Skip to content

Commit

Permalink
[release-0.14] コード署名をeSignerCKAに (#1597)
Browse files Browse the repository at this point in the history
  • Loading branch information
Hiroshiba authored Oct 5, 2023
1 parent 65a4465 commit 89b749e
Show file tree
Hide file tree
Showing 4 changed files with 153 additions and 18 deletions.
78 changes: 60 additions & 18 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -213,18 +213,30 @@ jobs:
run: |
df -h
# build electronでコード署名するには環境変数を指定が必要だけど、
# コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
- name: Define Code Signing Envs
if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
shell: bash
run: |
# 複数行の文字列を環境変数に代入
echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
bash build/codesign_setup.bash
THUMBPRINT="$(head -n 1 $THUMBPRINT_PATH)"
SIGNTOOL_PATH="$(head -n 1 $SIGNTOOL_PATH_PATH)"
echo "::add-mask::$THUMBPRINT"
echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
echo "WIN_CERTIFICATE_SHA1=$THUMBPRINT" >> $GITHUB_ENV
echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
echo "SIGNTOOL_PATH=$SIGNTOOL_PATH" >> $GITHUB_ENV
# NOTE: electron-builder 22.14.13 は指定したsigntoolを使わないので、ワークアラウンドとしてディレクトリを差し替える
CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
mv "$CACHE_SIGNTOOL_DIR"{,.bak}
SIGNTOOL_DIR=$(dirname "$SIGNTOOL_PATH")
ln -s "$SIGNTOOL_DIR" "$CACHE_SIGNTOOL_DIR"
env:
ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
SIGNTOOL_PATH_PATH: /tmp/signtool_path.txt

# Build result will be exported to ${{ matrix.artifact_path }}
- name: Build Electron
Expand All @@ -243,8 +255,17 @@ jobs:
if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
shell: bash
run: |
echo 'CSC_LINK=' >> $GITHUB_ENV
echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
bash build/codesign_cleanup.bash
echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
echo 'SIGNTOOL_PATH=' >> $GITHUB_ENV
# NOTE: ワークアラウンドで差し替えたディレクトリを元に戻す
CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
rm -r "$CACHE_SIGNTOOL_DIR"
mv "$CACHE_SIGNTOOL_DIR"{.bak,}
env:
THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt

- name: Upload NoEngine Prepackage
uses: actions/upload-artifact@v3
Expand Down Expand Up @@ -654,18 +675,30 @@ jobs:
run: |
df -h
# build electronでコード署名するには環境変数を指定が必要だけど、
# コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
- name: Define Code Signing Envs
if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
shell: bash
run: |
# 複数行の文字列を環境変数に代入
echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
bash build/codesign_setup.bash
THUMBPRINT="$(head -n 1 $THUMBPRINT_PATH)"
SIGNTOOL_PATH="$(head -n 1 $SIGNTOOL_PATH_PATH)"
echo "::add-mask::$THUMBPRINT"
echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
echo "WIN_CERTIFICATE_SHA1=$THUMBPRINT" >> $GITHUB_ENV
echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
echo "SIGNTOOL_PATH=$SIGNTOOL_PATH" >> $GITHUB_ENV
# NOTE: electron-builder 22.14.13 は指定したsigntoolを使わないので、ワークアラウンドとしてディレクトリを差し替える
CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
mv "$CACHE_SIGNTOOL_DIR"{,.bak}
SIGNTOOL_DIR=$(dirname "$SIGNTOOL_PATH")
ln -s "$SIGNTOOL_DIR" "$CACHE_SIGNTOOL_DIR"
env:
ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
SIGNTOOL_PATH_PATH: /tmp/signtool_path.txt

# NOTE: prepackage can be removed before splitting nsis-web archive
- name: Build Electron
Expand All @@ -688,8 +721,17 @@ jobs:
if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
shell: bash
run: |
echo 'CSC_LINK=' >> $GITHUB_ENV
echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
bash build/codesign_cleanup.bash
echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
echo 'SIGNTOOL_PATH=' >> $GITHUB_ENV
# NOTE: ワークアラウンドで差し替えたディレクトリを元に戻す
CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
rm -r "$CACHE_SIGNTOOL_DIR"
mv "$CACHE_SIGNTOOL_DIR"{.bak,}
env:
THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt

- name: Show disk space (debug info)
shell: bash
Expand Down
20 changes: 20 additions & 0 deletions build/codesign_cleanup.bash
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!

