copy solution for signing Windows .exe from bcc-code/bible-explorers (…

…#419) * copy solution for signing Windows .exe from bcc-code/bible-explorers * (temporarily) enable signing on PR * add debug logs * fix checking for filename * escape file path * next try * remove debug logs * don't publish for PRs
bcc-code · May 10, 2024 · cf4158d · cf4158d
1 parent eb38175
commit cf4158d
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 4 deletions.
diff --git a/.eslintignore b/.eslintignore
@@ -1,2 +1,3 @@
 dist-electron
-BMM.Web
+BMM.Web
+electron_sign_exe.js
diff --git a/.github/workflows/electron.yml b/.github/workflows/electron.yml
@@ -42,7 +42,7 @@ jobs:
         env:
           NUXT_PUBLIC_APPLICATION_INSIGHTS: ${{ vars.NUXT_PUBLIC_APPLICATION_INSIGHTS }}
 
-      - name: Building the Electron app for Mac
+      - name: Package the Electron app for Mac
         run: pnpm package:electron
         if: matrix.os == 'macos-latest'
         env:
@@ -53,9 +53,22 @@ jobs:
           APPLE_ID_PASSWORD: ${{secrets.BCCM_APPLE_APP_SPECIFIC_PASSWORD}}
           APPLE_TEAM_ID: KJ6LCYQ3A8
 
-      - name: Building the Electron app for Windows or Linux
+      - name: Package the Electron app for Linux
         run: pnpm package:electron
-        if: matrix.os != 'macos-latest'
+        if: matrix.os == 'ubuntu-latest'
+
+      - name: Install AzureSignTool
+        run: dotnet tool install -g AzureSignTool
+        if: matrix.os == 'windows-latest'
+        shell: bash
+
+      - name: Package the Electron app for Windows
+        run: pnpm package:electron
+        if: matrix.os == 'windows-latest'
+        env:
+          WINDOWS_DIRECTORY_ID: ${{ secrets.BCCM_WINDOWS_DIRECTORY_ID }}
+          WINDOWS_CLIENT_ID: ${{ secrets.BCCM_WINDOWS_CLIENT_ID }}
+          WINDOWS_CLIENT_SECRET: ${{ secrets.BCCM_WINDOWS_CLIENT_SECRET }}
 
       - name: Archive production artifacts
         uses: actions/upload-artifact@v3

diff --git a/electron_builder.js b/electron_builder.js
@@ -35,6 +35,10 @@ const config = {
   },
   win: {
     target: ["nsis", "zip"],
+    signingHashAlgorithms: ["sha256"],
+    sign: "./electron_sign_exe.js",
+    publisherName: "BCC MEDIA STI",
+    legalTrademarks: "(C) 2024 BCC MEDIA STI",
   },
   linux: {
     category: "Audio;Player",

diff --git a/electron_sign_exe.js b/electron_sign_exe.js
@@ -0,0 +1,23 @@
+const { execSync } = require("child_process");
+
+module.exports = async function (configuration) {
+  if (!configuration.path.includes(configuration.name + " Setup")) {
+    return;
+  }
+
+  const filePath = configuration.path;
+  const directoryId = process.env.WINDOWS_DIRECTORY_ID;
+  const clientId = process.env.WINDOWS_CLIENT_ID;
+  const clientSecret = process.env.WINDOWS_CLIENT_SECRET;
+
+  try {
+    execSync(
+      `AzureSignTool.exe sign -du "https://bmm.bcc.media" -kvu "https://bccm-code-sign2.vault.azure.net" -kvt ${directoryId} -kvi ${clientId} -kvs ${clientSecret} -kvc "HSM-CS" -tr "http://timestamp.digicert.com" -v "${filePath}"`,
+      { stdio: "inherit" },
+    );
+    console.log(`Successfully signed ${filePath}`);
+  } catch (error) {
+    console.error(`Failed to sign ${filePath}`);
+    throw error;
+  }
+};