attempt sign of all windows files

Author: davegarthsimpson

.github/workflows/build.yml

@@ -75,12 +75,16 @@ env:
       artifacts:
         - path: '*Windows_64bit.exe'
           name: Windows_X86-64_interactive_installer
-        - path: '*Windows_64bit_signed.exe'
-          name: Windows_X86-64_interactive_installer_signed
+        - path: '*Windows_64bit_unsigned.exe'
+          name: Windows_X86-64_interactive_installer_unsigned
         - path: '*Windows_64bit.msi'
           name: Windows_X86-64_MSI
+        - path: '*Windows_64bit_unsigned.msi'
+          name: Windows_X86-64_MSI_unsigned
         - path: '*Windows_64bit.zip'
           name: Windows_X86-64_zip
+        - path: '*Windows_64bit_unsigned.zip'
+          name: Windows_X86-64_zip_unsigned
     - config:
         name: Linux
         runs-on: ubuntu-latest
@@ -433,38 +437,59 @@ jobs:
           name: ${{ env.JOB_TRANSFER_ARTIFACT }}
           path: ${{ env.BUILD_ARTIFACTS_PATH }}
 
-      - name: Save artifact path to variable
+      - name: Find and process artifacts
         shell: bash
         run: |
-          ARTIFACT=$(find "${{ env.BUILD_ARTIFACTS_PATH }}" -name "*Windows_64bit.exe" | head -n 1)
-          # Convert to Windows-style path with forward slashes
-          FULL_PATH=$(cygpath -w $ARTIFACT | sed 's|\\|/|g')
-          echo "ARTIFACT_PATH=$FULL_PATH" >> $GITHUB_ENV
+          shopt -s nullglob
+          for ARTIFACT in "${{ env.BUILD_ARTIFACTS_PATH }}"/*_unsigned.{exe,zip,msi}; do
+            echo "Processing $ARTIFACT"
+            FILENAME=$(basename "$ARTIFACT")
+            BASE_NAME="${FILENAME%.*}"
+            EXTENSION="${FILENAME##*.}"
+            # Remove '_unsigned' from the base name
+            SIGNED_BASE_NAME="${BASE_NAME%_unsigned}"
+            
+            # Sign and rename EXE and MSI files
+            if [[ "$EXTENSION" == "exe" || "$EXTENSION" == "msi" ]]; then
+              echo "Signing $ARTIFACT"
+              "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "$ARTIFACT"
+              SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${SIGNED_BASE_NAME}.${EXTENSION}"
+              mv "$ARTIFACT" "$SIGNED_ARTIFACT_PATH"
+              echo "Renamed $ARTIFACT to $SIGNED_ARTIFACT_PATH"
+            fi
+            
+            # Unzip, Sign, and Rezip ZIP file without '_unsigned' in the name
+            if [[ "$EXTENSION" == "zip" ]]; then
+              TEMP_DIR=$(mktemp -d)
+              unzip "$ARTIFACT" -d "$TEMP_DIR"
+              find "$TEMP_DIR" -type f -name '*.exe' -exec "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v {} \;
+              SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${SIGNED_BASE_NAME}.${EXTENSION}"
+              pushd "$TEMP_DIR"
+              zip -r "$SIGNED_ARTIFACT_PATH" .
+              popd
+              rm -rf "$TEMP_DIR"
+              echo "Processed and re-zipped $ARTIFACT"
+            fi
+          done
 
-      - name: Save Win signing certificate to file
-        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
+      - name: Upload signed EXE
+        uses: actions/upload-artifact@v3
+        with:
+          name: Windows_X86-64_interactive_installer
+          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.exe
 
-      - name: Sign EXE
-        env:
-          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
-          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
-          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
-        run: |
-          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.ARTIFACT_PATH }}
-      
-      - name: Rename signed EXE
-        shell: bash
-        run: |
-          BASE_NAME=$(echo "${{ env.ARTIFACT_PATH }}" | sed 's/.exe$//')
-          SIGNED_EXE_PATH="${BASE_NAME}_signed.exe"
-          mv "${{ env.ARTIFACT_PATH }}" "$SIGNED_EXE_PATH"
-          echo "SIGNED_ARTIFACT_PATH=$SIGNED_EXE_PATH" >> $GITHUB_ENV
-  
-      - name: Upload artifacts with signed EXE
+      - name: Upload signed MSI
         uses: actions/upload-artifact@v3
         with:
-          name: Windows_X86-64_interactive_installer_signed
-          path: ${{ env.SIGNED_ARTIFACT_PATH }}
+          name: Windows_X86-64_MSI
+          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.msi
+
+
+      - name: Upload signed ZIP
+        uses: actions/upload-artifact@v3
+        with:
+          name: Windows_X86-64_zip
+          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.zip
 
         # This step is needed because the self hosted runner does not delete files automatically
       - name: Clean up artifacts

electron-app/scripts/package.js

@@ -100,7 +100,7 @@ async function getArtifactName(version) {
   switch (platform) {
     case 'win32': {
       if (arch === 'x64') {
-        return `${name}_${version}_Windows_64bit.\$\{ext}`;
+        return `${name}_${version}_Windows_64bit_unsigned.\$\{ext}`;
       }
       throw new Error(`Unsupported platform, arch: ${platform}, ${arch}`);
     }