Merge pull request desktop#17648 from desktop/acs

Sign using ACS

Author: niik

.github/workflows/ci.yml

@@ -21,16 +21,21 @@ on:
       environment:
         type: string
         required: true
+      sign:
+        type: boolean
+        default: true
+        required: false
     secrets:
+      AZURE_CODE_SIGNING_TENANT_ID:
+      AZURE_CODE_SIGNING_CLIENT_ID:
+      AZURE_CODE_SIGNING_CLIENT_SECRET:
       DESKTOP_OAUTH_CLIENT_ID:
       DESKTOP_OAUTH_CLIENT_SECRET:
       APPLE_ID:
       APPLE_ID_PASSWORD:
       APPLE_TEAM_ID:
       APPLE_APPLICATION_CERT:
       APPLE_APPLICATION_CERT_PASSWORD:
-      WINDOWS_CERT_PFX:
-      WINDOWS_CERT_PASSWORD:
 
 jobs:
   lint:
@@ -123,17 +128,22 @@ jobs:
       - name: Run script tests
         if: matrix.arch == 'x64'
         run: yarn test:script
-      - name: Install Windows code signing certificate
-        if: ${{ runner.os == 'Windows' }}
-        shell: bash
-        env:
-          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
-        run: base64 -d <<<"$CERT_CONTENTS" > ./script/windows-certificate.pfx
+      - name: Install Azure Code Signing Client
+        if: ${{ runner.os == 'Windows' && inputs.sign }}
+        run: |
+          $acsZip = Join-Path $env:RUNNER_TEMP "acs.zip"
+          $acsDir = Join-Path $env:RUNNER_TEMP "acs"
+          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $acsZip -Verbose
+          Expand-Archive $acsZip -Destination $acsDir -Force -Verbose
+          # Replace ancient signtool in electron-winstall with one that supports ACS
+          Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination "node_modules\electron-winstaller\vendor" -Verbose
       - name: Package production app
         run: yarn package
         env:
           npm_config_arch: ${{ matrix.arch }}
-          WINDOWS_CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_CODE_SIGNING_TENANT_ID }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CODE_SIGNING_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CODE_SIGNING_CLIENT_SECRET }}
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         if: ${{ inputs.upload-artifacts }}

script/package.ts

@@ -23,11 +23,18 @@ import { existsSync, rmSync, writeFileSync } from 'fs'
 import { getVersion } from '../app/package-info'
 import { rename } from 'fs/promises'
 import { join } from 'path'
+import { assertNonNullable } from '../app/src/lib/fatal-error'
 
 const distPath = getDistPath()
 const productName = getProductName()
 const outputDir = getDistRoot()
 
+const assertExistsSync = (path: string) => {
+  if (!existsSync(path)) {
+    throw new Error(`Expected ${path} to exist`)
+  }
+}
+
 if (process.platform === 'darwin') {
   packageOSX()
 } else if (process.platform === 'win32') {
@@ -107,8 +114,23 @@ function packageWindows() {
   }
 
   if (isGitHubActions() && isPublishable()) {
-    const certificatePath = path.join(__dirname, 'windows-certificate.pfx')
-    options.signWithParams = `/f ${certificatePath} /p ${process.env.WINDOWS_CERT_PASSWORD} /tr http://timestamp.digicert.com /td sha256 /fd sha256`
+    assertNonNullable(process.env.RUNNER_TEMP, 'Missing RUNNER_TEMP env var')
+
+    const acsPath = join(process.env.RUNNER_TEMP, 'acs')
+    const dlibPath = join(acsPath, 'bin', 'x64', 'Azure.CodeSigning.Dlib.dll')
+
+    assertExistsSync(dlibPath)
+
+    const metadataPath = join(acsPath, 'metadata.json')
+    const acsMetadata = {
+      Endpoint: 'https://eus.codesigning.azure.net/',
+      CodeSigningAccountName: 'github-desktop',
+      CertificateProfileName: 'desktop',
+      CorrelationId: `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`,
+    }
+    writeFileSync(metadataPath, JSON.stringify(acsMetadata))
+
+    options.signWithParams = `/v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "${dlibPath}" /dmdf "${metadataPath}"`
   }
 
   console.log('Packaging for Windows…')