use container for signing

davegarthsimpson · davegarthsimpson · commit 1fc326eaa2e7 · 2024-06-26T10:44:41.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -66,6 +66,8 @@ env:
         certificate-password-secret: INSTALLER_CERT_WINDOWS_PASSWORD
         # File extension for the certificate.
         certificate-extension: pfx
+        # Container for windows cert signing
+        certificate-container: INSTALLER_CERT_WINDOWS_CONTAINER
         # Quoting on the value is required here to allow the same comparison expression syntax to be used for this
         # and the companion needs.select-targets.outputs.merge-channel-files property (output values always have string
         # type).
@@ -270,6 +272,13 @@ jobs:
     env:
       # Location of artifacts generated by build.
       BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
+      IS_WINDOWS_CONFIG: ${{ matrix.config.name == 'Windows' }}
+      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+      # Keep in mind that this path could change when upgrading to a new runner version
+      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+      CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }}
+      CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }}
     strategy:
       matrix:
         config: ${{ fromJson(needs.select-targets.outputs.build-matrix) }}
@@ -352,7 +361,7 @@ jobs:
           CREATE_CLIENT_SECRET: ${{ secrets.CREATE_CLIENT_SECRET }}
         run: |
           # See: https://www.electron.build/code-signing
-          if [ $CAN_SIGN = false ]; then
+          if [ $CAN_SIGN = false ] || [ $IS_WINDOWS_CONFIG = true ]; then
             echo "Skipping the app signing: certificate not provided."
           else
             export CSC_LINK="${{ runner.temp }}/signing_certificate.${{ matrix.config.certificate-extension }}"
@@ -371,8 +380,19 @@ jobs:
 
           yarn --cwd electron-app rebuild
           yarn --cwd electron-app build
-          yarn --cwd electron-app package
+          yarn --cwd electron-app 
+          
+      - name: Save Windows signing certificate to file
+        if: ${{ matrix.config.name == 'Windows' }}
+        run: |
+          echo "${{ secrets[matrix.config.certificate-secret] }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
 
+      
+      - name: Sign Windows EXE
+        if: ${{ matrix.config.name == 'Windows' }}
+        run: |
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.BUILD_ARTIFACTS_PATH }}/*."exe"
+          
       # Both macOS jobs generate a "channel update info file" with same path and name. The second job to complete would
       # overwrite the file generated by the first in the workflow artifact.
       - name: Stage channel file for merge