# eSignerCKAで読み込んだコードサイニング証明書を破棄する

set -eu

if [ ! -v THUMBPRINT_PATH ]; then # THUMBPRINTの出力先
echo "THUMBPRINT_PATHが未定義です"
exit 1
fi

if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then # eSignerCKAのインストール先
ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
fi

# 証明書を破棄
powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload"

# THUMBPRINTを削除
rm "$THUMBPRINT_PATH"
61 changes: 61 additions & 0 deletions build/codesign_setup.bash
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!

# eSignerCKAを使ってコードサイニング証明書を読み込む
# electronから利用するためにTHUMBPRINTとsigntoolのパスを出力する

set -eu

if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
echo "ESIGNERCKA_USERNAMEが未定義です"
exit 1
fi
if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
echo "ESIGNERCKA_PASSWORDが未定義です"
exit 1
fi
if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
echo "ESIGNERCKA_TOTP_SECRETが未定義です"
exit 1
fi
if [ ! -v THUMBPRINT_PATH ]; then # THUMBPRINTの出力先
echo "THUMBPRINT_PATHが未定義です"
exit 1
fi
if [ ! -v SIGNTOOL_PATH_PATH ]; then # 対応しているsigntoolのパスの出力先
echo "SIGNTOOL_PATH_PATHが未定義です"
exit 1
fi

if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then
ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
fi

# eSignerCKAのセットアップ
if [ ! -d "$ESIGNERCKA_INSTALL_DIR" ]; then
curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
mv *eSigner*CKA_*.exe eSigner_CKA_Installer.exe
powershell "
& ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$ESIGNERCKA_INSTALL_DIR" | Out-Null
& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$ESIGNERCKA_INSTALL_DIR\master.key' -r
& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload
"
rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
fi

# 証明書を読み込む
powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' load"

THUMBPRINT=$(
powershell '
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo "$($CodeSigningCert.Thumbprint)"
'
)

# THUMBPRINTを出力
echo "$THUMBPRINT" >"$THUMBPRINT_PATH"

# 対応しているsigntoolのパスを出力
SIGNTOOL_PATH=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
echo "$SIGNTOOL_PATH" >"$SIGNTOOL_PATH_PATH"
12 changes: 12 additions & 0 deletions vue.config.js
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ const LINUX_EXECUTABLE_NAME = process.env.LINUX_EXECUTABLE_NAME;
// ${productName}-${version}.${ext}
const MACOS_ARTIFACT_NAME = process.env.MACOS_ARTIFACT_NAME;

// コード署名証明書
const WIN_CERTIFICATE_SHA1 = process.env.WIN_CERTIFICATE_SHA1;
const WIN_SIGNING_HASH_ALGORITHMS = process.env.WIN_SIGNING_HASH_ALGORITHMS
? JSON.parse(process.env.WIN_SIGNING_HASH_ALGORITHMS)
: undefined;

const isMac = process.platform === "darwin";

module.exports = {
Expand Down Expand Up @@ -76,6 +82,12 @@ module.exports = {
arch: ["x64"],
},
],
certificateSha1:
WIN_CERTIFICATE_SHA1 !== "" ? WIN_CERTIFICATE_SHA1 : undefined,
signingHashAlgorithms:
WIN_SIGNING_HASH_ALGORITHMS !== ""
? WIN_SIGNING_HASH_ALGORITHMS
: undefined,
},
directories: {
buildResources: "build",
Expand Down

0 comments on commit 89b749e

Please sign in to comment.