From d41305dd9a3a008933fd91ee7164e61bd31f5d2b Mon Sep 17 00:00:00 2001
From: Jean Ribeiro <contact@jeanribeiro.dev>
Date: Mon, 6 Nov 2023 19:54:31 -0300
Subject: [PATCH] WIP

---
 .github/workflows/build-and-release.yml     |  4 +-
 .github/workflows/build.yml                 |  2 +-
 .github/workflows/reusable_build.yml        | 50 +++++++++++++++++----
 .github/workflows/reusable_release.yml      |  2 +-
 packages/desktop/customSign.js              |  9 ++++
 packages/desktop/electron-builder-config.ts |  1 +
 6 files changed, 55 insertions(+), 13 deletions(-)
 create mode 100644 packages/desktop/customSign.js

diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index 7754577e7b..c6806ab4d8 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -54,13 +54,13 @@ jobs:
         needs: [setup]
         strategy:
             matrix:
-                os: [ubuntu-20.04, windows-2019, macos-11]
+                os: [ubuntu-20.04, windows-2022, macos-11]
             fail-fast: true
         with:
             os: ${{ matrix.os }}
             version: ${{ needs.setup.outputs.version }}
             stage: ${{ inputs.stage || needs.setup.outputs.stage }}
-            sign: ${{ matrix.os != 'windows-2019' }}
+            sign: ${{ matrix.os != 'windows-2022' }}
             upload: true
         secrets: inherit
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 268fd2a2c6..aa26e55cc8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,7 +10,7 @@ on:
         options:
           - macos-11
           - ubuntu-20.04
-          - windows-2019
+          - windows-2022
       stage:
         description: 'Stage'
         required: true
diff --git a/.github/workflows/reusable_build.yml b/.github/workflows/reusable_build.yml
index 5bbdff22b8..18dcbc9d74 100644
--- a/.github/workflows/reusable_build.yml
+++ b/.github/workflows/reusable_build.yml
@@ -51,15 +51,48 @@ jobs:
 
             - name: Install LLVM and Clang (Windows) # required for bindgen to work, see https://github.com/rust-lang/rust-bindgen/issues/1797
               uses: KyleMayes/install-llvm-action@32c4866ebb71e0949e8833eb49beeebed48532bd
-              if: inputs.os == 'windows-2019'
+              if: inputs.os == 'windows-2022'
               with:
                   version: '11.0'
                   directory: ${{ runner.temp }}/llvm
 
             - name: Set LIBCLANG_PATH (Windows)
               run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV
-              if: inputs.os == 'windows-2019'
+              if: inputs.os == 'windows-2022'
 
+            - name: Set up certificate (Windows)
+              if: ${{ inputs.sign && inputs.os == 'windows-2022' }}
+              run: |
+                echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+              shell: bash 
+
+            - name: Set variables for signing (Windows)
+              if: ${{ inputs.sign && inputs.os == 'windows-2022' }}
+              run: |
+                echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+                echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+                echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+                echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+                echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+                echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+                echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
+              shell: bash
+
+            - name: Install DigiCert KeyLocker KSP (Windows)
+              if: ${{ inputs.sign && inputs.os == 'windows-2022' }}
+              run: |
+                curl -X GET  "https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download" -H "x-api-key:${{ secrets.SM_API_KEY }}" -o Keylockertools-windows-x64.msi
+                msiexec /i Keylockertools-windows-x64.msi /quiet /qn
+                smksp_registrar.exe list
+                smctl.exe keypair ls
+                C:\\Windows\\System32\\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+              shell: cmd
+
+            - name: Sync Certificates with KeyLocker KSP (Windows)
+              if: ${{ inputs.sign && inputs.os == 'windows-2022' }}
+              run: smctl windows certsync
+              shell: cmd
+            
             - name: Set deployment target (MacOS)
               run: echo "MACOSX_DEPLOYMENT_TARGET=10.14" >> $GITHUB_ENV # TODO: set this to 10.12 once rocksDB issue is fixed
               if: inputs.os == 'macos-11'
@@ -78,11 +111,11 @@ jobs:
 
