Concordium · DOBEN · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025
diff --git a/.github/workflows/release-genesis-creator.yml b/.github/workflows/release-genesis-creator.yml
@@ -7,62 +7,200 @@ on:
     tags:
       - genesis-creator/*.*.*
 
+  workflow_dispatch:
+
 jobs:
   build:
-    name: build ${{ matrix.platform }}
+    name: Build and Sign Macos
     strategy:
       fail-fast: true
-      matrix:
-        platform: [macos-latest, ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.platform }}
+    runs-on: macos-latest
     environment: release-unprivileged
     steps:
-      - name: Support longpaths on Windows
-        if: matrix.platform == 'windows-latest'
-        run: git config --system core.longpaths true
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Build
         run: cargo build --locked --release --package genesis-creator
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-${{ matrix.platform }}
-          path: |
-            target/release/genesis-creator
-            target/release/genesis-creator.exe
 
-  # Attach binaries to the release identified by the tag.
-  release:
-    permissions:
-      contents: write
-    needs: build
-    runs-on: ubuntu-latest
+    - name: Import Apple signing certificates into a keychain)
+        env:
+          # Base64 encoding of the p12 certificate for Apple code signing.
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          BUILD_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_BASE64 }}
+          # Password for the p12 certificate for Apple code signing.
+          BUILD_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
+          BUILD_INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_PASSWORD }}
+          # Random string to use as the keychain password.
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_certificate.p12
+          INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_installer_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "$BUILD_INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $INSTALLER_CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$BUILD_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security import $INSTALLER_CERTIFICATE_PATH -P "$BUILD_INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+      - name: Sign macOS executable
+        env:
+          KEYCHAIN_PATH: ${KEYCHAIN_PATH}
+          BINARY_PATH: target/release/genesis-creator
+          CODESIGN_IDENTITY: "Developer ID Application: Your Name (TEAMID)"  # replace with your Apple Developer identity
+        run: |
+          echo "Signing $BINARY_PATH using keychain $KEYCHAIN_PATH"
+
+          # Ensure the keychain is unlocked
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Sign the binary
+          codesign --deep --force --verbose \
+            --sign "$CODESIGN_IDENTITY" \
+            --keychain "$KEYCHAIN_PATH" \
+          "$BINARY_PATH"
+
+          # Verify the signature
+          codesign --verify --verbose=4 "$BINARY_PATH"
+
+  # TODO: comment out temporarily
+  #     - name: Upload artifact
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: binary-macos-latest
+  #         path: |
+  #           target/release/genesis-creator
+
+
+  build:
+    name: Build and Sign Windows
+    strategy:
+      fail-fast: true
+    runs-on: windows-latest
+    environment: release-unprivileged
     steps:
+      - name: Support longpaths on Windows
+        run: git config --system core.longpaths true
+
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - uses: actions/download-artifact@v4
-      - run: |
-          mkdir uploads
-          mv binary-macos-latest/genesis-creator uploads/genesis-creator-darwin-amd64
-          mv binary-windows-latest/genesis-creator.exe uploads/genesis-creator-windows-amd64.exe
-          mv binary-ubuntu-latest/genesis-creator uploads/genesis-creator-linux-amd64
-      - name: Extract version tag from Cargo.toml manifest.
-        id: meta
+
+      - name: Build
+        run: cargo build --locked --release --package genesis-creator
+
+      - name: Install DigiCert Client tools (Windows only)
+        id: digicert_client
+        uses: digicert/[email protected]
+
+      - name: Import Windows certificate (Windows only)
+        id: windows_certificate
+        env:
+          # Base64 encoding of the pfx/p12 certificate for Windows code signing.
+          SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
         run: |
-          export VERSION=$(yq .package.version genesis-creator/Cargo.toml)
-          # Make sure the tag matches the version in Cargo.toml manifest.
-          if [ ! "${{ github.ref_name }}" = "genesis-creator/${VERSION}" ]; then
-             echo "::error Expected tag ${{ github.ref_name }} does not match the version ${VERSION}."
-             exit 1
-          else
-             # Store the version into a version variable for the following step.
-             echo "version=${VERSION}" > "$GITHUB_OUTPUT"
-          fi
-      - name: Create release and attach binaries to release.
+          $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
+          $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"
+
+          Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
+          certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
+          echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT
+
+      - name: Sign
+        working-directory: ${{steps.build.outputs.bin_dir}}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # windows signing
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ secrets.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
         run: |
-          gh release create ${{ github.ref_name }} --title "Genesis Creator ${{ steps.meta.outputs.version }}" uploads/*
+           smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --file target\release\genesis-creator.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} --verbose --exit-non-zero-on-fail --failfast
+           smctl verify --files target\release\genesis-creator.exe
+
+  # TODO: comment out temporarily
+  #     - name: Upload artifact
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: binary-windows-latest
+  #         path: |
+  #           target\release\genesis-creator.exe
+
+
+
+
+  # TODO: comment out temporarily
+  # build-ubuntu:
+  #   name: Build Ubuntu
+  #   strategy:
+  #     fail-fast: true
+  #   runs-on: ubuntu-latest
+  #   environment: release-unprivileged
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #       with:
+  #         submodules: recursive
+  # 
+  #     - name: Build
+  #       run: |
+  #         rustup target add x86_64-unknown-linux-musl
+  #         cargo build --locked --release --package genesis-creator --target x86_64-unknown-linux-musl
+  # 
+  #     - name: Upload artifact
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: binary-ubuntu-latest
+  #         path: |
+  #           target/release/x86_64-unknown-linux-musl/genesis-creator
+
+  # TODO: comment out temporarily
+  # Attach binaries to the release identified by the tag.
+  # release:
+  #   permissions:
+  #     contents: write
+  #   needs:  [Build and Sign Windows, Build and Sign Macos, Build Ubuntu]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #       with:
+  #         submodules: recursive
+  # 
+  #     - uses: actions/download-artifact@v4
+  #     - run: |
+  #         mkdir uploads
+  #         mv binary-macos-latest/genesis-creator uploads/genesis-creator-darwin-amd64
+  #         mv binary-windows-latest/genesis-creator.exe uploads/genesis-creator-windows-amd64.exe
+  #         mv binary-ubuntu-latest/genesis-creator uploads/genesis-creator-linux-amd64
+  # 
+  #     - name: Extract version tag from Cargo.toml manifest.
+  #       id: meta
+  #       run: |
+  #         export VERSION=$(yq .package.version genesis-creator/Cargo.toml)
+  #         # Make sure the tag matches the version in Cargo.toml manifest.
+  #         if [ ! "${{ github.ref_name }}" = "genesis-creator/${VERSION}" ]; then
+  #            echo "::error Expected tag ${{ github.ref_name }} does not match the version ${VERSION}."
+  #            exit 1
+  #         else
+  #            # Store the version into a version variable for the following step.
+  #            echo "version=${VERSION}" > "$GITHUB_OUTPUT"
+  #         fi
+  # 
+  #     - name: Create release and attach binaries to release.
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: |
+  #         gh release create ${{ github.ref_name }} --title "Genesis Creator ${{ steps.meta.outputs.version }}" uploads/*