feat: Sign Windows binaries

fixes https://github.com/containers/podman-desktop/issues/120 Change-Id: I8834b8cf6f1052fd6602e56f569cc733e940dfa9 Signed-off-by: Florent Benoit <fbenoit@redhat.com>
2026-04-21 17:47:22 +00:00 · 2022-08-09 15:02:27 +02:00 · 2022-08-09 15:02:27 +02:00 · d9776757ba
commit d9776757ba
parent 850ba45f1d
3 changed files with 66 additions and 2 deletions
--- a/.electron-builder.config.js
+++ b/.electron-builder.config.js
@ -16,6 +16,8 @@
 * SPDX-License-Identifier: Apache-2.0
 ***********************************************************************/

+const exec = require('child_process').exec;
+
 if (process.env.VITE_APP_VERSION === undefined) {
  const now = new Date();
  process.env.VITE_APP_VERSION = `${now.getUTCFullYear() - 2000}.${now.getUTCMonth() + 1}.${now.getUTCDate()}-${
@ -44,6 +46,7 @@ const config = {
  },
  win: {
    target: ['portable', 'nsis'],
+    sign: configuration => azureCodeSign(configuration.path),
  },
  flatpak: {
    license: 'LICENSE',
@ -107,4 +110,45 @@ const config = {
  },*/
 };

+const azureCodeSign = filePath => {
+  if (!process.env.AZURE_KEY_VAULT_URL) {
+    console.log('Skipping code signing, no environment variables set for that.');
+    return Promise.resolve();
+  }
+
+  return new Promise((resolve, reject) => {
+    const {
+      AZURE_KEY_VAULT_TENANT_ID,
+      AZURE_KEY_VAULT_CLIENT_ID,
+      AZURE_KEY_VAULT_SECRET,
+      AZURE_KEY_VAULT_URL,
+      AZURE_KEY_VAULT_CERTIFICATE,
+    } = process.env;
+
+    // eslint-disable-next-line no-console
+    console.log('Signing file', filePath);
+    const command = `AzureSignTool sign -kvu ${AZURE_KEY_VAULT_URL} -kvi ${AZURE_KEY_VAULT_CLIENT_ID} -kvt ${AZURE_KEY_VAULT_TENANT_ID} -kvs ${AZURE_KEY_VAULT_SECRET} -kvc ${AZURE_KEY_VAULT_CERTIFICATE} -tr http://timestamp.digicert.com -v '${filePath}'`;
+    exec(command, { shell: 'powershell.exe' }, (e, stdout, stderr) => {
+      if (e instanceof Error) {
+        console.log(e);
+        reject(e);
+        return;
+      }
+
+      if (stderr) {
+        reject(new Error(stderr));
+        return;
+      }
+
+      if (stdout.indexOf('Signing completed successfully') > -1) {
+        // eslint-disable-next-line no-console
+        console.log(stdout);
+        resolve();
+      } else {
+        reject(new Error(stdout));
+      }
+    });
+  });
+};
+
 module.exports = config;
--- a/.github/workflows/next-build.yaml
+++ b/.github/workflows/next-build.yaml
@ -119,7 +119,7 @@ jobs:
          flatpak install flathub --user -y org.freedesktop.Platform/x86_64/21.08

      - name: Set macOS environment variables
-        if: ${{ matrix.os=='macos-11' }}
+        if: startsWith(matrix.os, 'macos')
        run: |
          echo "CSC_LINK=${{secrets.CSC_LINK}}" >> $GITHUB_ENV
          echo "CSC_KEY_PASSWORD=${{secrets.CSC_KEY_PASSWORD}}" >> $GITHUB_ENV
@ -127,6 +127,16 @@ jobs:
          echo "APPLE_ID_PASSWORD=${{secrets.APPLE_ID_PASSWORD}}" >> $GITHUB_ENV
          echo "APPLE_TEAM_ID=${{secrets.APPLE_TEAM_ID}}" >> $GITHUB_ENV

+      - name: Install Azure SignTool on Windows
+        if: startsWith(matrix.os, 'windows')
+        run: |
+          dotnet tool install --global AzureSignTool --version 3.0.0
+          echo "AZURE_KEY_VAULT_CERTIFICATE=${{secrets.AZURE_KEY_VAULT_CERTIFICATE}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_CLIENT_ID=${{secrets.AZURE_KEY_VAULT_CLIENT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_SECRET=${{secrets.AZURE_KEY_VAULT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_TENANT_ID=${{secrets.AZURE_KEY_VAULT_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_URL=${{secrets.AZURE_KEY_VAULT_URL}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+
      - name: Run Build
        timeout-minutes: 20
        run: yarn compile:next
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -117,7 +117,7 @@ jobs:
          flatpak install flathub --user -y org.freedesktop.Platform/x86_64/21.08

      - name: Set macOS environment variables
-        if: ${{ matrix.os=='macos-11' }}
+        if: startsWith(matrix.os, 'macos')
        run: |
          echo "CSC_LINK=${{secrets.CSC_LINK}}" >> $GITHUB_ENV
          echo "CSC_KEY_PASSWORD=${{secrets.CSC_KEY_PASSWORD}}" >> $GITHUB_ENV
@ -125,6 +125,16 @@ jobs:
          echo "APPLE_ID_PASSWORD=${{secrets.APPLE_ID_PASSWORD}}" >> $GITHUB_ENV
          echo "APPLE_TEAM_ID=${{secrets.APPLE_TEAM_ID}}" >> $GITHUB_ENV

+      - name: Install Azure SignTool on Windows
+        if: startsWith(matrix.os, 'windows')
+        run: |
+          dotnet tool install --global AzureSignTool --version 3.0.0
+          echo "AZURE_KEY_VAULT_CERTIFICATE=${{secrets.AZURE_KEY_VAULT_CERTIFICATE}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_CLIENT_ID=${{secrets.AZURE_KEY_VAULT_CLIENT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_SECRET=${{secrets.AZURE_KEY_VAULT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_TENANT_ID=${{secrets.AZURE_KEY_VAULT_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "AZURE_KEY_VAULT_URL=${{secrets.AZURE_KEY_VAULT_URL}}" | Out-File -FilePath $env:GITHUB_ENV -Append
+
      - name: Run Build
        timeout-minutes: 20
        run: yarn compile:next