diff --git a/.circleci/config.yml b/.circleci/config.yml
index 17a37c5d3c..d6b6620bb6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -175,10 +175,83 @@ jobs:
 key: remixdesktop-windows-deps-{{ checksum "apps/remixdesktop/yarn.lock" }}
 paths:
 - apps/remixdesktop/node_modules
+ - persist_to_workspace:
+ root: apps/remixdesktop
+ paths:
+ - "release"
+ # see https://docs.digicert.com/en/software-trust-manager/ci-cd-integrations/script-integrations/github-integration-ksp.html
+ sign-remixdesktop-windows:
+ executor: win/default # executor type
+ working_directory: ~/remix-project
+ steps:
+ - checkout
+ - attach_workspace:
+ at: .
+ - run:
+ name: "Certificate-Setup"
+ shell: powershell.exe
+ command: |
+ cd C:\
+ New-Item C:\CERT_FILE.p12.b64
+ Set-Content -Path C:\CERT_FILE.p12.b64 -Value $env:SM_CLIENT_CERT_FILE_B64
+ certutil -decode CERT_FILE.p12.b64 Certificate_pkcs12.p12
+ cat Certificate_pkcs12.p12
+ - restore_cache:
+ name: Restore smtools-windows-x64.msi
+ keys:
+ - dl-smtools-windows-x64.msi
+ - run:
+ name: "Client-Tool-Download"
+ shell: powershell.exe
+ command: |
+ cd C:\
+ if (Test-Path 'c:\smtools-windows-x64.msi') {
+ echo 'File exists, skipping download...'
+ } else {
+ echo 'Downloading smtools-windows-x64.msi ...'
+ curl.exe -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
+ }
+ - save_cache:
+ key: dl-smtools-windows-x64.msi
+ paths:
+ - c:\smtools-windows-x64.msi
+ - run:
+ name: "Client-Tool-Setup"
+ shell: powershell.exe
+ command: |
+ cd C:\
+ msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
+ & $env:SSM\smksp_cert_sync.exe
+ & $env:SSM\smctl.exe healthcheck
+ - run:
+ name: "Find Signtool"
+ shell: powershell.exe
+ command: |
+ Get-ChildItem -Path 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit' -Filter signtool.exe -Recurse
+ - run:
+ name: "Signtool-Signing"
+ shell: powershell.exe
+ command: |
+ & $env:Signtool sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $env:RemixSetupExe
+ - run:
+ name: "Signtool-Verification"
+ shell: powershell.exe
+ command: |
+ $verify_output = $(& $env:Signtool verify /v /pa $env:RemixSetupExe)
+ echo ${verify_output}
+ if (!$verify_output.Contains("Number of files successfully Verified: 1")) {
+ echo 'Verification failed'
+ exit 1
+ }
 - store_artifacts:
- path: apps/remixdesktop/release/
+ path: ~/remix-project/release/
 destination: remixdesktop-windows
-
+ environment:
+ SM_CLIENT_CERT_FILE: 'C:\Certificate_pkcs12.p12'
+ Signtool: 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe'
+ SSM: 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools'
+ RemixSetupExe: 'C:\Users\circleci\remix-project\release\Remix IDE.exe'
+
 build-remixdesktop-mac:
 macos:
 xcode: 14.2.0
@@ -452,6 +525,9 @@ workflows:
 - build-remixdesktop-windows:
 requires:
 - build-desktop
+ - sign-remixdesktop-windows:
+ requires:
+ - build-remixdesktop-windows
 - build-remixdesktop-linux:
 requires:
 - build-desktop
diff --git a/apps/remixdesktop/package.json b/apps/remixdesktop/package.json
index 31734e09f6..855777b5c4 100644
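Review bot: The `Certificate-Setup` step ends with `cat Certificate_pkcs12.p12`, which prints the decoded client certificate file into the job log; log masking, where it applies, would match the stored `SM_CLIENT_CERT_FILE_B64` value rather than its decoded bytes, so anyone able to read the build output can copy the PKCS#12 container, which typically holds the private key. Drop that line, or replace it with an existence check such as `if (!(Test-Path C:\Certificate_pkcs12.p12)) { exit 1 }`. In `Client-Tool-Download`, `curl.exe` runs without `--fail` and the result is cached under the fixed key `dl-smtools-windows-x64.msi` and installed with no integrity check, so an HTTP error body or a tampered installer would be saved and reused; add `--fail` and check the file with `Get-AuthenticodeSignature` (status and signer) before `msiexec.exe`. `Signtool-Verification` decides on a substring of the tool's output; testing `$LASTEXITCODE` after `signtool verify` would not depend on the message wording.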
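Review bot: `sign-remixdesktop-windows` is added to the workflow with only `requires: - build-remixdesktop-windows`, so as far as this hunk shows it runs wherever the Windows build runs and the `SM_*` signing secrets are exposed to each of those runs. If the workflow is not already limited elsewhere (its filters lie outside the hunk), restrict the job with `filters: branches: only: <release-branch>` and supply the secrets through a restricted `context:`, so that pull-request or feature-branch code cannot obtain a production signature. The workflow's job list starts and continues outside the hunk.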
--- a/apps/remixdesktop/package.json
+++ b/apps/remixdesktop/package.json
@@ -104,7 +104,8 @@
 "target": [
 "nsis"
 ],
- "icon": "assets/icon.png"
+ "icon": "assets/icon.png",
+ "artifactName": "${productName}.${ext}"
 },
 "linux": {
 "target": [