build(windows): Change to new signing solution for Win binaries

Implements #699
ptarmiganlabs · Feb 17, 2024 · 23d3977 · 23d3977
1 parent 0864fe4
commit 23d3977
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 16 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -186,9 +186,10 @@ jobs:
     env:
       DIST_FILE_NAME: butler-sos
       GITHUB_TOKEN: ${{ secrets.PAT }}
-      CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
-      CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
-      CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
+      # CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
+      # CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
+      # CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
+      CODESIGN_WIN_THUMBPRINT: ${{ secrets.WIN_CODESIGN_THUMBPRINT}}
     steps:
       - name: Release tag and upload url from previous job
         run: |

diff --git a/.github/workflows/insiders-build.yaml b/.github/workflows/insiders-build.yaml
@@ -10,30 +10,51 @@ jobs:
       matrix:
         os: [winsrv-2016, mac-build1, ubuntu-latest]
         include:
-          - os: winsrv-2016
+          - os: Windows
             build: |
               ./node_modules/.bin/esbuild src/bundle.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify
               pkg --output "./${env:DIST_FILE_NAME}.exe" -t node18-win-x64 ./build.cjs --config package.json --compress GZip
 
               dir
 
+              # # Extract signing certificate to files on disk
+              # New-Item -ItemType directory -Path certificate
+              # Set-Content -Path certificate\certificate.txt -Value $env:CODESIGN_BASE64
+              # certutil -decode certificate\certificate.txt certificate\certificate.pfx
+              # Set-Content -Path certificate\intermediate.txt -Value $env:CODESIGN_INTERMEDIATE_BASE64
+              # certutil -decode certificate\intermediate.txt certificate\intermediate.crt
+
+              # $processOptions = @{
+              #   FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+              #   Wait = $true
+              #   ArgumentList = "sign", "/fd", "SHA256", "/p", "$env:CODESIGN_PWD", "/ac", "certificate\intermediate.crt", "/f", "certificate\certificate.pfx", "/tr", "http://timestamp.sectigo.com/rfc3161", "/td", "sha256", "./${env:DIST_FILE_NAME}.exe"
+              #   WorkingDirectory = "."
+              #   NoNewWindow = $true
+              # }
+              # Start-Process @processOptions
+
               # Sign the executable
-              New-Item -ItemType directory -Path certificate
-              Set-Content -Path certificate\certificate.txt -Value $env:CODESIGN_BASE64
-              certutil -decode certificate\certificate.txt certificate\certificate.pfx
-              Set-Content -Path certificate\intermediate.txt -Value $env:CODESIGN_INTERMEDIATE_BASE64
-              certutil -decode certificate\intermediate.txt certificate\intermediate.crt
+              # 1st signing
+              $processOptions1 = @{
+                FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+                Wait = $true
+                ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha1", "/v", "./${env:DIST_FILE_NAME}.exe"
+                WorkingDirectory = "."
+                NoNewWindow = $true
+              }
+              Start-Process @processOptions1
 
-              $processOptions = @{
+              # 2nd signing
+              $processOptions2 = @{
                 FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
                 Wait = $true
-                ArgumentList = "sign", "/fd", "SHA256", "/p", "$env:CODESIGN_PWD", "/ac", "certificate\intermediate.crt", "/f", "certificate\certificate.pfx", "/tr", "http://timestamp.sectigo.com/rfc3161", "/td", "sha256", "./${env:DIST_FILE_NAME}.exe"
+                ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha256", "/v", "./${env:DIST_FILE_NAME}.exe"
                 WorkingDirectory = "."
                 NoNewWindow = $true
               }
-              Start-Process @processOptions
+              Start-Process @processOptions2
 
-              Remove-Item -Recurse -Force certificate
+              # Remove-Item -Recurse -Force certificate
 
               # # Create release binary
               # mkdir release-binaries-win
@@ -198,9 +219,10 @@ jobs:
           PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
           PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
           PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
-          CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
-          CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
-          CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
+          # CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
+          # CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
+          # CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
+          CODESIGN_WIN_THUMBPRINT: ${{ secrets.WIN_CODESIGN_THUMBPRINT}}
         run: |
           pwd
           ${{ matrix.build }}