use eToken for signing, create a dedicated step for signing

umbynos · umbynos · commit 17c73d96256f · 2024-05-10T18:14:01.000+02:00
diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml
@@ -38,7 +38,7 @@ jobs:
             certificate-secret: INSTALLER_CERT_MAC_P12  # Name of the secret that contains the certificate.
             password-secret: INSTALLER_CERT_MAC_PASSWORD  # Name of the secret that contains the certificate password.
           - identifier: Windows signing certificate
-            certificate-secret: INSTALLER_CERT_WINDOWS_PFX
+            certificate-secret: INSTALLER_CERT_WINDOWS_CER
             password-secret: INSTALLER_CERT_WINDOWS_PASSWORD
 
     steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,7 +45,7 @@ jobs:
       run:
         shell: bash
 
-# by default disable CGO, it's not needed (except on macos)
+    # by default disable CGO, it's not needed (except on macos)
     env:
       CGO_ENABLED: 0
 
@@ -371,9 +371,6 @@ jobs:
       # vars used by installbuilder
       INSTALLBUILDER_PATH: "/opt/installbuilder-23.11.0/bin/builder"
       INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Create_Agent"
-      # installbuilder will read this vars automatically (defined in installer.xml):
-      INSTALLER_CERT_WINDOWS_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
-      INSTALLER_CERT_WINDOWS_PFX: "/tmp/ArduinoCerts2020.pfx"
 
     strategy:
       fail-fast: false # if one os is failing continue nonetheless
@@ -424,11 +421,6 @@ jobs:
       - name: Save InstallBuilder license to file
         run: echo "${{ secrets.INSTALLER_LICENSE }}" > /tmp/license.xml
 
-      - name: Save Win signing certificate to file
-        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_PFX}}
-        if: matrix.os == 'windows-2019'
-
-        # installbuilder reads the env vars with certs paths and use it to sign the installer.
       - name: Launch Bitrock installbuilder
         run: ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.installbuilder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} architecture=${{ matrix.arch }}
 
@@ -443,6 +435,49 @@ jobs:
           path: ArduinoCreateAgent*
           if-no-files-found: error
 
+  # This job will sign the Windows installer
+  sign-windows:
+    runs-on: windows-sign-pc
+    needs: package
+
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+      # Keep in mind that this path could change when upgrading to a new runner version
+      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+    
+    strategy:
+      matrix:
+        arch: [amd64, 386]
+    
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: ArduinoCreateAgent-windows-${{ matrix.arch }}
+      
+      - name: Save Win signing certificate to file
+        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}}
+
+      - name: Sign EXE
+        env:
+          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
+        run: | 
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino Create Agent" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "ArduinoCreateAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          if-no-files-found: error
+          name: ArduinoCreateAgent-windows-${{ matrix.arch }}-signed
+          path: ArduinoCreateAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe
+
   # This job will generate a dmg mac installer, sign/notarize it.
   generate-sign-dmg:
     needs: notarize-macos
@@ -544,7 +579,7 @@ jobs:
   create-release:
     runs-on: ubuntu-20.04
     environment: production
-    needs: [build, package, generate-sign-dmg]
+    needs: [build, generate-sign-dmg, sign-windows]
 
     steps:
       - name: Checkout
@@ -563,7 +598,7 @@ jobs:
           mv -v ArduinoCreateAgent-linux-amd64/* release/
           cat ArduinoCreateAgent-osx-amd64/*.tar | tar -xvf - -i -C release/
           rm -v release/._ArduinoCreateAgent*.dmg
-          mv -v ArduinoCreateAgent-windows*/* release/
+          mv -v ArduinoCreateAgent-windows*-signed/* release/
 
       - name: VirusTotal Scan
         id: virustotal_step
