build: sign binaries with azure key codesign tool

shabados · Oct 22, 2023 · 372f41a · 372f41a
1 parent c3acc9d
commit 372f41a
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 0 deletions.
diff --git a/.github/workflows/continuous-deployment.yml b/.github/workflows/continuous-deployment.yml
@@ -21,5 +21,22 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Install AzureSignTool
+        run: dotnet tool install --global AzureSignTool
+
+      - uses: azure/login@v1
+        with:
+          creds: ${{ secrets.TOOLS__AZURE_CREDENTIALS }}
+
+      - name: Set Azure token on environment
+        run: |
+          $az_token=$(az account get-access-token --scope https://vault.azure.net/.default --query accessToken --output tsv)
+          echo "::add-mask::$az_token"
+          echo "AZURE_KEY_VAULT_ACCESS_TOKEN=$az_token" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
       - name: Build Electron app
         run: npm run build:win
+        env:
+          AZURE_KEY_VAULT_TIMESTAMP_URL: ${{ secrets.AZURE_KEY_VAULT_TIMESTAMP_URL }}
+          AZURE_KEY_VAULT_CERTIFICATE_NAME: ${{ secrets.AZURE_KEY_VAULT_CERTIFICATE_NAME }}
+          AZURE_KEY_VAULT_URL: ${{ secrets.AZURE_KEY_VAULT_URL }}
diff --git a/electron-builder.yml b/electron-builder.yml
@@ -13,6 +13,7 @@ asarUnpack:
   - resources/**
 win:
   executableName: library
+  sign: ./scripts/sign.js
 nsis:
   artifactName: ${name}-${version}-setup.${ext}
   shortcutName: ${productName}

diff --git a/scripts/sign.js b/scripts/sign.js
@@ -0,0 +1,34 @@
+const {
+  AZURE_KEY_VAULT_TIMESTAMP_URL,
+  AZURE_KEY_VAULT_ACCESS_TOKEN,
+  AZURE_KEY_VAULT_URL,
+  AZURE_KEY_VAULT_CERTIFICATE_NAME,
+} = process.env
+
+Object.entries({
+  AZURE_KEY_VAULT_TIMESTAMP_URL,
+  AZURE_KEY_VAULT_ACCESS_TOKEN,
+  AZURE_KEY_VAULT_URL,
+  AZURE_KEY_VAULT_CERTIFICATE_NAME,
+}).forEach(([key, value]) => {
+  if (!value) throw new Error(`Missing environment variable ${key}`)
+})
+
+const { execSync } = require('child_process')
+
+const sign = async ({ path }) => {
+  execSync(
+    [
+      'AzureSignTool',
+      'sign',
+      `-kva ${AZURE_KEY_VAULT_ACCESS_TOKEN}`,
+      `-kvu ${AZURE_KEY_VAULT_URL}`,
+      `-kvc ${AZURE_KEY_VAULT_CERTIFICATE_NAME}`,
+      `-tr ${AZURE_KEY_VAULT_TIMESTAMP_URL}`,
+      path,
+    ].join(' '),
+    { stdio: 'inherit' }
+  )
+}
+
+exports.default = sign