Merge branch 'remote_sign' into main

daschuer · Dec 17, 2023 · 1d432c5 · 1d432c5
2 parents a6fc865 + 20bc73b
commit 1d432c5
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 54 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -119,6 +119,7 @@ jobs:
       APPLE_CODESIGN_IDENTITY: EF241CF990A9BE5477438AEE1F308F76F33FD100
       MACOS_CODESIGN_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_P12_BASE64 }}
       MACOS_CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_PASSWORD }}
+      WINDOWS_CODESIGN_CERTIFICATE_PKIX_BASE64: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE_PKIX_BASE64 }}
 
     runs-on: ${{ matrix.os }}
     name: ${{ matrix.name }}
@@ -220,18 +221,11 @@ jobs:
           echo "CMAKE_ARGS_EXTRA=${CMAKE_ARGS_EXTRA} -DAPPLE_CODESIGN_IDENTITY=${APPLE_CODESIGN_IDENTITY}" >> "${GITHUB_ENV}"
 
       - name: "[Windows] Set up Windows code signing"
-        env:
-          WINDOWS_CODESIGN_CERTIFICATE_PATH: ${{ github.workspace }}\packaging\certificates\windows_sectigo_codesign_certificate.pfx
-          WINDOWS_CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD }}
-          WINDOWS_CODESIGN_SECURE_FILE_SALT: ${{ secrets.WINDOWS_CODESIGN_SECURE_FILE_SALT }}
-          WINDOWS_CODESIGN_SECURE_FILE_SECRET: ${{ secrets.WINDOWS_CODESIGN_SECURE_FILE_SECRET }}
-        if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_SECURE_FILE_SALT != null && env.WINDOWS_CODESIGN_SECURE_FILE_SECRET != null
+        if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PKIX_BASE64 != null
         run: |
-          iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/fc44f5c5f2fb184fe738814f373c16cb69c30929/install.ps1'))
-          appveyor-tools/secure-file -decrypt "$Env:WINDOWS_CODESIGN_CERTIFICATE_PATH.enc" -secret "$Env:WINDOWS_CODESIGN_SECURE_FILE_SECRET" -salt "$Env:WINDOWS_CODESIGN_SECURE_FILE_SALT"
-          Add-Content -Path "$Env:GITHUB_ENV" -Value "WINDOWS_CODESIGN_CERTIFICATE_PATH=$Env:WINDOWS_CODESIGN_CERTIFICATE_PATH"
-          Add-Content -Path "$Env:GITHUB_ENV" -Value "WINDOWS_CODESIGN_CERTIFICATE_PASSWORD=$Env:WINDOWS_CODESIGN_CERTIFICATE_PASSWORD"
-          Add-Content -Path "$Env:GITHUB_ENV" -Value "CMAKE_ARGS_EXTRA=-DWINDOWS_CODESIGN=ON"
+          $decodedBytes = [System.Convert]::FromBase64String($Env:WINDOWS_CODESIGN_CERTIFICATE_PKIX_BASE64)
+          [System.IO.File]::WriteAllBytes("windows_codesign.cer", $decodedBytes)
+          Add-Content -Path "$Env:GITHUB_ENV" -Value "WINDOWS_CODESIGN_CERTIFICATE_PATH=../windows_codesign.cer"
 
       - name: "Set up build environment"
         id: buildenv
@@ -364,8 +358,9 @@ jobs:
           APPLE_TEAM_ID: JBLRSP95FC
 
       - name: "[Windows] Sign Package"
-        if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null && env.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD != null
-        run: signtool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /f $Env:WINDOWS_CODESIGN_CERTIFICATE_PATH /p $Env:WINDOWS_CODESIGN_CERTIFICATE_PASSWORD *.msi
+        if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null
+        run: |
+          signtool sign /fd sha256 /f $Env:WINDOWS_CODESIGN_CERTIFICATE_PATH /v /dg . *.msi
         working-directory: build
 
       - name: "Prepare for deployment"
@@ -460,6 +455,31 @@ jobs:
           name: ${{ matrix.artifacts_name }}
           path: ${{ matrix.artifacts_path }}
 
+      - name: "Upload files for remote signing"
+        if: runner.os == 'Windows'
+        uses: actions/[email protected]
+        with:
+          name: Exe Signing Digest
+          path: |
+            build/*.exe.dig
+            build/*.exe.p7u
+
+      - name: "Upload files for remote signing"
+        if: runner.os == 'Windows'
+        uses: actions/[email protected]
+        with:
+          name: Msi Signing Digest
+          path: |
+            build/*.msi.dig
+            build/*.msi.p7u
+
+      - name: "Upload WIX project"
+        if: runner.os == 'Windows'
+        uses: actions/[email protected]
+        with:
+          name: WIX project
+          path: build/_CPack_Packages/win64/WIX
+
   update_manifest:
     name: "Update manifest file on download server"
     runs-on: ubuntu-latest