             - name: Enable verbose output for electron-builder (macOS/Linux)
               run: echo "DEBUG=electron-builder" >> $GITHUB_ENV
-              if: inputs.os != 'windows-2019'
+              if: inputs.os != 'windows-2022'
 
             - name: Enable verbose output for electron-builder (Windows)
               run: echo "DEBUG=electron-builder" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-              if: inputs.os == 'windows-2019'
+              if: inputs.os == 'windows-2022'
 
             - name: Set up .npmrc file to use GitHub Packages
               run: |
@@ -130,12 +163,11 @@ jobs:
             - name: Build signed Electron app (Windows)
               run: yarn compile:${env:STAGE}:win
               env:
-                  CSC_LINK: ${{ secrets.WIN_CERT_BASE64 }}
-                  CSC_KEY_PASSWORD: ${{ secrets.WIN_CERT_PASSWORD }}
+                  CERTIFICATE_FINGERPRINT: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
                   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   PRIVATE_REPO_ACCESS_TOKEN: ${{ vars.PRIVATE_REPO_ACCESS_TOKEN }} # TODO: Remove following lines after we're open source
               working-directory: packages/desktop
-              if: ${{ inputs.sign && inputs.os == 'windows-2019' }}
+              if: ${{ inputs.sign && inputs.os == 'windows-2022' }}
 
             - name: Build unsigned Electron app (Windows)
               run: yarn compile:${env:STAGE}:win
@@ -143,7 +175,7 @@ jobs:
                   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   PRIVATE_REPO_ACCESS_TOKEN: ${{ vars.PRIVATE_REPO_ACCESS_TOKEN }} # TODO: Remove following lines after we're open source
               working-directory: packages/desktop
-              if: ${{ ! inputs.sign && inputs.os == 'windows-2019' }}
+              if: ${{ ! inputs.sign && inputs.os == 'windows-2022' }}
 
             - name: Build Electron app (Linux)
               run: yarn compile:${STAGE}:linux
@@ -181,7 +213,7 @@ jobs:
             - name: Compute checksums (Windows)
               run: Get-ChildItem "." -Filter bloom-desktop-* | Foreach-Object { $(Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash | Set-Content ($_.FullName + '.sha256') }
               working-directory: packages/desktop/out
-              if: inputs.os == 'windows-2019'
+              if: inputs.os == 'windows-2022'
 
             - name: Upload artifacts
               if: inputs.upload
diff --git a/.github/workflows/reusable_release.yml b/.github/workflows/reusable_release.yml
index b3ad104afa..99fd768ca8 100644
--- a/.github/workflows/reusable_release.yml
+++ b/.github/workflows/reusable_release.yml
@@ -31,7 +31,7 @@ jobs:
             - name: Downloading artifacts
               uses: actions/download-artifact@v2
               with:
-                  name: bloom-desktop-windows-2019
+                  name: bloom-desktop-windows-2022
                   path: assets
 
             - name: Downloading artifacts
diff --git a/packages/desktop/customSign.js b/packages/desktop/customSign.js
new file mode 100644
index 0000000000..5e9691bba0
--- /dev/null
+++ b/packages/desktop/customSign.js
@@ -0,0 +1,9 @@
+'use strict'
+
+exports.default = async function (configuration) {
+    if (configuration.path) {
+        require('child_process').execSync(
+            `smctl sign --fingerprint=${process.env.CERTIFICATE_FINGERPRINT} --input "${String(configuration.path)}"`
+        )
+    }
+}
diff --git a/packages/desktop/electron-builder-config.ts b/packages/desktop/electron-builder-config.ts
index 7d359b0722..06befe7e5e 100644
--- a/packages/desktop/electron-builder-config.ts
+++ b/packages/desktop/electron-builder-config.ts
@@ -103,6 +103,7 @@ const prodConfig: Configuration = {
         target: 'nsis',
         timeStampServer: 'http://timestamp.sectigo.com',
         rfc3161TimeStampServer: 'http://timestamp.sectigo.com',
+        sign: './customSign.js',
     },
     linux: {
         target: ['AppImage'],