From 4876e9e98322c1675c340a131831389277241bec Mon Sep 17 00:00:00 2001
From: Vadim Peretokin
Date: Sat, 7 Dec 2024 14:03:30 +0100
Subject: [PATCH] Infrastructure: Sign windows builds using Azure Trusted Signing (#7544) #### Brief overview of PR changes/additions Sign windows builds using Azure Trusted Signing, replacing the .p12 certificate used previously - according to the new industry practices. #### Motivation for adding to Mudlet Secure deployment of Mudlet on Windows #### Other info (issues closed, discussion etc) --------- Co-authored-by: Vadim Peretokin
---
 .github/workflows/build-mudlet-win.yml | 16 ++++++++++++- CI/deploy-mudlet-for-windows.sh | 32 +++++++++++++++++++++++++- 2 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-mudlet-win.yml b/.github/workflows/build-mudlet-win.yml
index 4e41b40dc53..7f3fe548ee2 100644
--- a/.github/workflows/build-mudlet-win.yml
+++ b/.github/workflows/build-mudlet-win.yml
@@ -77,6 +77,20 @@ jobs:
 shell: msys2 {0}
 run: $GITHUB_WORKSPACE/CI/package-mudlet-for-windows.sh
+ - name: (Windows) Login to Azure
+ uses: azure/login@v2
+ if: github.repository == 'Mudlet/Mudlet'
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ - name: Get Azure access token for code signing
+ shell: pwsh
+ if: github.repository == 'Mudlet/Mudlet'
+ run: |
+ $token = (az account get-access-token --resource https://codesigning.azure.net | ConvertFrom-Json).accessToken
+ "::add-mask::$token"
+ "AZURE_ACCESS_TOKEN=$token" | Add-Content -Path $env:GITHUB_ENV
+
 - name: (Windows) Deploy
 shell: msys2 {0}
 env: 
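Review bot: `$token` is written to GITHUB_ENV without any check that `az account get-access-token` actually returned one: if the `az` call fails, `ConvertFrom-Json` emits nothing, `$token` is `$null`, `::add-mask::` masks an empty string and an empty `AZURE_ACCESS_TOKEN=` is exported, so the failure surfaces much later inside the deploy script — whether the step itself fails first depends on the pwsh wrapper's exit-code handling, which this hunk does not show. A guard between the first two lines keeps the failure local: `if ([string]::IsNullOrEmpty($token)) { throw 'az account get-access-token returned no token' }`. Separately, `creds: ${{ secrets.AZURE_CREDENTIALS }}` keeps a long-lived service-principal secret in the repository; `azure/login@v2` also supports OIDC federation via `client-id`/`tenant-id`/`subscription-id` with `permissions: id-token: write`, which leaves no reusable credential to leak from the runner or logs. The enclosing job definition starts outside the hunk.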
@@ -85,7 +99,7 @@ jobs:
 DEPLOY_KEY_PASS: ${{secrets.DEPLOY_KEY_PASS}}
 DEPLOY_SSH_KEY: ${{secrets.DEPLOY_SSH_KEY}}
 DEPLOY_PATH: ${{secrets.DEPLOY_PATH}}
- WIN_SIGNING_PASS: ${{secrets.WIN_SIGNING_PASS}}
+ AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}
 GITHUB_REPO_NAME: ${{ github.repository }}
 GITHUB_REPO_TAG: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
 GITHUB_SCHEDULED_BUILD: ${{ github.event_name == 'schedule' || github.event.inputs.scheduled == 'true' }}
diff --git a/CI/deploy-mudlet-for-windows.sh b/CI/deploy-mudlet-for-windows.sh
index f17a22cd41e..435ae4de51f 100644
--- a/CI/deploy-mudlet-for-windows.sh
+++ b/CI/deploy-mudlet-for-windows.sh
@@ -173,6 +173,7 @@ else
 echo "=== Creating a public test build ==="
 # Squirrel uses Start menu name from the binary, renaming it
 mv "$PACKAGE_DIR/mudlet.exe" "$PACKAGE_DIR/Mudlet PTB.exe"
+ echo "moved mudlet.exe to $PACKAGE_DIR/Mudlet PTB.exe"
 # ensure sha part always starts with a character due to a known issue
 VersionAndSha="${VERSION}-ptb-${BUILD_COMMIT}" 
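Review bot: `AZURE_ACCESS_TOKEN: ${{ env.AZURE_ACCESS_TOKEN }}` re-exports a variable that GITHUB_ENV already places in this step's environment, so the mapping is redundant; it is harmless, but it hides that the value can be empty. The two steps that produce the token are guarded with `if: github.repository == 'Mudlet/Mudlet'` while this Deploy step is not, so on forks the variable expands to an empty string and the script's jsign calls run with an empty `--storepass`; unless the script bails out earlier for forks, which this hunk does not show, either add the same guard here or have the script skip signing when the variable is unset. The step definition starts outside the hunk.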
@@ -186,6 +187,26 @@ else
 git clone https://github.com/Mudlet/installers.git "$GITHUB_WORKSPACE/installers"
 cd "$GITHUB_WORKSPACE/installers/windows" || exit 1
+ echo "=== Setting up Java 21 for signing ==="
+ export JAVA_HOME="$(cygpath -u $JAVA_HOME_21_X64)"
+ export PATH="$JAVA_HOME/bin:$PATH"
+
+ echo "=== Signing Mudlet and dll files ==="
+ if [[ "$PublicTestBuild" == "true" ]]; then
+ java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+ --keystore eus.codesigning.azure.net \
+ --storepass ${AZURE_ACCESS_TOKEN} \
+ --alias Mudlet/Mudlet \
+ "$PACKAGE_DIR/Mudlet PTB.exe" "$PACKAGE_DIR/**/*.dll"
+
+ else
+ java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+ --keystore eus.codesigning.azure.net \
+ --storepass ${AZURE_ACCESS_TOKEN} \
+ --alias Mudlet/Mudlet \
+ "$PACKAGE_DIR/Mudlet.exe" "$PACKAGE_DIR/**/*.dll"
+ fi
+
 echo "=== Installing Squirrel for Windows ==="
 nuget install squirrel.windows -ExcludeVersion
@@ -224,7 +245,7 @@ else
 # Create NuGet package
 nuget pack "$NuSpec" -Version "$VersionAndSha" -BasePath "$SQUIRRELWIN" -OutputDirectory "$SQUIRRELWIN"
- echo "=== Creating installers from Nuget package ==="
+ echo "=== Preparing to create installer ==="
 if [[ "$PublicTestBuild" == "true" ]]; then
 TestBuildString="-PublicTestBuild"
 InstallerIconFile="$GITHUB_WORKSPACE/src/icons/mudlet_ptb.ico"
@@ -245,6 +266,7 @@ else
 fi
 # Execute Squirrel to create the installer
+ echo "=== Creating installers from Nuget package ==="
 ./squirrel.windows/tools/Squirrel --releasify "$nupkg_path" \
 --releaseDir "$GITHUB_WORKSPACE/squirreloutput" \
 --loadingGif "$GITHUB_WORKSPACE/installers/windows/splash-installing-2x.png" \
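Review bot: `--storepass ${AZURE_ACCESS_TOKEN}` places the signing token on the java.exe command line, where it is readable from the runner's process list and would be echoed by any `set -x` trace; the installer hunk at line 280 repeats the same form. jsign accepts `--storepass env:AZURE_ACCESS_TOKEN`, which reads the value from the environment instead, and once the password argument is constant the two branches and the later installer call differ only in the file list, so they collapse into one small helper, shown below. Trusted Signing certificates are short-lived, so the timestamp countersignature is what keeps these signatures valid after the certificate expires; no `--tsaurl` is passed, so confirm this jsign build timestamps by default or give one explicitly. The tool itself is a `jsign-7.0-SNAPSHOT.jar` taken from the unpinned default-branch clone of `Mudlet/installers` a few lines above, so neither a commit nor a checksum pins the binary that produces release signatures; pin the clone or verify the jar's hash before running it. The enclosing else branch starts and ends outside the hunk.

```shell
echo "=== Signing Mudlet and dll files ==="
# Sign every argument with Azure Trusted Signing; jsign reads the token from
# the environment, so it never appears in the process argument list.
sign_files() {
  java.exe -jar "$GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar" --storetype TRUSTEDSIGNING \
    --keystore eus.codesigning.azure.net \
    --storepass env:AZURE_ACCESS_TOKEN \
    --alias Mudlet/Mudlet \
    "$@"
}
if [[ "$PublicTestBuild" == "true" ]]; then
  sign_files "$PACKAGE_DIR/Mudlet PTB.exe" "$PACKAGE_DIR/**/*.dll"
else
  sign_files "$PACKAGE_DIR/Mudlet.exe" "$PACKAGE_DIR/**/*.dll"
fi
# … unchanged: Squirrel install and packaging …
```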
@@ -258,6 +280,14 @@ else
 installerExePath="${PACKAGE_DIR}/Mudlet-$VERSION$MUDLET_VERSION_BUILD-$BUILD_COMMIT-windows-$BUILD_BITNESS.exe"
 mv "$GITHUB_WORKSPACE/squirreloutput/Setup.exe" "${installerExePath}"
+ # Sign the final installer
+ echo "=== Signing installer ==="
+ java.exe -jar $GITHUB_WORKSPACE/installers/windows/jsign-7.0-SNAPSHOT.jar --storetype TRUSTEDSIGNING \
+ --keystore eus.codesigning.azure.net \
+ --storepass ${AZURE_ACCESS_TOKEN} \
+ --alias Mudlet/Mudlet \
+ "$installerExePath"
+
 # Check if the setup executable exists
 if [[ ! -f "$installerExePath" ]]; then
 echo "=== ERROR: Squirrel failed to generate the installer! Build aborted. Squirrel log is:"
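Review bot: The installer is signed before the `if [[ ! -f "$installerExePath" ]]` check that follows it, so when Squirrel produced nothing the build now fails inside jsign on a missing file instead of reaching the diagnostic that prints the Squirrel log; move the `=== Signing installer ===` block below that check's `fi`. The `cd ... || exit 1` pattern earlier in the script suggests it does not run under `set -e`, in which case a non-zero exit from jsign here is ignored and an unsigned installer proceeds to deployment — terminate the call with `|| exit 1`, or verify the signature afterwards, so a signing failure stops the build. The enclosing else branch continues outside the hunk.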