Add a PKCS12 Windows code signing certificate and sign exe/msi artifa…

…cts. This certificate is encrypted with AppVeyor's "secure files" tool: https://www.appveyor.com/docs/how-to/secure-files/ The secret, salt and password in appveyor.yml are encrypted with AppVeyor's repository-specific public key. During AppVeyor builds, the environment variables are set to the decrypted value of the secret, salt, and password which allows us to decrypt the PKCS12 file and then decrypt the private key within the PKCS12 file. The private key in the PKCS12 file itself is encrypted with PBE-SHA1-3DES, since apparently Windows does not support AES.
mixxxdj · Jul 13, 2020 · 4d7422a · 4d7422a
1 parent d00aa15
commit 4d7422a
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/appveyor.yml b/appveyor.yml
@@ -165,7 +165,13 @@ for:
     ENVIRONMENTS_PATH: C:\mixxx-buildserver
     MSVC_PATH: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community"
     PATH: 'C:\Python37-x64;C:\Python37-x64\Scripts;%PATH%'
-
+    CODESIGN_CERTIFICATE_PATH: build\certificates\windows_sectigo_codesign_certificate.pfx
+    CODESIGN_CERTIFICATE_SECURE_FILE_SECRET:
+      secure: 1xzNVbLop/5/ySSgZxPzyOz5cm8nVMLEIEW4x0XOJjI=
+    CODESIGN_CERTIFICATE_SECURE_FILE_SALT:
+      secure: tw+bg3qfia7+WQdBdXtC301Z9Dv7yQ6SwpWcFJav9YC4zwyyGztev6pAbGE93sln4VO0WRCJ+4/KTviBMPXvXQ==
+    CODESIGN_CERTIFICATE_PASSWORD:
+      secure: EiAsLAgrsS+N3rr71AAkXPCrxIe2vLvlOvCipnTw6pg=
 
   install:
     - set /P ENVIRONMENT_NAME=<build/windows/golden_environment
@@ -183,6 +189,13 @@ for:
       )
     - choco install ninja
     - python -m pip install git+https://github.com/frerich/clcache.git
+    # Decrypt the code signing certificate.
+    - ps: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        appveyor-tools\secure-file -decrypt %CODESIGN_CERTIFICATE_PATH%.enc -secret %CODESIGN_CERTIFICATE_SECURE_FILE_SECRET% -salt %CODESIGN_CERTIFICATE_SECURE_FILE_SALT%
+      ) else (
+        echo "Skipping certificate decryption because we are in a pull request."
+      )
 
   before_build:
     - FOR /D %%G IN (%WINLIB_PATH%\Qt-*) DO SET QT_PATH=%%G
@@ -235,8 +248,18 @@ for:
       ..
     - cmake --build .
     - cmake --build . --target install
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.exe
+      ) else (
+        echo "Skipping codesigning *.exe because we are in a pull request."
+      )
     # Generate WIX installer
     - cpack -G "WIX"
+    - IF [%APPVEYOR_PULL_REQUEST_NUMBER%] == [] (
+        signtool sign /f ..\%CODESIGN_CERTIFICATE_PATH% /p %CODESIGN_CERTIFICATE_PASSWORD% *.msi
+      ) else (
+        echo "Skipping codesigning *.msi because we are in a pull request."
+      )
 
   test_script:
     # Calling mixxx-test under bash to have standard output and use stdbuf to

diff --git a/build/certificates/windows_sectigo_codesign_certificate.pfx.enc b/build/certificates/windows_sectigo_codesign_certificate.pfx.enc