Merge pull request #4447 from ethereum/desktop-win-build

win build sign

.circleci/config.yml

@@ -175,9 +175,82 @@ jobs:
           key: remixdesktop-windows-deps-{{ checksum "apps/remixdesktop/yarn.lock" }}
           paths:
             - apps/remixdesktop/node_modules
+      - persist_to_workspace:
+            root: apps/remixdesktop
+            paths:
+              - "release"
+  # see https://docs.digicert.com/en/software-trust-manager/ci-cd-integrations/script-integrations/github-integration-ksp.html    
+  sign-remixdesktop-windows:
+    executor: win/default # executor type
+    working_directory: ~/remix-project
+    steps:
+      - checkout
+      - attach_workspace:
+         at: .
+      - run:
+          name: "Certificate-Setup"
+          shell: powershell.exe
+          command: |
+            cd C:\
+            New-Item C:\CERT_FILE.p12.b64
+            Set-Content -Path C:\CERT_FILE.p12.b64 -Value $env:SM_CLIENT_CERT_FILE_B64
+            certutil -decode CERT_FILE.p12.b64 Certificate_pkcs12.p12
+            cat Certificate_pkcs12.p12
+      - restore_cache:
+          name: Restore smtools-windows-x64.msi
+          keys:
+            - dl-smtools-windows-x64.msi
+      - run:
+          name: "Client-Tool-Download"
+          shell: powershell.exe 
+          command: |
+            cd C:\
+            if (Test-Path 'c:\smtools-windows-x64.msi') {              
+              echo 'File exists, skipping download...'
+            } else {
+              echo 'Downloading smtools-windows-x64.msi ...'
+              curl.exe -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
+            }
+      - save_cache:
+          key: dl-smtools-windows-x64.msi
+          paths:
+            - c:\smtools-windows-x64.msi
+      - run:
+          name: "Client-Tool-Setup"
+          shell: powershell.exe 
+          command: |
+            cd C:\
+            msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
+            & $env:SSM\smksp_cert_sync.exe
+            & $env:SSM\smctl.exe healthcheck
+      - run:
+          name: "Find Signtool"
+          shell: powershell.exe
+          command: |
+            Get-ChildItem -Path 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit' -Filter signtool.exe -Recurse
+      - run:
+          name: "Signtool-Signing"
+          shell: powershell.exe
+          command: |
+            & $env:Signtool sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $env:RemixSetupExe
+      - run:
+          name: "Signtool-Verification"
+          shell: powershell.exe
+          command: |
+            $verify_output = $(& $env:Signtool verify /v /pa $env:RemixSetupExe)
+            echo ${verify_output}
+            if (!$verify_output.Contains("Number of files successfully Verified: 1")) {
+              echo 'Verification failed'
+              exit 1
+            }
       - store_artifacts:
-          path: apps/remixdesktop/release/
+          path: ~/remix-project/release/
           destination: remixdesktop-windows
+    environment:
+      SM_CLIENT_CERT_FILE: 'C:\Certificate_pkcs12.p12'
+      Signtool: 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe'
+      SSM: 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools'
+      RemixSetupExe: 'C:\Users\circleci\remix-project\release\Remix IDE.exe'
         
   build-remixdesktop-mac:
     macos:
@@ -452,6 +525,9 @@ workflows:
       - build-remixdesktop-windows:
           requires:
             - build-desktop
+      - sign-remixdesktop-windows:
+          requires:
+            - build-remixdesktop-windows
       - build-remixdesktop-linux:
           requires:
             - build-desktop

apps/remixdesktop/package.json

@@ -104,7 +104,8 @@
       "target": [
         "nsis"
       ],
-      "icon": "assets/icon.png"
+      "icon": "assets/icon.png",
+      "artifactName": "${productName}.${ext}"
     },
     "linux": {
       "target": [