Infrastructure: Sign windows builds using Azure Trusted Signing (Mudl…

…et#7544)  #### Brief overview of PR changes/additions Sign windows builds using Azure Trusted Signing, replacing the .p12 certificate used previously - according to the new industry practices. #### Motivation for adding to Mudlet Secure deployment of Mudlet on Windows #### Other info (issues closed, discussion etc) --------- Co-authored-by: Vadim Peretokin <[email protected]>
SlySven · Dec 7, 2024 · 4876e9e · 4876e9e
1 parent 21f4189
commit 4876e9e
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/.github/workflows/build-mudlet-win.yml b/.github/workflows/build-mudlet-win.yml
@@ -77,6 +77,20 @@ jobs:
       shell: msys2 {0}
       run: $GITHUB_WORKSPACE/CI/package-mudlet-for-windows.sh
 
+    - name: (Windows) Login to Azure
+      uses: azure/login@v2
+      if: github.repository == 'Mudlet/Mudlet'
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+    - name: Get Azure access token for code signing
+      shell: pwsh
+      if: github.repository == 'Mudlet/Mudlet'
+      run: |
+        $token = (az account get-access-token --resource https://codesigning.azure.net | ConvertFrom-Json).accessToken
+        "::add-mask::$token"
+        "AZURE_ACCESS_TOKEN=$token" | Add-Content -Path $env:GITHUB_ENV
+
     - name: (Windows) Deploy
       shell: msys2 {0}
       env:
@@ -85,7 +99,7 @@ jobs:
         DEPLOY_KEY_PASS: ${{secrets.DEPLOY_KEY_PASS}}
         DEPLOY_SSH_KEY: ${{secrets.DEPLOY_SSH_KEY}}
         DEPLOY_PATH: ${{secrets.DEPLOY_PATH}}
-        WIN_SIGNING_PASS: ${{secrets.WIN_SIGNING_PASS}}
+        AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
         GITHUB_REPO_NAME: ${{ github.repository }}
         GITHUB_REPO_TAG: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
         GITHUB_SCHEDULED_BUILD: ${{ github.event_name == 'schedule' || github.event.inputs.scheduled == 'true' }}

diff --git a/CI/deploy-mudlet-for-windows.sh b/CI/deploy-mudlet-for-windows.sh
@@ -173,6 +173,7 @@ else
     echo "=== Creating a public test build ==="
     # Squirrel uses Start menu name from the binary, renaming it
     mv "$PACKAGE_DIR/mudlet.exe" "$PACKAGE_DIR/Mudlet PTB.exe"
+    echo "moved mudlet.exe to $PACKAGE_DIR/Mudlet PTB.exe"
     # ensure sha part always starts with a character due to a known issue
     VersionAndSha="${VERSION}-ptb-${BUILD_COMMIT}"
 
@@ -186,6 +187,26 @@ else
   git clone https://github.com/Mudlet/installers.git "$GITHUB_WORKSPACE/installers"
   cd "$GITHUB_WORKSPACE/installers/windows" || exit 1
 
+  echo "=== Setting up Java 21 for signing ==="
+  export JAVA_HOME="$(cygpath -u $JAVA_HOME_21_X64)"
+  export PATH="$JAVA_HOME/bin:$PATH"
+
+  echo "=== Signing Mudlet and dll files ==="
+  if [[ "$PublicTestBuild" == "true" ]]; then
+    java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+        --keystore eus.codesigning.azure.net \
+        --storepass ${AZURE_ACCESS_TOKEN} \
+        --alias Mudlet/Mudlet \
+        "$PACKAGE_DIR/Mudlet PTB.exe" "$PACKAGE_DIR/**/*.dll"
+
+  else
+    java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+      --keystore eus.codesigning.azure.net \
+      --storepass ${AZURE_ACCESS_TOKEN} \
+      --alias Mudlet/Mudlet \
+      "$PACKAGE_DIR/Mudlet.exe" "$PACKAGE_DIR/**/*.dll"
+  fi
+
   echo "=== Installing Squirrel for Windows ==="
   nuget install squirrel.windows -ExcludeVersion
 
@@ -224,7 +245,7 @@ else
   # Create NuGet package
   nuget pack "$NuSpec" -Version "$VersionAndSha" -BasePath "$SQUIRRELWIN" -OutputDirectory "$SQUIRRELWIN"
 
-  echo "=== Creating installers from Nuget package ==="
+  echo "=== Preparing to create installer ==="
   if [[ "$PublicTestBuild" == "true" ]]; then
     TestBuildString="-PublicTestBuild"
     InstallerIconFile="$GITHUB_WORKSPACE/src/icons/mudlet_ptb.ico"
@@ -245,6 +266,7 @@ else
   fi
 
   # Execute Squirrel to create the installer
+  echo "=== Creating installers from Nuget package ==="
   ./squirrel.windows/tools/Squirrel --releasify "$nupkg_path" \
     --releaseDir "$GITHUB_WORKSPACE/squirreloutput" \
     --loadingGif "$GITHUB_WORKSPACE/installers/windows/splash-installing-2x.png" \
@@ -258,6 +280,14 @@ else
   installerExePath="${PACKAGE_DIR}/Mudlet-$VERSION$MUDLET_VERSION_BUILD-$BUILD_COMMIT-windows-$BUILD_BITNESS.exe"
   mv "$GITHUB_WORKSPACE/squirreloutput/Setup.exe" "${installerExePath}"
 
+  # Sign the final installer
+  echo "=== Signing installer ==="
+  java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+      --keystore eus.codesigning.azure.net \
+      --storepass ${AZURE_ACCESS_TOKEN} \
+      --alias Mudlet/Mudlet \
+      "$installerExePath"
+
   # Check if the setup executable exists
   if [[ ! -f "$installerExePath" ]]; then
     echo "=== ERROR: Squirrel failed to generate the installer! Build aborted. Squirrel log is:"