Setup kiwix-destkop signature on Windows.

Fix #713
2024-08-29 14:28:00 +02:00 · 2024-08-29 14:28:00 +02:00 · de90c6fefc
parent 52d757c660
commit de90c6fefc
2 changed files with 48 additions and 3 deletions
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@ -52,6 +52,37 @@ jobs:
        echo "${{secrets.ssh_key}}" > $SSH_KEY
      env:
        SSH_KEY: ${{ runner.temp }}/id_rsa
+    - name: Install and configure eSigner CKA and Windows SDK
+      if: github.event_name == 'push'
+      env:
+        ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.7/SSL.COM-eSigner-CKA_1.0.7.zip
+      run: |
+          Set-StrictMode -Version 'Latest'
+
+          # Download and Unzip eSignerCKA Setup
+          Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "$env:ESIGNER_URL"
+          Expand-Archive -Force eSigner_CKA_Setup.zip
+          Remove-Item eSigner_CKA_Setup.zip
+          Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
+
+          # Install eSignerCKA
+          New-Item -ItemType Directory -Force -Path "C:\esigner"
+          ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\esigner” /TYPE=automatic | Out-Null
+          Remove-Item "eSigner_CKA_Installer.exe"
+
+          # Configure the CKA with SSL.com credentials
+          C:\esigner\eSignerCKATool.exe config -mode product -user "${{ secrets.ESIGNER_USERNAME }}" -pass "${{ secrets.ESIGNER_PASSWORD }}" -totp "${{ secrets.ESIGNER_TOTP_SECRET }}" -key "C:\esigner\master.key" -r
+          C:\esigner\eSignerCKATool.exe unload
+          C:\esigner\eSignerCKATool.exe load
+
+          # Find certificate
+          $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+          echo Certificate: $CodeSigningCert
+
+          # Extract thumbprint and subject name
+          $Thumbprint = $CodeSigningCert.Thumbprint
+          echo "SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV
+
    - name: Ensure base deps
      run: |
        python .github\\scripts\\ensure_base_deps.py
--- a/scripts/package_kiwix-desktop_windows.py
+++ b/scripts/package_kiwix-desktop_windows.py
@ -1,6 +1,6 @@
 #!/usr/bin/env python3

-import sys, subprocess, shutil, argparse
+import sys, subprocess, shutil, argparse, os
 from pathlib import Path

 parser = argparse.ArgumentParser()
@ -48,9 +48,23 @@ ssl_directory = Path("C:/") / "Program Files" / "OpenSSL"
 shutil.copy2(ssl_directory / "libcrypto-1_1-x64.dll", out_dir)
 shutil.copy2(ssl_directory / "libssl-1_1-x64.dll", out_dir)

-# [TODO] Sign binary
 if args.sign:
-    pass
+    # We assume here that signtool and certificate are properly configured.
+    # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
+    command = [
+        "signtool.exe",
+        "sign",
+        "/fd",
+        "sha256",
+        "/tr",
+        "http://ts.ssl.com",
+        "/td",
+        "sha256",
+        "/sha1",
+        os.environ["SIGNTOOL_THUMBPRINT"],
+        str(out_dir / "kiwix-desktop.exe"),
+    ]
+    subprocess.run(command, check=True)

 print(
    f"""Create archive