Add code signing and time stamping to Windows installer (#280)

* Update cert, update changelog
* Timestamp and verify windows installer
* Update package-lock.json
* It is Chia-Blockchain...
* Add path to signtool.exe
* Remove Start-Process
* use just /t for timestamp

.github/workflows/build-windows.yml

@@ -25,8 +25,11 @@ jobs:
           python-version: "3.7"
 
       - name: Build Windows installer with build_scripts\build_windows.ps1
+        env:
+          WIN_CODE_SIGN_PASS: ${{ secrets.WIN_CODE_SIGN_PASS }}
         run: |
           $env:path="C:\Program` Files` (x86)\Microsoft` Visual` Studio\2019\Enterprise\SDK\ScopeCppSDK\vc15\VC\bin\;$env:path"
+          $env:path="C:\Program` Files` (x86)\Windows` Kits\10\App` Certification` Kit;$env:path"
           .\build_scripts\build_windows.ps1
 
       - name: Upload Windows exe's to artifacts

CHANGELOG.md

@@ -9,20 +9,21 @@ for setuptools_scm/PEP 440 reasons.
 ## [Unreleased]
 
 ### Added
-- Added ability to add plot from filesystem (also need pool_pk and sk from plots.yaml.)
+- Added ability to add plot from filesystem (you will need pool_pk and sk from plots.yaml.)
 - Added ability to import private keys in the UI.
 - User can specify log level in the config file (defaults to info.)
+- The Windows installer is now signed by a Chia Network certificate. It may take some time to develop enough reputation to not warn multiple times during install.
 
 ### Changed
+- Plots are now refreshed in the UI after each plot instead of at the end of plotting.
+- We have made performance improvements to plotting speed on all platforms.
 - Test plots for the simulation and testing harness now go into `~/.chia/test-plots/`
 - We have completely refactored all networking code towards making each Chia service use the same default networking infrastructure and move to websockets as the default networking wire protocol.
 - We added additional improvements and more RPCs to the start daemon and various services to continue to make chia start/stop reliable cross platform.
-- The install.sh script now discovers if it's running on Ubuntu less than 20.04 and correctly upgrade node.js to the modern stable version.
+- The install.sh script now discovers if it's running on Ubuntu less than 20.04 and correctly upgrades node.js to the current stable version.
 - For GitHub ci builds of the Windows installer, editbin.exe is more reliably found.
 - All installer ci builds now obtain version information automatically from setuptools_scm and convert it to an installer version number that is appropriate for the platform and type of release (dev versus release.)
-- Plots are now refreshed in the UI after each plot instead of at the end of plotting.
-- We have made performance improvements to plotting speed on all platforms.
-- We now codesign the Apple .dmg installer with the Chia Network developer ID.
+- We now codesign the Apple .dmg installer with the Chia Network developer ID on both GitHub Actins and Azure Pipelines. We will be notarizing and distributing the Azure Pipelines version as it's built on MacOS Mojave (10.14.6) for stronger cross version support.
 
 ### Fixed
 - Having spaces in the path to a plot or temporary directory caused plotting to fail.

build_scripts/build_windows.ps1

@@ -1,5 +1,4 @@
-# $env:path should contain a path to editbin.exe
-
+# $env:path should contain a path to editbin.exe and signtool.exe
 
 mkdir build_scripts\win_build
 cd build_scripts\win_build
@@ -76,7 +75,8 @@ npm run build
 Write-Output "   ---"
 Write-Output "Increase the stack for chiapos"
 # editbin.exe needs to be in the path
-Start-Process "editbin.exe" -ArgumentList "/STACK:8000000 daemon\create_plots.exe" -Wait
+#Start-Process "editbin.exe" -ArgumentList "/STACK:8000000 daemon\create_plots.exe" -Wait
+editbin.exe /STACK:8000000 daemon\create_plots.exe
 Write-Output "   ---"
 
 $packageVersion = "$env:CHIA_INSTALLER_VERSION"
@@ -87,7 +87,6 @@ Write-Output "packageName is $packageName"
 Write-Output "   ---"
 Write-Output "electron-packager"
 electron-packager . Chia --asar.unpack="**/daemon/**" --overwrite --icon=.\src\assets\img\chia.ico --app-version=$packageVersion
-#electron-osx-sign Chia-darwin-x64/Chia.app --no-gatekeeper-assess  --platform=darwin  --hardened-runtime --provisioning-profile=embedded.provisionprofile --entitlements=entitlements.mac.plist --entitlements-inherit=entitlements.mac.plist
 Write-Output "   ---"
 
