Make builds using the new ssl.com code signing certificate

brimdata · Apr 17, 2024 · 3e64826 · 3e64826
1 parent e3c0d26
commit 3e64826
Show file tree

Hide file tree

Showing 10 changed files with 146 additions and 55 deletions.
diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml
@@ -8,9 +8,13 @@ inputs:
     required: true
 
   # Windows Inputs
-  csc_key_password:
+  ssl_com_username:
     required: true
-  csc_link:
+  ssl_com_password:
+    required: true
+  ssl_com_totp_secret:
+    required: true
+  ssl_com_credential_id:
     required: true
 
   # Mac Inputs
@@ -47,16 +51,45 @@ runs:
         security find-identity -p codesigning -v
       shell: bash
 
+    - name: Checkout esigner-codesign repository
+      if: runner.os == 'Windows'
+      uses: actions/checkout@v3
+      with:
+       repository: 'SSLcom/esigner-codesign'
+       path: esigner-codesign
+
+    - name: Make values from package.json available in Actions steps
+      id: zui-package
+      uses: RadovanPelka/github-action-json@v1.0.1
+      with:
+        path: apps/zui/package.json
+
     - name: Build & Publish
       run: ${{ inputs.cmd }}
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.gh_token }}
-        WIN_CSC_KEY_PASSWORD: ${{ inputs.csc_key_password }}
-        WIN_CSC_LINK: ${{ inputs.csc_link }}
         APPLE_ID: ${{ inputs.apple_id }}
         APPLE_ID_PASSWORD: ${{ inputs.apple_id_password }}
         APPLE_TEAM_ID: ${{ inputs.apple_team_id }}
+        CODE_SIGN_SCRIPT_PATH: ${{ github.workspace }}/esigner-codesign/dist/index.js
+        INPUT_COMMAND: sign
+        INPUT_FILE_PATH: ${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe
+        INPUT_OVERRIDE: true
+        INPUT_MALWARE_BLOCK: false
+        INPUT_CLEAN_LOGS: false
+        INPUT_JVM_MAX_MEMORY: 1024M
+        INPUT_ENVIRONMENT_NAME: PROD
+        INPUT_USERNAME: ${{ inputs.ssl_com_username }}
+        INPUT_PASSWORD: ${{ inputs.ssl_com_password }}
+        INPUT_TOTP_SECRET: ${{ inputs.ssl_com_totp_secret }}
+        INPUT_CREDENTIAL_ID: ${{ inputs.ssl_com_credential_id }}
+
+    - name: Check for successful signing with SignTool
+      if: runner.os == 'Windows'
+      run: |
+        "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" verify /pa "${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe"
+      shell: cmd
 
     - name: Check notorization with gatekeeper
       if: runner.os == 'macOS'

diff --git a/.github/workflows/build-insiders.yml b/.github/workflows/build-insiders.yml
@@ -56,8 +56,10 @@ jobs:
           cmd: yarn nx package-insiders zui
           gh_token: ${{ secrets.PAT_TOKEN }}
           # Windows
-          csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }}
-          csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }}
+          ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }}
+          ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }}
+          ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }}
+          ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }}
           # Mac
           apple_id: ${{ secrets.APPLEID_USER }}
           apple_id_password: ${{ secrets.APPLEID_PASSWORD }}

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,8 +25,10 @@ jobs:
           cmd: yarn nx package-zui zui
           gh_token: ${{ secrets.GITHUB_TOKEN }}
           # Windows
-          csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }}
-          csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }}
+          ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }}
+          ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }}
+          ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }}
+          ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }}
           # Mac
           apple_id: ${{ secrets.APPLEID_USER }}
           apple_id_password: ${{ secrets.APPLEID_PASSWORD }}

diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
@@ -56,8 +56,10 @@ jobs:
           cmd: yarn nx release-insiders zui
           gh_token: ${{ secrets.PAT_TOKEN }}
           # Windows
-          csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }}
-          csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }}
+          ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }}
+          ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }}
+          ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }}
+          ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }}
           # Mac
           apple_id: ${{ secrets.APPLEID_USER }}
           apple_id_password: ${{ secrets.APPLEID_PASSWORD }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,8 +25,10 @@ jobs:
           cmd: yarn nx release-zui zui
           gh_token: ${{ secrets.GITHUB_TOKEN }}
           # Windows
-          csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }}
-          csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }}
+          ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }}
+          ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }}
+          ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }}
+          ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }}
           # Mac
           apple_id: ${{ secrets.APPLEID_USER }}
           apple_id_password: ${{ secrets.APPLEID_PASSWORD }}

