Failed to build OpenRCT2" -ForegroundColor Red
+ return 1
+ }
+
+ if ($CodeSign)
+ {
+ $releaseDir = "$rootPath\bin"
+ $exePath = "$releaseDir\openrct2.exe"
+ $dllPath = "$releaseDir\openrct2.dll"
+
+ if (-not (Sign-Binary($exePath))) { return 1 }
+ if (-not (Sign-Binary($dllPath))) { return 1 }
+ }
+
+ return 0
 }
 # Package
@@ -121,7 +138,9 @@ function Do-Installer()
 New-Item -Force -ItemType Directory $artifactsDir > $null
 # Create installer
- & "$installerDir\build.ps1" -BuildNumber $BuildNumber -GitBranch $GitBranch
+ $GitCommitSha1Short = (git rev-parse --short HEAD)
+ $VersionExtra = "$GitBranch-$GitCommitSha1Short"
+ & "$installerDir\build.ps1" -VersionExtra $VersionExtra
 if ($LASTEXITCODE -ne 0)
 {
 Write-Host "Failed to create installer." -ForegroundColor Red
@@ -139,7 +158,14 @@ function Do-Installer()
 return 1
 }
- Move-Item $binaries[0].FullName $artifactsDir
+ $installerPath = $binaries[0].FullName
+
+ if ($CodeSign)
+ {
+ if (-not (Sign-Binary($installerPath))) { return 1 }
+ }
+
+ Move-Item -Force $installerPath $artifactsDir
 return 0
 }
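Review bot: The checks `if (-not (Sign-Binary($exePath))) { return 1 }` and `if (-not (Sign-Binary($dllPath))) { return 1 }` in Do-Build do not stop the build when signing fails, and the same pattern is repeated for `$installerPath` in the last Do-Installer hunk. Sign-Binary returns `1` on every failure path and `0` on success, and `-not 1` is `$false`, so a missing key, an unset password or a signtool error falls through and the unsigned binary is packaged as if it were signed. The success case appears to pass only because signtool's stdout is emitted into the function's output alongside the `0`, making the result a multi-element array. Have Sign-Binary return `$true`/`$false` and send the tool output to the host with `& $signtoolcmd sign ... | Out-Host`, so that the `-not` tests here mean what they say. Do-Build and Do-Installer both begin outside these hunks.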
@@ -170,6 +196,47 @@ function Do-Task-All()
 return 0
 }
+function Sign-Binary($binaryPath)
+{
+ $pfxPath = "$rootPath\distribution\windows\code-sign-key-openrct2.org.pfx"
+ $pfxPassword = ${env:CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD}
+ $timestampUrl = "http://timestamp.comodoca.com/authenticode"
+
+ if (-not (Test-Path -PathType Leaf $pfxPath))
+ {
+ Write-Host "Unable to sign, code signature key was not found." -ForegroundColor Red
+ return 1
+ }
+
+ if ($pfxPassword -eq $null)
+ {
+ Write-Host "Unable to sign, %CODE-SIGN-KEY-OPENRCT2.ORG.PFX.PASSWORD% was not set." -ForegroundColor Red
+ return 1
+ }
+
+ # Resolve signtool path
+ $signtoolcmd = "signtool"
+ if (-not (AppExists($signtoolcmd)))
+ {
+ $signtoolcmd = "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\SignTool.exe"
+ if (-not (AppExists($signtoolcmd)))
+ {
+ Write-Host "Publish script requires signtool to be in PATH" -ForegroundColor Red
+ return 1
+ }
+ }
+
+ # Sign the binary
+ & $signtoolcmd sign /f $pfxPath /p $pfxPassword /t $timestampUrl $binaryPath
+ if ($LASTEXITCODE -ne 0)
+ {
+ Write-Host "Failed to sign binary." -ForegroundColor Red
+ return 1
+ }
+
+ return 0
+}
+
 # Script entry point
 switch ($Task)
 {
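Review bot: Sign-Binary hands the PFX password to signtool as the `/p` argument, so the secret sits in the process command line for every signing call. Importing the certificate into the build user's certificate store once and selecting it with `/sha1 CERT_THUMBPRINT_PLACEHOLDER` would keep it out of argv. The guard `$pfxPassword -eq $null` also lets an empty value through; `if ([string]::IsNullOrEmpty($pfxPassword))` covers both cases. The decrypted `.pfx` stays in the working tree after signing, so it is worth deleting once the last artifact is signed and confirming that no packaging step can pick it up. A short comment above `$timestampUrl` noting that the timestamp request uses plain HTTP and the legacy `/t` protocol would help whoever later moves this to `/tr` with `/td sha256`.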