Let tauri-action perform Windows signing (#535)

* Check if tauri-action could sign Windows builds automatically Fixes #533 * Cleanup * Change to sha256 * Clean up
2023-09-16 04:48:32 -04:00
parent f592d8db84
commit 58d7e59ca4
2 changed files with 30 additions and 55 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -134,7 +134,33 @@ jobs:
        run: |
          rustup target add aarch64-apple-darwin

-      - name: Build the app for the current platform (no upload)
+      - name: Prepare Windows certificate and variables
+        if: matrix.os == 'windows-latest'
+        run: | 
+          echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 
+          cat /d/Certificate_pkcs12.p12 
+          echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH 
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH 
+          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH 
+        shell: bash 
+
+      - name: Setup Windows certicate with SSM KSP
+        if: matrix.os == 'windows-latest'
+        run: | 
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi 
+          msiexec /i smtools-windows-x64.msi /quiet /qn 
+          smksp_registrar.exe list 
+          smctl.exe keypair ls 
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user 
+          smksp_cert_sync.exe 
+        shell: cmd 
+
+      - name: Build and sign the app for the current platform
        uses: tauri-apps/tauri-action@v0
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
@ -147,61 +173,10 @@ jobs:
          path: ${{ matrix.os == 'macos-latest' && 'src-tauri/target/universal-apple-darwin/release/bundle/*/*' || 'src-tauri/target/release/bundle/*/*' }}


-  sign-windows-msi:
-    runs-on: windows-latest
-    if: github.event_name == 'release'
-    needs: [build-test-web, build-apps]
-    env:
-      VERSION_NO_V: ${{ needs.build-test-web.outputs.version }}
-    steps:
-
-      - uses: actions/download-artifact@v3
-
-      - name: Setup Certificate 
-        run: | 
-          echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 
-          cat /d/Certificate_pkcs12.p12 
-        shell: bash 
-
-      - name: Set variables 
-        id: variables 
-        run: | 
-          echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 
-          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
-          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
-          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 
-          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
-          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH 
-          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH 
-          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH 
-        shell: bash 
-
-      - name: Setup SSM KSP on windows latest 
-        run: | 
-          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi 
-          msiexec /i smtools-windows-x64.msi /quiet /qn 
-          smksp_registrar.exe list 
-          smctl.exe keypair ls 
-          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user 
-          smksp_cert_sync.exe 
-        shell: cmd 
-
-      - name: Signing using Signtool 
-        run: | 
-          signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "artifact\msi\*.msi"
-          signtool.exe verify /v /pa "artifact\msi\*.msi"
-      
-      # TODO: for the updater, investigate if we need to also replace what's in the .zip, and what to do about the .sig file
-
-      - uses: actions/upload-artifact@v3
-        with:
-          path:  artifact/*
-
-
  publish-apps-release:
    runs-on: ubuntu-20.04
    if: github.event_name == 'release'
-    needs: [build-test-web, build-apps, sign-windows-msi]
+    needs: [build-test-web, build-apps]
    env:
      VERSION_NO_V: ${{ needs.build-test-web.outputs.version }}
      PUB_DATE: ${{ github.event.release.created_at }}
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -71,9 +71,9 @@
      "shortDescription": "",
      "targets": "all",
      "windows": {
-        "certificateThumbprint": null,
+        "certificateThumbprint": "F4C9A52FF7BC26EE5E054946F6B11DEEA94C748D",
        "digestAlgorithm": "sha256",
-        "timestampUrl": ""
+        "timestampUrl": "http://timestamp.digicert.com"
      }
    },
    "security": {