diff --git a/apps/zui/electron-builder-config.js b/apps/zui/electron-builder-config.js
@@ -0,0 +1,73 @@
+const { execSync } = require('child_process');
+const zuiPackage = require('./package.json')
+
+const config = {
+  appId: "io.brimdata.zui",
+  asar: true,
+  asarUnpack: ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"],
+  directories: {output: "../../dist/apps/zui"},
+  protocols: [{name: "zui", "schemes": ["zui"]}],
+  win: {target: ["nsis"]},
+  linux: {target: ["deb", "rpm"]},
+  rpm: {depends: ["openssl"]},
+  deb: {depends: ["openssl"]},
+  nsis: {oneClick: false, perMachine: false},
+  forceCodeSigning: true,
+  afterSign: "electron-builder-notarize",
+  publish: {
+    provider: "github"
+  },
+  files: [
+    "dist/**",
+    "out/**",
+    "build/**",
+    "zdeps/**",
+    "LICENSE.txt",
+    "acknowledgments.txt",
+    "package.json"
+  ],
+}
+
+// Code below for code signing with SSL.com cert in electron-builder via GitHub
+// Actions taken from:
+// https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062
+if (process.env.CODE_SIGN_SCRIPT_PATH) {
+  const version = zuiPackage.version;
+  const productName = zuiPackage.productName;
+  const versionedExe = `${productName} Setup ${version}.exe`;
+
+  config.win.sign = (configuration) => {
+    console.log("Requested signing for ", configuration.path);
+
+    // Only proceed if the versioned exe file is in the configuration path - skip signing everything else
+    if (!configuration.path.includes(versionedExe)) {
+      console.log("Configuration path does not include the versioned exe, signing skipped.");
+      return true;
+    }
+
+    const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH;
+
+    try {
+      // Execute the sign script synchronously
+      const output = execSync(`node "${scriptPath}"`).toString();
+      console.log(`Script output: ${output}`);
+    } catch (error) {
+      console.error(`Error executing script: ${error.message}`);
+      if (error.stdout) {
+        console.log(`Script stdout: ${error.stdout.toString()}`);
+      }
+      if (error.stderr) {
+        console.error(`Script stderr: ${error.stderr.toString()}`);
+      }
+      return false;
+    }
+
+    return true; // Return true at the end of successful signing
+  };
+
+  // Sign only for Windows 10 and above
+  config.win.signingHashAlgorithms = ["sha256"];
+
+}
+
+module.exports = config;
diff --git a/apps/zui/electron-builder-insiders-config.js b/apps/zui/electron-builder-insiders-config.js
@@ -0,0 +1,16 @@
+const config = {
+  extends: "./electron-builder-config.js",
+  appId: "io.brimdata.zui-insiders",
+  mac: {
+    icon: "build/insiders/icon.icns"
+  },
+  win: {
+    icon: "build/insiders/icon.ico"
+  },
+  publish: {
+    provider: "github",
+    releaseType: "release"
+  }
+}
+
+module.exports = config;
diff --git a/apps/zui/electron-builder-insiders.json b/apps/zui/electron-builder-insiders.json
diff --git a/apps/zui/electron-builder.json b/apps/zui/electron-builder.json
diff --git a/apps/zui/package.json b/apps/zui/package.json
@@ -27,10 +27,10 @@
     "tsc": "tsc",
     "postinstall": "node scripts/post-install",
     "prepare": "husky install",
-    "package-zui": "electron-builder --publish never",
-    "release-zui": "electron-builder",
-    "package-insiders": "electron-builder --config electron-builder-insiders.json --publish never",
-    "release-insiders": "electron-builder --config electron-builder-insiders.json --publish always"
+    "package-zui": "electron-builder --config electron-builder-config.js --publish never",
+    "release-zui": "electron-builder --config electron-builder-config.js",
+    "package-insiders": "electron-builder --config electron-builder-insiders-config.js --publish never",
+    "release-insiders": "electron-builder --config electron-builder-insiders-config.js --publish always"
   },
   "dependencies": {
     "keytar": "^7.7.0",