ci: use key locker to sign neuron for windows (nervosnetwork#2913)

Author: Keith-CY

.github/workflows/package.yml

@@ -51,6 +51,39 @@ jobs:
         env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
 
+      - name: Setup Certificate
+        if: matrix.os == 'windows-2019'
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+        shell: bash
+
+      - name: Set variables
+        if: matrix.os == 'windows-2019'
+        run: |
+          echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV"
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Setting up the client tools
+        if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
+        run: |
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
+          msiexec /i smtools-windows-x64.msi /quiet /qn
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+        shell: cmd
+
+      - name: Certificates Sync
+        if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
+        run: |
+          smctl windows certsync
+        shell: cmd
+
       - name: Install libudev
         if: matrix.os == 'ubuntu-20.04'
         run: |
@@ -88,8 +121,6 @@ jobs:
           bash ./scripts/release.sh win
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }}
-          CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }}
 
       - name: Package for Linux
         if: matrix.os == 'ubuntu-20.04'

.github/workflows/package_for_test.yml

@@ -62,6 +62,39 @@ jobs:
         env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: "true"
 
+      - name: Setup Certificate
+        if: matrix.os == 'windows-2019'
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+        shell: bash
+
+      - name: Set variables
+        if: matrix.os == 'windows-2019'
+        run: |
+          echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV"
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Setting up the client tools
+        if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
+        run: |
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
+          msiexec /i smtools-windows-x64.msi /quiet /qn
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+        shell: cmd
+
+      - name: Certificates Sync
+        if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }}
+        run: |
+          smctl windows certsync
+        shell: cmd
+
       - name: Install libudev
         if: matrix.os == 'ubuntu-20.04'
         run: |
@@ -101,19 +134,7 @@ jobs:
           SKIP_NOTARIZE: true
 
       - name: Package for Windows
-        if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 != '' }}
-        run: |
-          bash ./scripts/download-ckb.sh win
-          yarn build
-          bash ./scripts/copy-ui-files.sh
-          bash ./scripts/package-for-test.sh win
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }}
-          CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }}
-
-      - name: Package for Windows for skip code sign
-        if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 == '' }}
+        if: matrix.os == 'windows-2019'
         run: |
           bash ./scripts/download-ckb.sh win
           yarn build

packages/neuron-wallet/electron-builder.yml

@@ -49,6 +49,9 @@ win:
     - target: nsis
       arch:
         - x64
+  sign: scripts/customSign.js
+  signingHashAlgorithms:
+    - sha256
 
 mac:
   artifactName: "${productName}-v${version}-${os}-${arch}.${ext}"

packages/neuron-wallet/scripts/customSign.js

@@ -0,0 +1,16 @@
+const { execSync } = require('node:child_process')
+
+exports.default = async configuration => {
+  if (!process.env.SM_API_KEY) {
+    console.info(`Skip signing because SM_API_KEY and  not configured`)
+    return
+  }
+
+  if (!configuration.path) {
+    throw new Error(`Path of application is not found`)
+  }
+
+  execSync(`smctl sign --keypair-alias="${process.env.SM_KEYPAIR_NAME}" --input "${String(configuration.path)}"`, {
+    stdio: 'inherit',
+  })
+}