create separate job for signing

davegarthsimpson · davegarthsimpson · commit e7ddc2dbc83c · 2024-06-27T07:33:22.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -272,13 +272,6 @@ jobs:
     env:
       # Location of artifacts generated by build.
       BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
-      IS_WINDOWS_CONFIG: ${{ matrix.config.name == 'Windows' }}
-      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
-      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
-      # Keep in mind that this path could change when upgrading to a new runner version
-      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x64/signtool.exe"
-      CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }}
-      CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }}
     strategy:
       matrix:
         config: ${{ fromJson(needs.select-targets.outputs.build-matrix) }}
@@ -380,19 +373,8 @@ jobs:
 
           yarn --cwd electron-app rebuild
           yarn --cwd electron-app build
-          yarn --cwd electron-app 
-          
-      - name: Save Windows signing certificate to file
-        if: ${{ matrix.config.name == 'Windows' }}
-        run: |
-          echo "${{ secrets[matrix.config.certificate-secret] }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
-
+          yarn --cwd electron-app
       
-      - name: Sign Windows EXE
-        if: ${{ matrix.config.name == 'Windows' }}
-        run: |
-          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.BUILD_ARTIFACTS_PATH }}/*."exe"
-          
       # Both macOS jobs generate a "channel update info file" with same path and name. The second job to complete would
       # overwrite the file generated by the first in the workflow artifact.
       - name: Stage channel file for merge
@@ -425,12 +407,61 @@ jobs:
         with:
           name: ${{ env.JOB_TRANSFER_ARTIFACT }}
           path: ${{ env.BUILD_ARTIFACTS_PATH }}
-          
+
+  sign-windows:
+    runs-on: [self-hosted, windows-sign-pc]
+    needs: build
+
+    defaults:
+      run:
+        shell: bash
+
+    env:
+      INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+      # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+      # Keep in mind that this path could change when upgrading to a new runner version
+      SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: Windows_X86-64_interactive_installer
+
+      - name: Save artifact path to variable
+        run: |
+          # Find the artifact ending with 'Windows_64bit.exe' in the specified download directory
+          ARTIFACT_PATH=$(find . -name "*Windows_64bit.exe")
+          echo "ARTIFACT_PATH=${ARTIFACT_PATH}" >> $GITHUB_ENV
+
+      - name: Save Win signing certificate to file
+        run: echo "${{ secrets[matrix.config.certificate-secret] }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
+
+      - name: Sign EXE
+        env:
+          CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }}
+          CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }}
+          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
+        run: |
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.ARTIFACT_PATH }}"
+      
+      # upload signed exe to artifacts overwriting existing
+      - name: Upload signed EXE
+        uses: actions/upload-artifact@v3
+        with:
+          name: Windows_X86-64_interactive_installer
+          path: ${{ env.ARTIFACT_PATH }}
+
+        # This step is needed because the self hosted runner does not delete files automatically
+      - name: Clean up EXE
+        run: rm ${{ env.ARTIFACT_PATH }}
+
   merge-channel-files:
     needs:
       - build-type-determination
       - select-targets
       - build
+      - sign-windows
     if: needs.select-targets.outputs.merge-channel-files == 'true'
     runs-on: ubuntu-latest
     permissions: {}
@@ -494,6 +525,7 @@ jobs:
     needs:
       - select-targets
       - build
+      - sign-windows
     if: always() && needs.build.result != 'skipped'
     runs-on: ubuntu-latest
 
@@ -518,6 +550,7 @@ jobs:
     needs:
       - build-type-determination
       - build
+      - sign-windows
     runs-on: ubuntu-latest
     outputs:
       BODY: ${{ steps.changelog.outputs.BODY }}
@@ -567,6 +600,7 @@ jobs:
       - build-type-determination
       - merge-channel-files
       - changelog
+      - sign-windows
     if: >
       always() &&
       needs.build-type-determination.result == 'success' &&
@@ -600,6 +634,7 @@ jobs:
       - build-type-determination
       - merge-channel-files
       - changelog
+      - sign-windows
     if: >
       always() &&
       needs.build-type-determination.result == 'success' &&
@@ -651,6 +686,7 @@ jobs:
       - publish
       - release
       - artifacts
+      - sign-windows
     if: always() && needs.build.result != 'skipped'
     runs-on: ubuntu-latest
 
