Merge pull request #4193 from balena-io/fix-windows-signature

patch: fix windows signature

.github/actions/publish/action.yml

@@ -98,20 +98,14 @@ runs:
       id: import_win_signing_cert
       shell: powershell
       run: |
-        Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:WINDOWS_CERTIFICATE
-        certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/certificate.pfx
+        Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:SM_CLIENT_CERT_FILE_B64
+        certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/Certificate_pkcs12.p12
         Remove-Item -path ${{ runner.temp }} -include certificate.base64
 
-        Import-PfxCertificate `
-          -FilePath ${{ runner.temp }}/certificate.pfx `
-          -CertStoreLocation Cert:\CurrentUser\My `
-          -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
-
-        echo "certFilePath=${{ runner.temp }}/certificate.pfx" >> $GITHUB_OUTPUT
+        echo "certFilePath=${{ runner.temp }}/Certificate_pkcs12.p12" >> $GITHUB_OUTPUT
 
       env:
-        WINDOWS_CERTIFICATE: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING }}
-        WINDOWS_CERTIFICATE_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+        SM_CLIENT_CERT_FILE_B64: ${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_FILE_B64 }}
 
     - name: Package release
       shell: bash
@@ -137,6 +131,20 @@ runs:
           PLATFORM=Windows
           SHA256SUM_BIN=sha256sum
 
+          # Install DigiCert Signing Manager Tools      
+          curl --silent --retry 3 --fail https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download \
+            -H "x-api-key:$SM_API_KEY" \
+            -o smtools-windows-x64.msi
+          msiexec -i smtools-windows-x64.msi -qn
+          PATH="/c/Program Files/DigiCert/DigiCert One Signing Manager Tools:${PATH}"
+          smksp_registrar.exe list
+          smctl.exe keypair ls
+          /c/Windows/System32/certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+          smksp_cert_sync.exe
+
+          # (signtool.exe) https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#installed-windows-sdks
+          PATH="/c/Program Files (x86)/Windows Kits/10/bin/${runner_arch}:${PATH}"
+
         else
           echo "ERROR: unexpected runner OS: ${RUNNER_OS}"
           exit 1
@@ -174,8 +182,12 @@ runs:
         XCODE_APP_LOADER_PASSWORD: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_PASSWORD }}
         XCODE_APP_LOADER_TEAM_ID: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_TEAM_ID }}
         # Windows signing
-        WINDOWS_SIGNING_CERT_PATH: ${{ steps.import_win_signing_cert.outputs.certFilePath }}
-        WINDOWS_SIGNING_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+        SM_CLIENT_CERT_PASSWORD: ${{ fromJSON(inputs.secrets).SM_CLIENT_CERT_PASSWORD }}
+        SM_CLIENT_CERT_FILE: '${{ runner.temp }}\Certificate_pkcs12.p12'
+        SM_HOST: ${{ fromJSON(inputs.secrets).SM_HOST }}
+        SM_API_KEY: ${{ fromJSON(inputs.secrets).SM_API_KEY }}
+        SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ fromJSON(inputs.secrets).SM_CODE_SIGNING_CERT_SHA1_HASH }}
+        TIMESTAMP_SERVER: http://timestamp.digicert.com
 
     - name: Upload artifacts
       uses: actions/upload-artifact@v4

forge.config.ts

@@ -25,8 +25,7 @@ if (process.env.NODE_ENV === 'production') {
 	};
 
 	winSigningConfig = {
-		certificateFile: process.env.WINDOWS_SIGNING_CERT_PATH,
-		certificatePassword: process.env.WINDOWS_SIGNING_PASSWORD,
+		signWithParams: `-sha1 ${process.env.SM_CODE_SIGNING_CERT_SHA1_HASH} -tr ${process.env.TIMESTAMP_SERVER} -td sha256 -fd sha256 -d balena-etcher`,
 	};
 }