Detach, sign and reattach burn-engine during windows CI

j-chmielewski · j-chmielewski · commit df687040e3f9 · 2024-04-17T12:13:17.000+02:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -225,6 +225,14 @@ jobs:
           asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
           asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
           asset_content_type: application/octet-stream
+
+  # Building signed windows bundle involves a few steps as described here:
+  # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+  # 1. Build defguard & bundle the binaries (defguard & wireguard) using wix (windows)
+  # 2. Detach the burn engine from the bundle so that it can be signed (also windows)
+  # 3. Sign the burn engine (linux)
+  # 4. Reattach the burn engine back to the bundle (windows again)
+  # 5. Sign the whole bundle (linux)
   build-windows:
     needs:
       - create-release
@@ -271,18 +279,70 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Bundle application
         run: |
+          # prepare wix extension
           dotnet tool install --global wix --version 4.0.5
           wix extension add WixToolset.Bal.wixext/4
+          # bundle defguard & wireguard binaries together
           wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
-      - name: Upload installer artifact
+          # detach burn engine from the bundle to be signed
+          wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+      - name: Upload unsigned bundle and burn-engine
         uses: actions/upload-artifact@v4
         with:
-          name: defguard-client.exe
-          path: src-tauri/resources-windows/defguard-client.exe
-  sign-msi:
+          name: unsigned-bundle-and-burnengine
+          path: |
+            src-tauri/resources-windows/defguard-client.exe
+            src-tauri/resources-windows/burnengine.exe
+  sign-burn-engine:
     needs:
       - build-windows
+    runs-on:
+      - self-hosted
+      - Linux
+    steps:
+      - name: Write release version
+        run: |
+          VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Download unsigned bundle & burn-engine
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned-bundle-and-burnengine
+      - name: Sign burn-engine
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+      - name: Upload bundle and burn-engine artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-bundle-and-signed-burnengine
+          path: |
+            src-tauri/resources-windows/defguard-client.exe
+            src-tauri/resources-windows/burnengine-signed.exe
+  reattach-burn-engine:
+    needs:
+      - sign-burn-engine
+    runs-on: windows-latest
+    steps:
+      - name: Download unsigned bundle & signed burn-engine
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned-bundle-and-signed-burnengine
+      - name: Reattach burn-engine
+        run: |
+          # prepare wix extension
+          dotnet tool install --global wix --version 4.0.5
+          wix extension add WixToolset.Bal.wixext/4
+          # reattach burn engine to the bundle
+          wix burn reattach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine-signed.exe -o defguard-client-reattached.exe
+      - name: Upload bundle with reattached burn-engine
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-bundle-with-reattached-signed-burn-engine
+          path: defguard-client-reattached.exe
+  sign-bundle:
+    needs:
       - create-release
+      - reattach-burn-engine
     runs-on:
       - self-hosted
       - Linux
@@ -292,13 +352,13 @@ jobs:
           VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> $GITHUB_ENV
-      - name: Download a single artifact
+      - name: Download unsigned bundle & signed burn-engine
         uses: actions/download-artifact@v4
         with:
-          name: defguard-client.exe
-      - name: Sign MSI
-        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client.exe -out defguard-client-signed.exe
-      - name: Upload installer
+          name: unsigned-bundle-with-reattached-signed-burn-engine
+      - name: Sign bundle
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+      - name: Upload installer asset
         uses: actions/upload-release-asset@v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
