Add SignPath signing to the Actions workflow

For Windows, provided by SignPath.io and with a certificate from the SignPath Foundation. Only Windows client builds for stable and beta releases are signed this way. The continuous development release, server and command-line tools are not, since we really don't need it for those. A link to the code signing policy is automatically prepended to the relevant release notes in the GitHub releases pages, but at the time of writing the link still 404s because it's not yet merged and deployed to the website.
drawpile · Oct 18, 2024 · 12885af · 12885af
1 parent 72c0a51
commit 12885af
Showing 1 changed file with 58 additions and 2 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -52,6 +52,7 @@ jobs:
             build_flags: -DINITSYS=systemd -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             # This causes the AppImage to be generated, instead of just creating
             # the portable tree, because there seems to be no way to separate
             # these steps with linuxdeploy
@@ -100,6 +101,7 @@ jobs:
             sccache_triplet: x86_64-unknown-linux-musl
             build_type: Release
             collect_symbols: false
+            signpath: false
             packager: cmake --install build --config Release --prefix .
             cross_qt_args: >-
               "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
@@ -165,6 +167,7 @@ jobs:
             sccache_triplet: x86_64-unknown-linux-musl
             build_type: Release
             collect_symbols: false
+            signpath: false
             packager: cmake --install build --config Release --prefix .
             cross_qt_args: >-
               "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
@@ -230,6 +233,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             sccache_triplet: x86_64-apple-darwin
             packager: cpack --verbose --config build/CPackConfig.cmake -C Release
 
@@ -241,6 +245,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=arm64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             sccache_triplet: aarch64-apple-darwin
             packager: cpack --verbose --config build/CPackConfig.cmake -C Release
 
@@ -253,6 +258,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: true
+            signpath: true
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -277,6 +283,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: false
+            signpath: false
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -299,6 +306,7 @@ jobs:
             build_flags: -DCARGO_TRIPLE=i686-pc-windows-msvc -DBUILD_PACKAGE_SUFFIX=x86 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: false
+            signpath: true
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -478,7 +486,7 @@ jobs:
           }
         env:
           WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
-        if: runner.os == 'Windows'
+        if: runner.os == 'Windows' && matrix.packager && (!startsWith(github.ref, 'refs/tags/') || !matrix.signpath)
 
       - name: Generate project
         run: >
@@ -547,6 +555,51 @@ jobs:
           WINDOWS_PFX_TIMESTAMP_URL: 'http://timestamp.digicert.com'
         if: matrix.packager
 
+      - name: Upload artifacts for SignPath to sign
+        uses: actions/upload-artifact@v4
+        id: signpath-upload
+        with:
+          name: SignPath${{ matrix.component && format('-{0}', matrix.component) }}-${{ matrix.cross_os || runner.os }}-${{ matrix.arch }}-Qt${{ matrix.qt }}
+          path: |
+            Drawpile-*.msi
+            Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned artifacts
+        id: signpath-delete-unsigned
+        shell: bash
+        run: rm -vf Drawpile-*.msi Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Submit artifacts to SignPath to sign
+        uses: signpath/github-action-submit-signing-request@v1
+        id: signpath-sign
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'Drawpile'
+          signing-policy-slug: 'release-signing'
+          artifact-configuration-slug: 'client'
+          github-artifact-id: '${{ steps.signpath-upload.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: '.'
+          parameters: |
+            Version: "${{ github.ref_name }}"
+            Release_Tag: "${{ github.ref_name }}"
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned executable uploaded for SignPath after signing
+        uses: actions/github-script@v7
+        id: signpath-exe-delete
+        with:
+          script: |
+            github.rest.actions.deleteArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: ${{ steps.signpath-upload.outputs.artifact-id }}
+            });
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
       - name: Bundle PDBs
         run: >
           cmake "-DEXE_SEARCH_PATHS=build"
@@ -613,7 +666,10 @@ jobs:
 
       - name: Collect release notes
         if: startsWith(github.ref, 'refs/tags/')
-        run: awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' > release-description
+        run: |
+          echo '**Code signing policy:** <https://drawpile.net/codesigningpolicy/>' > release-description
+          echo >> release-description
+          awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' >> release-description
 
       - name: Write continuous release description
         if: "!startsWith(github.ref, 'refs/tags/')"