diff --git a/.github/workflows/sign-mixxx-exe.yml b/.github/workflows/sign-mixxx-exe.yml
@@ -0,0 +1,30 @@
+name: Sign mixxx.exe
+
+on:
+  workflow_dispatch:
+    inputs:
+      workflow_run_id:
+        description: "Enter the id of the workflow run that has creates the unsigned exe"
+        required: true
+      signed_digest:
+        description: "Enter signed digest, bas64 encoded"
+        required: true
+
+jobs:
+  build:
+    runs-on: windows-2019
+
+    steps:
+      - name: Print status
+        run: |
+          echo "Signing workflow ${{ github.event.inputs.workflow_run_id }} with"
+          echo "${{ github.event.inputs.signed_digest }}"
+
+      - name: "Download WIX project"
+        uses: actions/download-artifact@v4
+        with:
+          name: WIX project
+          run-id: ${{ github.event.inputs.workflow_run_id }}
+
+      - name: Display structure of downloaded files
+        run: ls -R
diff --git a/.github/workflows/sign-mixxx-msi.yml b/.github/workflows/sign-mixxx-msi.yml
@@ -0,0 +1,20 @@
+name: Sign mixxx.msi
+
+on:
+  workflow_dispatch:
+    inputs:
+      workflow_run_id:
+        description: "Enter the id of the workflow run that has creates the unsigned exe"
+        required: true
+      signed_digest:
+        description: "Enter signed digest, bas64 encoded"
+        required: true
+
+jobs:
+  build:
+    runs-on: windows-2019
+
+    steps:
+      - name: Print Parameter Value
+        run: |
+          echo "The parameter value is ${{ github.event.inputs.parameter_name }}"
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1703,56 +1703,23 @@ if(WIN32)
 endif()
 
 if(WIN32)
-  option(WINDOWS_CODESIGN "Sign Windows executables and libraries with digital certificate" OFF)
-  mark_as_advanced(WINDOWS_CODESIGN)
-  if(WINDOWS_CODESIGN)
-    set(WINDOWS_CODESIGN_CERTIFICATE_PATH "$ENV{WINDOWS_CODESIGN_CERTIFICATE_PATH}" CACHE STRING "Path to signtool certificate")
-    set(WINDOWS_CODESIGN_CERTIFICATE_PASSWORD "$ENV{WINDOWS_CODESIGN_CERTIFICATE_PASSWORD}" CACHE STRING "Password of signtool certificate")
-    if("${WINDOWS_CODESIGN_CERTIFICATE_PATH}" STREQUAL "" AND "${WINDOWS_CODESIGN_CERTIFICATE_PASSWORD}" STREQUAL "")
-        set(WINDOWS_CODESIGN_ARGS /td sha256 /fd sha256 /tr http://timestamp.sectigo.com /a CACHE STRING "parameters for signtool (list)")
-    else()
-        set(WINDOWS_CODESIGN_ARGS /td sha256 /fd sha256 /tr http://timestamp.sectigo.com /f ${WINDOWS_CODESIGN_CERTIFICATE_PATH} /p ${WINDOWS_CODESIGN_CERTIFICATE_PASSWORD} CACHE STRING "parameters for signtool (list)")
-    endif()
+  if(DEFINED ENV{WINDOWS_CODESIGN_CERTIFICATE_PATH} AND NOT DEFINED WINDOWS_CODESIGN_CERTIFICATE_PATH)
+    set(WINDOWS_CODESIGN_CERTIFICATE_PATH "$ENV{WINDOWS_CODESIGN_CERTIFICATE_PATH}")
+  endif()
+
+  if(WINDOWS_CODESIGN_CERTIFICATE_PATH)
     find_program(SIGNTOOL_EXECUTABLE signtool)
     if(NOT SIGNTOOL_EXECUTABLE)
       message(FATAL_ERROR "signtool is not found. Signing executables not possible")
     endif()
     message(STATUS "Found signtool: ${SIGNTOOL_EXECUTABLE}")
 
-    # Check if we're able to sign an executable
-    if(NOT DEFINED WINDOWS_CODESIGN_OK)
-      file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/testsign.c "int main(){return 0;}")
-      file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/testsign)
-      try_compile(
-        RESULT ${CMAKE_CURRENT_BINARY_DIR}/testsign ${CMAKE_CURRENT_BINARY_DIR}/testsign.c
-        COPY_FILE ${CMAKE_CURRENT_BINARY_DIR}/testsign.exe
-      )
-      execute_process(
-        COMMAND ${SIGNTOOL_EXECUTABLE} sign ${WINDOWS_CODESIGN_ARGS} ${CMAKE_CURRENT_BINARY_DIR}/testsign.exe
-        RESULT_VARIABLE ERR OUTPUT_QUIET
-      )
-      if(ERR EQUAL 0)
-        message(STATUS "Windows codesigning via signtool is working")
-        set(WINDOWS_CODESIGN_OK 1 CACHE INTERNAL "Can sign executables")
-      else()
-        message(FATAL_ERROR "Could NOT codesign test sample (signtool failed)")
-        set(WINDOWS_CODESIGN_OK 0 CACHE INTERNAL "Invalid or missing certificate")
-      endif()
-    endif()
-    mark_as_advanced(SIGNTOOL_EXECUTABLE SIGNTOOL_ARGS)
-  endif()
-
-  macro(windows_codesign_target CODESIGN_TARGET)
     add_custom_command(
-        TARGET "${CODESIGN_TARGET}" POST_BUILD
-        COMMAND ${SIGNTOOL_EXECUTABLE} sign ${WINDOWS_CODESIGN_ARGS} $<TARGET_FILE:${CODESIGN_TARGET}>
-        COMMENT "Signining target ${CODESIGN_TARGET}"
+        TARGET mixxx POST_BUILD
+        COMMAND ${SIGNTOOL_EXECUTABLE} sign /f ${WINDOWS_CODESIGN_CERTIFICATE_PATH} /fd sha256 /v /dg . mixxx.exe
+        COMMENT "Create Digest and unsigned PKCS7 for mixxx"
         VERBATIM
     )
-  endmacro()
-
-  if(WINDOWS_CODESIGN)
-    windows_codesign_target(mixxx)
   endif()
 endif()