ci: add signpath
authortobtoht <tob@featherwallet.org>
Tue, 25 Mar 2025 03:38:57 +0000 (04:38 +0100)
committertobtoht <tob@featherwallet.org>
Tue, 25 Mar 2025 17:05:40 +0000 (18:05 +0100)
.github/workflows/guix.yml
contrib/guix/libexec/build.sh
contrib/installers/windows/setup.nsi.in

index a0825b04a328fbe6da7a4873b5b68e47f329d5e6..09d6e02705853143b1037810e8d090b9715b8326 100644 (file)
@@ -37,6 +37,9 @@ jobs:
           - target: "x86_64-apple-darwin"
           - target: "arm64-apple-darwin"
 
+    outputs:
+      WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}
+      WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}
     name: ${{ matrix.toolchain.target }}
     steps:
       - uses: actions/checkout@v4
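Review bot: The new job-level `outputs:` block sits on a matrix job with no comment saying that each output is written by only one matrix leg. From the steps added further down in this file, `win-installer` runs only for `x86_64-w64-mingw32.installer` and `win-executable` only for `x86_64-w64-mingw32`, so every other leg leaves both values empty. A one-line comment above `outputs:` would record that, for example `# each ID is set by exactly one matrix leg; all other legs leave it empty`, so that a later change which lets two legs write the same output is recognised as a problem.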
@@ -55,7 +58,7 @@ jobs:
           path: contrib/depends/sources
           key: sources-${{ hashFiles('contrib/depends/packages/*') }}
       - name: install dependencies
-        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils
+        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode
       - name: apparmor workaround
         # https://bugs.launchpad.net/ubuntu/+source/guix/+bug/2064115
         run: |
@@ -82,11 +85,18 @@ jobs:
           files: |
             guix/guix-build-*/build/distsrc-*/build/bin/feather.exe
       - uses: actions/upload-artifact@v4
+        id: upload-artifact
         with:
           name: ${{ matrix.toolchain.target }}
           path: |
             guix/guix-build-*/output/${{ matrix.toolchain.target }}/*
             guix/guix-build-*/logs/${{ matrix.toolchain.target }}/*
+      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}
+        id: win-installer
+        run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
+      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}
+        id: win-executable
+        run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
 
   bundle-logs:
     runs-on: ubuntu-24.04
@@ -104,9 +114,45 @@ jobs:
         with:
           name: "logs"
           path: '**/logs/**'
-      - uses: ncipollo/release-action@v1
-        if: startsWith(github.ref, 'refs/tags/')
+
+  codesigning:
+    runs-on: ubuntu-24.04
+    needs: [build-guix, bundle-logs]
+    if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-rc')
+    strategy:
+      fail-fast: false
+      matrix:
+        toolchain:
+          - target: "x86_64-w64-mingw32"
+          - target: "x86_64-w64-mingw32.installer"
+    steps:
+      - name: install dependencies
+        run: sudo apt update; sudo apt -y install osslsigncode
+      - name: "set artifact id"
+        run: |
+          if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then
+            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV
+            echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV
+          elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then
+            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV
+            echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV
+          fi
+      - uses: signpath/github-action-submit-signing-request@v1
+        name: "request signature"
         with:
-          artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz"
-          draft: true
-          name: v${{github.ref_name}}
+          api-token: '${{ secrets.SIGNPATH_API_KEY }}'
+          organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'
+          project-slug: 'feather'
+          signing-policy-slug: 'release-signing'
+          artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}
+          github-artifact-id: ${{ env.ARTIFACT_ID }}
+          wait-for-completion: true
+          output-artifact-directory: codesigning/
+      - name: "extract signature"
+        run: osslsigncode extract-signature -in codesigning/guix-build-*/output/${{ matrix.toolchain.target }}/*.exe -out codesigning/${{ matrix.toolchain.target }}.pem
+      - uses: actions/upload-artifact@v4
+        name: "upload signature"
+        with:
+          name: ${{ matrix.toolchain.target }}.pem
+          path: |
+            codesigning/${{ matrix.toolchain.target }}.pem
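Review bot: The `request signature` step hands `secrets.SIGNPATH_API_KEY` to `signpath/github-action-submit-signing-request@v1`, a mutable tag, so whatever commit that tag points to at run time receives the token for the `release-signing` policy. Pinning the action to a full commit SHA, `uses: signpath/github-action-submit-signing-request@<full-commit-sha>  # v1` (placeholder; take the SHA from the action's repository), keeps the signing path fixed to reviewed code. The `extract signature` step passes the glob `codesigning/guix-build-*/output/.../*.exe` to `-in`; if it ever matches more than one file, osslsigncode receives extra arguments, so naming the expected file explicitly would be safer. No `permissions:` key is set on the job in this hunk, and whether one exists at workflow level is not visible here.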
index 94a434122b5b7ea7b77cc48cd6118e104ef1cf0a..c1c3a03057204eabfe75f43785c31cfd57a97a14 100755 (executable)
@@ -377,8 +377,8 @@ export PATH="${BASEPREFIX}/${HOST}/native/bin:${PATH}"
             case "$OPTIONS" in
                 installer)
                     makensis -DCUR_PATH=$PWD -V2 contrib/installers/windows/setup.nsi
-                    cp contrib/installers/windows/FeatherWalletSetup-*.exe "${INSTALLPATH}/"
-                    mv contrib/installers/windows/FeatherWalletSetup-*.exe "${OUTDIR}/"
+                    cp contrib/installers/windows/FeatherWalletSetup.exe "${INSTALLPATH}/"
+                    mv contrib/installers/windows/FeatherWalletSetup.exe "${OUTDIR}/"
                     ;;
             esac
             ;;
@@ -423,6 +423,28 @@ export PATH="${BASEPREFIX}/${HOST}/native/bin:${PATH}"
                     *darwin*)
                         signapple apply Feather.app "/distsrc/external/feather-codesigning/signatures/${HOST}/Feather.app"
                         ;;
+                    *mingw*)
+                        case "$OPTIONS" in
+                            installer)
+                                osslsigncode attach-signature \
+                                                 -in "FeatherWalletSetup.exe" \
+                                                 -out "FeatherWalletSetup.exe.tmp" \
+                                                 -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
+                                                 -sigin "/distsrc/external/feather-codesigning/signatures/${HOST}/feather.installer.pem" || true
+                                cp FeatherWalletSetup.exe.tmp "${OUTDIR}/FeatherWalletSetup-${TAG}.exe"
+                                mv FeatherWalletSetup.exe.tmp "FeatherWalletSetup-${TAG}.exe"
+                                rm "${OUTDIR}/FeatherWalletSetup.exe"
+                                ;;
+                            "")
+                                osslsigncode attach-signature \
+                                                 -in "feather.exe" \
+                                                 -out "feather.exe.tmp" \
+                                                 -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt" \
+                                                 -sigin "/distsrc/external/feather-codesigning/signatures/${HOST}/feather.pem" || true
+                                mv feather.exe.tmp feather.exe
+                                ;;
+                        esac
+                        ;;
                 esac
             fi
         fi
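Review bot: Both `osslsigncode attach-signature` invocations end in `|| true`, so a signature that fails to attach or to verify against `-CAfile` does not stop the build, and the following `cp`/`mv` publish the `.tmp` file under the release name regardless. If tolerating the failure is deliberate (for instance because the chain cannot be validated inside the Guix environment, which is an assumption), a comment should say so and the result should still be checked, e.g. `osslsigncode verify -in feather.exe.tmp -CAfile "$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt"` before the `mv`. Otherwise dropping `|| true` from the two `-sigin` lines lets a bad or mismatched detached signature fail the build. The enclosing `case "$HOST"` and its `if` start outside this hunk.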
@@ -431,25 +453,31 @@ export PATH="${BASEPREFIX}/${HOST}/native/bin:${PATH}"
         # for release
         case "$HOST" in
             *mingw*)
-                case "$OPTIONS" in
-                    installer)
-                        find . -print0 \
-                            | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
-                        find . \
-                            | sort \
-                            | zip -X@ "${OUTDIR}/${DISTNAME}-win-installer.zip" \
-                            || ( rm -f "${OUTDIR}/${DISTNAME}-win-installer.zip" && exit 1 )
-                        ;;
-                    "")
-                        mv feather.exe ${DISTNAME}.exe && \
-                        find . -print0 \
-                            | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
-                        find . \
-                            | sort \
-                            | zip -X@ "${OUTDIR}/${DISTNAME}-win.zip" \
-                            || ( rm -f "${OUTDIR}/${DISTNAME}-win.zip" && exit 1 )
-                        ;;
-                esac
+                if [[ "${TAG}" == *"-rc"* ]]; then
+                    if [ -z "$OPTIONS" ]; then
+                        mv feather.exe "${OUTDIR}/${DISTNAME}.exe"
+                    fi
+                else
+                      case "$OPTIONS" in
+                          installer)
+                              find . -print0 \
+                                  | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+                              find . \
+                                  | sort \
+                                  | zip -X@ "${OUTDIR}/${DISTNAME}-win-installer.zip" \
+                                  || ( rm -f "${OUTDIR}/${DISTNAME}-win-installer.zip" && exit 1 )
+                              ;;
+                          "")
+                              mv feather.exe ${DISTNAME}.exe && \
+                              find . -print0 \
+                                  | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+                              find . \
+                                  | sort \
+                                  | zip -X@ "${OUTDIR}/${DISTNAME}-win.zip" \
+                                  || ( rm -f "${OUTDIR}/${DISTNAME}-win.zip" && exit 1 )
+                              ;;
+                      esac
+                fi
                 ;;
             *linux*)
                 if [ "$OPTIONS" != "pack" ]; then
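Review bot: The new `if [[ "${TAG}" == *"-rc"* ]]` branch has no comment explaining why rc tags skip the zip step and, for the installer option, do nothing at all here. It appears to exist so that the bare `.exe` files are uploaded for the `codesigning` job in guix.yml, which is gated on `-rc` in the ref, but that link is only inferred from the two files. A comment above the `if` would record it, for example `# rc tags: ship the bare unsigned .exe for the signing job; release tags zip the output`. The pattern is a substring match, so any tag containing `-rc` anywhere takes this path. The re-indented `case "$OPTIONS"` in the `else` arm sits two columns deeper than the file's four-space step.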
index 323c25f3ff254bcdc49764da29e9cb9eba076e6c..09e85165912327a95027588ed4c2c108e7157462 100644 (file)
@@ -1,6 +1,6 @@
 Name "Feather Wallet"
 
-OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup-@PROJECT_VERSION@.exe"
+OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup.exe"
 RequestExecutionLevel highest
 SetCompressor /SOLID lzma
 SetDateSave off