Merge pull request #724 from particle-iot/feature/sc-126219/sign-cli-…

…executables-for-windows add sign script for win
particle-iot · Apr 2, 2024 · 5ae0108 · 5ae0108
2 parents cf69d8f + d131ded
commit 5ae0108
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,7 +8,7 @@ tag_filters: &tag_filters
 executors:
   linux:
     docker:
-      - image: particle/cimg-node-cross-compile:16.16-2
+      - image: particle/cimg-node-cross-compile:16.16-3
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_PASSWORD
@@ -63,6 +63,16 @@ commands:
       - run:
           name: Build Package
           command: npm run build
+  sign-win:
+    description: "A command to sign windows executable"
+    parameters:
+      node-version:
+        type: string
+    steps:
+      - run:
+          name: Sign Executable
+          command: |
+            npm run sign:win
 jobs:
   test-unix:
     parameters:
@@ -130,6 +140,8 @@ jobs:
     steps:
       - build-package:
           node-version: << parameters.node-version >>
+      - sign-win:
+          node-version: << parameters.node-version >>
       - store_artifacts:
           path: build
 

diff --git a/package.json b/package.json
@@ -153,6 +153,7 @@
     "coverage:e2e": "nyc npm run test:e2e:silent",
     "coverage:report": "nyc report --reporter=html",
     "build": "pkg .",
+    "sign:win": "node ./scripts/win-sign.js",
     "clean": "npm run clean:modules",
     "clean:modules": "rm -rf ./node_modules",
     "update-changelog": "VERSION=`node --print --eval \"require('./package.json').version\"` bash -c 'read -p \"Update CHANGELOG.md for version $VERSION and press ENTER when done.\"' && git add CHANGELOG.md",

diff --git a/scripts/win-sign.js b/scripts/win-sign.js
@@ -0,0 +1,107 @@
+#!/usr/bin/env node
+require('dotenv').config();
+const path = require('path');
+const fs = require('fs-extra');
+const execa = require('execa');
+const pkgJSON = require('../package.json');
+const log = require('../src/lib/log').info;
+const logErrorAndExit = require('../src/lib/log').error;
+const particleBuildName = 'particle-cli-win-x64';
+const BUILD_DIR = path.join(__dirname, '..', 'build');
+
+(async () => {
+	try {
+
+		log('Signing Windows Installers');
+
+		const signingParams = getSigningParams(pkgJSON, '/tmp');
+		const { p12, name, version, certificate } = signingParams;
+
+		log(`Saving windows signing certificate for ${name}@${version} to ${p12}`);
+
+		await fs.writeFile(p12, Buffer.from(certificate, 'base64'));
+		const bin = path.join(BUILD_DIR, `${particleBuildName}.exe`);
+		const unsigned = path.join(BUILD_DIR, `${particleBuildName}-unsigned.exe`);
+
+		log(`Signing .exe for ${name}@${version} on x64`);
+
+		await fs.move(bin, unsigned); // Move the original exe to a new file to sign it
+		await winSign({ unsigned, signed: bin }, signingParams);
+
+		log('removing temporal files');
+		await fs.remove(p12);
+
+	} catch (error) {
+		return logErrorAndExit(error);
+	}
+	log('All Done!');
+})();
+
+// UTILS //////////////////////////////////////////////////////////////////////
+function winSign(exe, params) {
+	const { p12, bin, homepage, password } = params;
+	const args = [
+		'sign',
+		'-pkcs12',
+		p12,
+		'-pass',
+		password,
+		'-n',
+		bin,
+		'-i',
+		homepage,
+		'-h',
+		'sha512',
+		'-ts',
+		'timestamp.digicert.com',
+		'-in',
+		exe.unsigned,
+		'-out',
+		exe.signed
+	];
+
+	return execa('osslsigncode', args);
+}
+
+function getSigningParams(pkgJSON, tmpDir) {
+	const { name, version } = pkgJSON;
+	const homepage = pkgJSON.homepage; // Directly using the package's homepage
+
+	if (!version || !homepage) {
+		throw new Error(`${name} package has malformed package.json - 'version', and 'homepage' fields are required`);
+	}
+	const envVars = getEnvVars();
+
+	if (!envVars.certificate.value || !envVars.password.value) {
+		throw new Error(`'${envVars.certificate.var}' and '${envVars.password.var}' environment variables must be set`);
+	}
+
+	const p12 = path.join(tmpDir, 'win-cert.p12');
+	const certificate = envVars.certificate.value;
+	const password = envVars.password.value;
+
+	return {
+		p12,
+		name,
+		version,
+		homepage,
+		certificate,
+		password
+	};
+}
+
+function getEnvVars() {
+	const certificate = 'PARTICLE_WINDOWS_SIGNING_CERT';
+	const password = 'PARTICLE_WINDOWS_SIGNING_PASS';
+
+	return {
+		certificate: {
+			var: certificate,
+			value: process.env[certificate]
+		},
+		password: {
+			var: password,
+			value: process.env[password]
+		}
+	};
+}