ci: add esigner script

Author: invisal

.eslintignore

@@ -31,4 +31,6 @@ npm-debug.log.*
 # eslint ignores hidden directories by default:
 # https://github.com/eslint/eslint/issues/8429
 .erb
-.eslintrc.js
+.eslintrc.js
+
+sign.js

.github/workflows/release.yaml renamed to .github/workflows/mac-release.yaml

@@ -7,12 +7,7 @@ on:
 
 jobs:
   publish:
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      matrix:
-        os: [macos-latest, windows-2022]
-
+    runs-on: macos-latest
     steps:
       - name: Checkout git repo
         uses: actions/checkout@v3

.github/workflows/win-release.yaml

@@ -0,0 +1,45 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  publish:
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout git repo
+        uses: actions/checkout@v3
+
+      - name: Install Node and NPM
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+          cache: npm
+
+      - name: Download eSigner Signing Tool
+        run: Invoke-WebRequest -OutFile esigner.zip -Uri https://invisal.s3.ap-southeast-1.amazonaws.com/CodeSignTool-v1.2.7-windows.zip
+
+      - name: Unpack eSigner Signing Tool
+        run: Expand-Archive esigner.zip ./CodeSignTool-v1.2.7-windows
+
+      - name: Install and build
+        run: |
+          npm install
+          npm run postinstall
+          npm run build
+
+      - name: Publish releases
+        env:
+          # These values are used for auto updates signing
+          WINDOWS_SIGN_USER_NAME: ${{ secrets.WINDOWS_SIGN_USER_NAME }}
+          WINDOWS_SIGN_USER_PASSWORD: ${{ secrets.WINDOWS_SIGN_USER_PASSWORD }}
+          WINDOWS_SIGN_CREDENTIAL_ID: ${{ secrets.WINDOWS_SIGN_CREDENTIAL_ID }}
+          WINDOWS_SIGN_USER_TOTP: ${{ secrets.WINDOWS_SIGN_USER_TOTP }}
+
+          # This is used for uploading release assets to github
+          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          npm exec electron-builder -- --publish always

package-lock.json

@@ -193,6 +193,10 @@
       ]
     },
     "win": {
+      "signingHashAlgorithms": [
+        "sha256"
+      ],
+      "sign": "./sign.js",
       "target": [
         "nsis",
         "portable"

package.json

@@ -0,0 +1,2 @@
+*
+!.gitignore

release/temp/.gitignore

@@ -0,0 +1,44 @@
+const path = require('path');
+const fs = require('fs');
+const childProcess = require('child_process');
+
+const TEMP_DIR = path.join(__dirname, 'release', 'temp');
+
+if (!fs.statSync(TEMP_DIR).isDirectory()) {
+  fs.mkdirSync(TEMP_DIR);
+}
+
+function sign(configuration) {
+  // credentials from ssl.com
+  const USER_NAME = process.env.WINDOWS_SIGN_USER_NAME;
+  const USER_PASSWORD = process.env.WINDOWS_SIGN_USER_PASSWORD;
+  const CREDENTIAL_ID = process.env.WINDOWS_SIGN_CREDENTIAL_ID;
+  const USER_TOTP = process.env.WINDOWS_SIGN_USER_TOTP;
+
+  if (USER_NAME && USER_PASSWORD && USER_TOTP && CREDENTIAL_ID) {
+    console.log(`Signing ${configuration.path}`);
+    const { base, dir } = path.parse(configuration.path);
+    // CodeSignTool can't sign in place without verifying the overwrite with a
+    // y/m interaction so we are creating a new file in a temp directory and
+    // then replacing the original file with the signed file.
+    const tempFile = path.join(TEMP_DIR, base);
+    const setDir = `cd ./CodeSignTool-v1.2.7-windows`;
+    const signFile = `CodeSignTool sign -input_file_path="${configuration.path}" -output_dir_path="${TEMP_DIR}" -credential_id="${CREDENTIAL_ID}" -username="${USER_NAME}" -password="${USER_PASSWORD}" -totp_secret="${USER_TOTP}"`;
+    const moveFile = `move "${tempFile}" "${dir}"`;
+    childProcess.execSync(`${setDir} && ${signFile} && ${moveFile}`, {
+      stdio: 'inherit',
+    });
+  } else {
+    console.warn(`sign.js - Can't sign file ${
+      configuration.path
+    }, missing value for:
+${USER_NAME ? '' : 'WINDOWS_SIGN_USER_NAME'}
+${USER_PASSWORD ? '' : 'WINDOWS_SIGN_USER_PASSWORD'}
+${CREDENTIAL_ID ? '' : 'WINDOWS_SIGN_CREDENTIAL_ID'}
+${USER_TOTP ? '' : 'WINDOWS_SIGN_USER_TOTP'}
+`);
+    process.exit(1);
+  }
+}
+
+exports.default = sign;