core: windows signing with esigner (#352)

.github/workflows/publish.yml

@@ -51,26 +51,37 @@ jobs:
       - run: yarn compile
 
       - run: yarn build --mac --publish always
+        if: runner.os == 'macOS'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CSC_LINK: ${{ secrets.OSX_CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.OSX_CSC_KEY_PASSWORD }}
           OSX_NOTARIZE: "TRUE"
           OSX_APPLE_ID: ${{ secrets.OSX_APPLE_ID }}
           OSX_APPLE_ID_PASSWORD: ${{ secrets.OSX_APPLE_ID_PASSWORD }}
-        if: runner.os == 'macOS'
+
+      # download 'SSLcom/esigner-codesign' to a folder called 'esigner-codesign' in the root of the project
+      - name: Checkout esigner-codesign repository (Windows)
+        if: runner.os == 'windows'
+        uses: actions/checkout@v3
+        with:
+          repository: 'SSLcom/esigner-codesign'
+          path: esigner-codesign
 
       - run: yarn build --win --publish always
+        if: runner.os == 'Windows'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
-          CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
-        if: runner.os == 'Windows'
+          CODE_SIGN_SCRIPT_PATH: "${{ github.workspace }}/esigner-codesign/dist/index.js"
+          CODE_SIGN_SSLCOM_USERNAME: ${{ secrets.SSLCOM_USERNAME }}
+          CODE_SIGN_SSLCOM_PASSWORD: ${{ secrets.SSLCOM_PASSWORD }}
+          CODE_SIGN_SSLCOM_TOTP_SECRET: ${{ secrets.SSLCOM_TOTP_SECRET }}
+          CODE_SIGN_SSLCOM_CREDENTIAL_ID: ${{ secrets.SSLCOM_CREDENTIAL_ID }}
 
       - run: yarn build --linux --publish always
+        if: runner.os == 'Linux'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        if: runner.os == 'Linux'
 
   publish:
     needs: build

buildcfg/sslcom-sign.js

@@ -0,0 +1,44 @@
+const { execSync } = require('child_process');
+
+function sign(configuration) {
+	console.log("Requested signing for ", configuration.path);
+
+	// Only proceed if the versioned exe file is in the configuration path - skip signing everything else
+	if (!configuration.path.includes("Celo Terminal")) {
+		console.log("Configuration path does not include the versioned exe, signing skipped.");
+		return true;
+	}
+
+
+	try {
+		// Execute the sign script synchronously
+		const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH;
+		process.env["INPUT_COMMAND"] = "sign"
+		process.env["INPUT_FILE_PATH"] = configuration.path
+		process.env["INPUT_OVERRIDE"] = "true"
+		process.env["INPUT_MALWARE_BLOCK"] = "false"
+		process.env["INPUT_CLEAN_LOGS"] = "false"
+		process.env["INPUT_JVM_MAX_MEMORY"] = "1024M"
+		process.env["INPUT_ENVIRONMENT_NAME"] = "PROD"
+		process.env["INPUT_USERNAME"] = process.env.CODE_SIGN_SSLCOM_USERNAME
+		process.env["INPUT_PASSWORD"] = process.env.CODE_SIGN_SSLCOM_PASSWORD
+		process.env["INPUT_TOTP_SECRET"] = process.env.CODE_SIGN_SSLCOM_TOTP_SECRET
+		process.env["INPUT_CREDENTIAL_ID"] = process.env.CODE_SIGN_SSLCOM_CREDENTIAL_ID
+
+		const output = execSync(`node "${scriptPath}"`).toString();
+		console.log(`Script output: ${output}`);
+	} catch (error) {
+		console.error(`Error executing script: ${error.message}`);
+		if (error.stdout) {
+			console.log(`Script stdout: ${error.stdout.toString()}`);
+		}
+		if (error.stderr) {
+			console.error(`Script stderr: ${error.stderr.toString()}`);
+		}
+		return false;
+	}
+
+	return true; // Return true at the end of successful signing
+}
+
+exports.default = sign;

electron-builder.yml

@@ -25,6 +25,8 @@ mac:
 
 win:
   artifactName: ${productName}-${version}-${os}-x64.${ext}
+  signingHashAlgorithms: ["sha256"]
+  sign: "./buildcfg/sslcom-sign.js"
   target:
     - target: nsis
       arch: ["x64"]