Merge commit 'a91e8d226c6c07c68a9b60074a7db3669b233f51' into checkpoint/main_from_release_2.0.0_a91e8d226c6c07c68a9b60074a7db3669b233f51

.github/workflows/build-windows-installer.yml

@@ -130,16 +130,39 @@ jobs:
         if [ -n "$GLUE_ACCESS_TOKEN" ]; then HAS_GLUE_SECRET='true' ; fi
         echo HAS_GLUE_SECRET=${HAS_GLUE_SECRET} >> "$GITHUB_OUTPUT"
       env:
-        SIGNING_SECRET: "${{ secrets.WIN_CODE_SIGN_CERT }}"
+        SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"
         AWS_SECRET: "${{ secrets.CHIA_AWS_ACCOUNT_ID }}"
         GLUE_ACCESS_TOKEN: "${{ secrets.GLUE_ACCESS_TOKEN }}"
 
-    - name: Decode code signing cert into an encrypted file
+    - name: Setup Certificate
       if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
-      uses: kitek/decode-base64-into-file-action@1.0
-      with:
-        encoded-value: ${{ secrets.WIN_CODE_SIGN_CERT }}
-        destination-file: .\win_code_sign_cert.p12
+      shell: bash
+      run: |
+        echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+
+    - name: Set signing variables
+      if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
+      shell: bash
+      run: |
+        echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+        echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+        echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+        echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+        echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
+        echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+        echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+        echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
+
+    - name: Setup SSM KSP on windows latest
+      if: steps.check_secrets.outputs.HAS_SIGNING_SECRET
+      shell: cmd
+      run: |
+        curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
+        msiexec /i smtools-windows-x64.msi /quiet /qn
+        smksp_registrar.exe list
+        smctl.exe keypair ls
+        C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+        smksp_cert_sync.exe
 
     # Create our own venv outside of the git directory JUST for getting the ACTUAL version so that install can't break it
     - name: Get version number
@@ -234,8 +257,7 @@ jobs:
     - name: Build Windows installer
       env:
         CHIA_INSTALLER_VERSION: ${{ steps.version_number.outputs.CHIA_INSTALLER_VERSION }}
-        HAS_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
-        CSC_KEY_PASSWORD: ${{ secrets.WIN_CODE_SIGN_PASS }}
+        HAS_SIGNING_SECRET: ${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET }}
       run: |
         $env:path="C:\Program` Files` (x86)\Microsoft` Visual` Studio\2019\Enterprise\SDK\ScopeCppSDK\vc15\VC\bin\;$env:path"
         $env:path="C:\Program` Files` (x86)\Windows` Kits\10\App` Certification` Kit;$env:path"

build_scripts/build_windows-2-installer.ps1

@@ -38,9 +38,6 @@ npm ci
 $Env:Path = $(npm bin) + ";" + $Env:Path
 
 Set-Location -Path "..\..\" -PassThru
-If ($env:HAS_SECRET) {
-    $env:CSC_LINK = Join-Path "." "win_code_sign_cert.p12" -Resolve
-}
 
 Write-Output "   ---"
 Write-Output "Prepare Electron packager"
@@ -76,12 +73,15 @@ electron-builder build --win --x64 --config.productName="Chia"
 Get-ChildItem dist\win-unpacked\resources
 Write-Output "   ---"
 
-If ($env:HAS_SECRET) {
+If ($env:HAS_SIGNING_SECRET) {
+   Write-Output "   ---"
+   Write-Output "Sign App"
+   signtool.exe sign /sha1 $env:SM_CODE_SIGNING_CERT_SHA1_HASH /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\dist\ChiaSetup-$packageVersion.exe
    Write-Output "   ---"
    Write-Output "Verify signature"
    Write-Output "   ---"
    signtool.exe verify /v /pa .\dist\ChiaSetup-$packageVersion.exe
-   }   Else    {
+}   Else    {
    Write-Output "Skipping verify signatures - no authorization to install certificates"
 }