Testing local runner signing for Windows.

Signed-off-by: ubi de feo <[email protected]>

Author: ubidefeo

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
       fail-fast: false
       matrix:
         config:
-          - os: windows-2019
+          - os: [self-hosted, windows-sign-pc]
           - os: ubuntu-latest
           - os: macos-13
           - os: macos-14
@@ -51,11 +51,18 @@ jobs:
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
           AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
+          INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer"
+          # We are hardcoding the path for signtool because is not present on the windows PATH env var by default.
+          # Keep in mind that this path could change when upgrading to a new runner version
+          SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
+          WIN_CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+          WIN_CERT_CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
           # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           # IS_NIGHTLY: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
           IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }}
           IS_FORK: ${{ github.event.pull_request.head.repo.fork == true }}
+
         run: |
             # See: https://www.electron.build/code-signing
             if [ $IS_FORK = true ]; then

build_resources/windowsCustomSign.js

@@ -0,0 +1,30 @@
+const childProcess = require('child_process');
+
+exports.default = async function (configuration) {
+  if (!process.env.GITHUB_ACTIONS) {
+    return;
+  }
+
+  const SIGNTOOL_PATH = process.env.SIGNTOOL_PATH;
+  const INSTALLER_CERT_WINDOWS_CER = process.env.INSTALLER_CERT_WINDOWS_CER;
+  const CERT_PASSWORD = process.env.WIN_CERT_PASSWORD;
+  const CONTAINER_NAME = process.env.WIN_CERT_CONTAINER_NAME;
+  const filePath = configuration.path;
+
+  if (
+    SIGNTOOL_PATH &&
+    INSTALLER_CERT_WINDOWS_CER &&
+    CERT_PASSWORD &&
+    CONTAINER_NAME
+  ) {
+    childProcess.execSync(
+      `"${SIGNTOOL_PATH}" sign -d "Arduino Lab for MicroPython" -f "${INSTALLER_CERT_WINDOWS_CER}" -csp "eToken Base Cryptographic Provider" -k "[{{${CERT_PASSWORD}}}]=${CONTAINER_NAME}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "${filePath}"`,
+      { stdio: 'inherit' }
+    );
+  } else {
+    console.warn(
+      `Custom windows signing was no performed one of the following variables was not provided: SIGNTOOL_PATH (${SIGNTOOL_PATH}), INSTALLER_CERT_WINDOWS_CERT (${INSTALLER_CERT_WINDOWS_CER}), CERT_PASSWORD (${CERT_PASSWORD}), CONTAINER_NAME (${CONTAINER_NAME})`
+    );
+    process.exit(1);
+  }
+};

package.json

@@ -28,6 +28,7 @@
     },
     "win": {
       "target": "zip",
+      "sign": "./build_resources/windowsCustomSign.js",
       "icon": "build_resources/icon.png"
     },
     "linux": {