 Write-Output "   ---"
@@ -95,8 +94,12 @@ Write-Output "node winstaller.js"
 node winstaller.js
 Write-Output "   ---"
 
+Write-Output "   ---"
+Write-Output "Add timestamp and verify signature"
+Write-Output "   ---"
+signtool.exe timestamp /v /t http://timestamp.comodoca.com/ .\release-builds\windows-installer\ChiaSetup-$packageVersion.exe
+signtool.exe verify /v /pa .\release-builds\windows-installer\ChiaSetup-$packageVersion.exe
+
 Write-Output "   ---"
 Write-Output "Windows Installer complete"
 Write-Output "   ---"
-dir
-dir Chia-win32-x64

build_scripts/macos_notarize_build.txt

@@ -0,0 +1,18 @@
+#!/bin/bash
+# How to notarize
+
+echo "Ask for username and password - password should be an app specific password"
+# Generate app specific password https://support.apple.com/en-us/HT204397
+xcrun altool --notarize-app -f Chia-0.1.X.dmg --primary-bundle-id net.chia.blockchain -u username -p password
+echo "xcrun altool --notarize-app; -should return REQUEST-ID, use it in next command"
+
+echo "Wait until following command return a success message"
+xcrun altool --notarization-info  {REQUEST-ID} -u username -p password
+echo "It can take a while, run it every few minutes"
+
+
+echo "Once that is successful, execute the following command"
+xcrun stapler staple Chia-0.1.X.dmg
+
+echo "Validate DMG"
+xcrun stapler validate Chia-0.1.X.dmg

build_scripts/macos_release_build.txt

@@ -1,38 +0,0 @@
-#!/bin/bash
-echo "Installing npm and electron packagers"
-npm install electron-installer-dmg -g
-npm install electron-packager -g
-
-echo "Create dist/"
-sudo rm -rf dist
-mkdir dist
-
-echo "Create executeables with pyinstaller"
-pip install pyinstaller
-sudo pyinstaller daemon.spec
-cp -r dist/daemon ../electron-react
-cd ..
-cd electron-react
-
-echo "npm release build"
-echo "This won't work unless you have Straya's Certs on your machine"
-npm install
-npm run build
-electron-packager . Chia  --platform=darwin --icon=./src/assets/img/chia.icns --overwrite --app-bundle-id=straya.domain.chia
-electron-osx-sign Chia-darwin-x64/Chia.app --no-gatekeeper-assess  --platform=darwin  --hardened-runtime --provisioning-profile=embedded.provisionprofile --entitlements=entitlements.mac.plist --entitlements-inherit=entitlements.mac.plist
-electron-installer-dmg Chia-darwin-x64/Chia.app Chia-0.1.6
-
-echo "Ask Straya for username and password"
-xcrun altool --notarize-app -f Chia-0.1.6.dmg --primary-bundle-id straya.domain.chia -u username -p password
-echo "xcrun altool --notarize-app; -should return REQUEST-ID, use it in next command"
-
-echo "Wait until following command return a success message"
-xcrun altool --notarization-info  {REQUEST-ID} -u username -p password
-echo "It can take a while, run it every few minutes"
-
-
-echo "Once that is succesfull, execute the following command"
-xcrun stapler staple Chia-0.1.6.dmg
-
-echo "Validate DMG"
-xcrun stapler validate Chia-0.1.6.dmg

electron-react/package-lock.json

@@ -1,5 +1,5 @@
 {
-  "name": "Chia",
+  "name": "Chia-Blockchain",
   "requires": true,
   "lockfileVersion": 1,
   "dependencies": {

electron-react/package.json

@@ -1,8 +1,8 @@
 {
-  "name": "Chia",
-  "author": "Straya Markovic",
+  "name": "Chia-Blockchain",
+  "author": "Straya Markovic <hello@chia.net> (https://chia.net/)",
   "description": "GUI for Chia Blockchain",
-  "productName": "Chia",
+  "productName": "Chia Blockchain",
   "private": true,
   "devDependencies": {
     "electron": "^8.2.4",