WIP Win signing

.github/workflows/build-publish-apps.yml

@@ -14,7 +14,7 @@ on:
 
 env:
   CUT_RELEASE_PR: ${{ github.event_name == 'pull_request' && (contains(github.event.pull_request.title, 'Cut release v')) }}
-  BUILD_RELEASE: false
+  BUILD_RELEASE: true
   BUCKET_NAME: 'dl.kittycad.io'
   BUCKET_FOLDER: 'releases/modeling-app/test/electron'
   WEBSITE_DIR: 'dl.zoo.dev/releases/modeling-app/test/electron' 
@@ -139,22 +139,22 @@ jobs:
         shell: cmd
 
       - name: Make the app for arm64
-        if: ${{ env.BUILD_RELEASE == 'false' }}
+        # if: ${{ env.BUILD_RELEASE == 'false' }}
         # run: "yarn electron-forge make --arch arm64"
         run: yarn electron-builder --config --arm64
 
-      - name: Publish the app for arm64 (dry run)
-        if: ${{ env.BUILD_RELEASE == 'true' }}
-        run: "yarn electron-forge publish --arch arm64 --dry-run"
+      # - name: Publish the app for arm64 (dry run)
+      #   if: ${{ env.BUILD_RELEASE == 'true' }}
+      #   run: "yarn electron-forge publish --arch arm64 --dry-run"
 
-      - name: Sign Windows arm64 builds using Signtool
-        # if: ${{ env.BUILD_RELEASE == 'true' && matrix.os == 'windows-2022' }}
-        if: false
-        env:
-          FILE: "D:\\a\\modeling-app\\modeling-app\\out\\make\\squirrel.windows\\arm64\\Zoo Modeling App-*Setup.exe"
-        run: |
-          signtool.exe sign /sha1 ${{ env.WINDOWS_CERTIFICATE_THUMBPRINT }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "${{ env.FILE }}"
-          signtool.exe verify /v /pa "${{ env.FILE }}"
+      # - name: Sign Windows arm64 builds using Signtool
+      #   # if: ${{ env.BUILD_RELEASE == 'true' && matrix.os == 'windows-2022' }}
+      #   if: false
+      #   env:
+      #     FILE: "D:\\a\\modeling-app\\modeling-app\\out\\make\\squirrel.windows\\arm64\\Zoo Modeling App-*Setup.exe"
+      #   run: |
+      #     signtool.exe sign /sha1 ${{ env.WINDOWS_CERTIFICATE_THUMBPRINT }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "${{ env.FILE }}"
+      #     signtool.exe verify /v /pa "${{ env.FILE }}"
 
       # - uses: actions/upload-artifact@v3
       #   with:
@@ -166,22 +166,22 @@ jobs:
           # out/publish-dry-run/*/*
 
       - name: Make the app for x64
-        if: ${{ env.BUILD_RELEASE == 'false' }}
+        # if: ${{ env.BUILD_RELEASE == 'false' }}
         # run: "yarn electron-forge make --arch x64"
         run: "yarn electron-builder --config --x64"
 
-      - name: Publish the app for x64 (dry run)
-        if: ${{ env.BUILD_RELEASE == 'true' }}
-        run: "yarn electron-forge publish --arch x64 --dry-run"
+      # - name: Publish the app for x64 (dry run)
+      #   if: ${{ env.BUILD_RELEASE == 'true' }}
+      #   run: "yarn electron-forge publish --arch x64 --dry-run"
 
-      - name: Sign Windows x64 builds using Signtool
-        # if: ${{ env.BUILD_RELEASE == 'true' && matrix.os == 'windows-2022' }}
-        if: false
-        env:
-          FILE: "D:\\a\\modeling-app\\modeling-app\\out\\make\\squirrel.windows\\x64\\Zoo Modeling App-*Setup.exe"
-        run: |
-          signtool.exe sign /sha1 ${{ env.WINDOWS_CERTIFICATE_THUMBPRINT }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "${{ env.FILE }}"
-          signtool.exe verify /v /pa "${{ env.FILE }}"
+      # - name: Sign Windows x64 builds using Signtool
+      #   # if: ${{ env.BUILD_RELEASE == 'true' && matrix.os == 'windows-2022' }}
+      #   if: false
+      #   env:
+      #     FILE: "D:\\a\\modeling-app\\modeling-app\\out\\make\\squirrel.windows\\x64\\Zoo Modeling App-*Setup.exe"
+      #   run: |
+      #     signtool.exe sign /sha1 ${{ env.WINDOWS_CERTIFICATE_THUMBPRINT }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "${{ env.FILE }}"
+      #     signtool.exe verify /v /pa "${{ env.FILE }}"
 
       - uses: actions/upload-artifact@v3
         with:

electron-builder.yml

@@ -11,10 +11,13 @@ mac:
   category: public.app-category.developer-tools
   target: dmg
 
+# mac only
+afterSign: scripts/notarize.js
+
 win:
   target: nsis
+  sign: scripts/signWin.js,
+  signingHashAlgorithms": ["sha256"]
 
 linux:
   target: appimage
-
-afterSign: "notarize.js"

scripts/signWin.js

@@ -0,0 +1,29 @@
+// From https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/4800540ffaa517925fc2cff26670809efa341ffe/signWin.js
+const {
+    execSync
+} = require('node:child_process')
+
+exports.default = async configuration => {
+    if (!process.env.SM_API_KEY) {
+        console.error("Signing using signWin.js script: failed: SM_API_KEY ENV VAR NOT FOUND");
+        return
+    }
+
+    if (!process.env.WINDOWS_CERTIFICATE_THUMBPRINT) {
+        console.error("Signing using signWin.js script: failed: FINGERPRINT ENV VAR NOT FOUND");
+        return
+    }
+
+    if (!configuration.path) {
+        throw new Error(`Signing using signWin.js script: failed: TARGET PATH NOT FOUND`)
+    }
+
+    try {
+        execSync(`smctl sign --fingerprint="${process.env.WINDOWS_CERTIFICATE_THUMBPRINT}" --input "${String(configuration.path)}"`, {
+            stdio: 'inherit',
+        })
+        console.log("Signing using signWin.js script: successful");
+    } catch (error) {
+        console.error("Signing using signWin.js script: failed:", error);
+    }
+}