fix(packaging): track icon source art; pipe-delimit CIM_SIGN_PARAMS

- Commit docs/samples/icon.png so make_icon.py can regenerate the committed icon.ico / app_icon.png from source. - build.ps1 split CIM_SIGN_PARAMS on '|' not ' ', so a cert subject name with spaces (e.g. /n|CIMTechniques, Inc.) reaches signtool intact when signing is enabled. Doc example updated to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 11:23:49 -04:00
parent df5466b7f6
commit 24ad18df42
4 changed files with 8 additions and 5 deletions
--- a/docs/RELEASE-PACKAGING.md
+++ b/docs/RELEASE-PACKAGING.md
@@ -64,9 +64,10 @@ Setup.exe) and is gated on env vars, so it is a no-op until configured:
 1. Acquire the OV cert / enrol in Azure Trusted Signing; install the token or HSM client.
 2. Set the build environment:
   - `CIM_SIGN_CERT=1`
-   - `CIM_SIGN_PARAMS=<signtool cert-selection args>`, e.g.
-     `/n "CIMTechniques, Inc."` (cert store by subject name) or
-     `/f cert.pfx /p <password>` (file-based).
+   - `CIM_SIGN_PARAMS=<signtool cert-selection args>`, **pipe-delimited** so a value may
+     contain spaces. Examples: `/n|CIMTechniques, Inc.` (cert store by subject name),
+     `/sha1|<thumbprint>` (by thumbprint — no spaces), or `/f|cert.pfx|/p|<password>`
+     (file-based). build.ps1 splits on `|`, so do not wrap values in quotes.
 3. Re-run `packaging\build.ps1`. It signs with SHA-256 + RFC-3161 timestamping
   (`http://timestamp.digicert.com`) so signatures stay valid after the cert expires.
 4. Verify: right-click each artifact → Properties → **Digital Signatures** shows
--- a/docs/samples/icon.png
+++ b/docs/samples/icon.png
--- a/packaging/build.ps1
+++ b/packaging/build.ps1
@@ -28,7 +28,9 @@ Write-Host "==> Building CIMTechniques Service Suite $ver"
 function Invoke-Sign([string]$target) {
    if ($env:CIM_SIGN_CERT) {
        Write-Host "==> Signing $target"
-        $extra = if ($env:CIM_SIGN_PARAMS) { $env:CIM_SIGN_PARAMS -split ' ' } else { @() }
+        # CIM_SIGN_PARAMS is PIPE-delimited (not space) so a value can contain spaces,
+        # e.g. CIM_SIGN_PARAMS='/n|CIMTechniques, Inc.' -> '/n','CIMTechniques, Inc.'.
+        $extra = if ($env:CIM_SIGN_PARAMS) { $env:CIM_SIGN_PARAMS -split '\|' } else { @() }
        & signtool sign /fd SHA256 /tr "http://timestamp.digicert.com" /td SHA256 @extra $target
        if ($LASTEXITCODE -ne 0) { throw "signtool failed for $target" }
    } else {
--- a/packaging/installer.iss
+++ b/packaging/installer.iss
@@ -3,7 +3,7 @@
 ; Prerequisite: build the app first with PyInstaller (see packaging\suite.spec), which
 ; produces packaging\dist\CIM-Service-Suite\. Then compile this script with Inno Setup:
 ;     "C:\Program Files (x86)\Inno Setup 6\ISCC.exe" packaging\installer.iss
-; Output: packaging\Output\CIM-Service-Suite-Setup.exe
+; Output: packaging\Output\CIM-Service-Suite-<version>-Setup.exe
 ;
 ; This installs the self-contained PyInstaller folder to Program Files with a
 ; Start-menu shortcut. No VB6 runtime / OCX registration required.