Updated deployment workflow that includes EV Code signing on windows

.github/workflows/deploy.yml

@@ -16,16 +16,16 @@ jobs:
             target: aarch64-apple-darwin
           - os: ubuntu-latest
             target: x86_64-unknown-linux-gnu
-          # - os: windows-2019
-          #   target: x86_64-pc-windows-msvc
+          - os: win-signing
+            target: x86_64-pc-windows-msvc
 
     runs-on: ${{ matrix.os }}
 
     env:
       TARGET: ${{ matrix.target }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
       - name: Setup Build Environment
@@ -34,32 +34,47 @@ jobs:
           sudo apt update
           sudo apt install libudev-dev libhidapi-dev
       - name: Setup rust toolchain
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          override: true
-          default: true
-          target: ${{ matrix.target }}
+          toolchain: nightly-2023-11-10
+          targets: ${{ matrix.target }}
       - uses: davidB/rust-cargo-make@v1
-      - uses: Swatinem/rust-cache@v1
+        # This doesn't work on custom win runner, so we just skip it as it's installed already anyway
+        if: ${{ ! startsWith(matrix.os, 'win-sign') }}
         with:
-          sharedKey: ${{ matrix.target }}
+          version: 0.37.23
+      - uses: Swatinem/rust-cache@v2
+        # Caching not needed on custom runner
+        if: ${{ ! startsWith(matrix.os, 'win-sign') }}
+        with:
+          shared-key: ${{ matrix.target }}
       - name: Run deploy script
         shell: bash
+        # Signing key env is required for signing dll's on windows
+        env:
+          TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+          CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+          CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+          READER: ${{secrets.WIN_EV_CSC_READER}}
+          PASS: ${{secrets.WIN_EV_CSC_PASS}}
+          CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
         run: sh ci/before_deploy.sh
       - name: Build Windows Installer
         shell: bash
-        env:
-          WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
-          WIN_CSC_DESC: ${{ secrets.WIN_CSC_DESC }}
-          WIN_CSC_SUBJECTNAME: ${{ secrets.WIN_CSC_SUBJECTNAME }}
         if: runner.os == 'Windows'
+        env:
+          TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+          CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+          CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+          READER: ${{secrets.WIN_EV_CSC_READER}}
+          PASS: ${{secrets.WIN_EV_CSC_PASS}}
+          CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
         run: cargo make --cwd wooting-analog-sdk sign-win-installer -- --target $TARGET
       - name: Build debian package
         if: startsWith(matrix.os, 'ubuntu')
         run: cargo make --cwd wooting-analog-sdk build-deb  -- --target $TARGET
       - name: Upload artifacts to release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           draft: true
           files: |

ci/before_deploy.sh

@@ -3,7 +3,7 @@
 set -ex
 
 main() {
-    local src=$(pwd) 
+    local src=$(pwd)
           stage=
           lib_ext=
           lib_prefix=
@@ -37,11 +37,20 @@ main() {
 
     test -f Cargo.lock || cargo generate-lockfile
 
-    # Currently the --out-dir flag is 'unstable' so unfortunately need to switch to nightly for the build to work properly 
+    # Currently the --out-dir flag is 'unstable' so unfortunately need to switch to nightly for the build to work properly
     # Don't need to use this currently as the rust-toolchain file specifies the rust version to use
     # rustup default nightly
     cargo make build-target-release
 
+    ROOT_DIR=${GITHUB_WORKSPACE:-.}
+    ARTIFACT_FOLDER=$ROOT_DIR/target/release-artifacts
+
+
+    # Codesign dlls before packaging up. This should only be running on Windows
+    if [ $RUNNER_OS = "Windows" ]; then
+
+        powershell $ROOT_DIR/ci/codesign.ps1 $ARTIFACT_FOLDER/wooting_analog_sdk.dll $ARTIFACT_FOLDER/wooting_analog_plugin.dll $ARTIFACT_FOLDER/wooting_analog_wrapper.dll $ARTIFACT_FOLDER/wooting-analog-sdk-updater.exe $ARTIFACT_FOLDER/wooting_analog_test_plugin.dll $ARTIFACT_FOLDER/wooting-analog-virtual-control.exe
+    fi
 
     mkdir $stage/plugins
     mkdir $stage/plugins/lib
@@ -53,8 +62,8 @@ main() {
     mkdir $stage/wrapper/sdk
 
     # Copy Plugin items
-    cp target/release-artifacts/${lib_prefix}wooting_analog_common.$lib_ext $stage/plugins/lib
-    cp target/release-artifacts/${lib_prefix}wooting_analog_plugin_dev.$lib_ext $stage/plugins/lib
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_common.$lib_ext $stage/plugins/lib
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_plugin_dev.$lib_ext $stage/plugins/lib
 
     ## Copy c headers
     cp includes/plugin.h $stage/plugins/includes/
@@ -66,18 +75,18 @@ main() {
 
 
     # Copy wrapper items
-    cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext $stage/wrapper/
-    cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$lib_ext $stage/wrapper/lib/
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext $stage/wrapper/
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$lib_ext $stage/wrapper/lib/
 
     if [ $RUNNER_OS = Windows ]; then
-        cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext.$lib_ext $stage/wrapper/
+        cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext.$lib_ext $stage/wrapper/
     fi
 
-    cp target/release-artifacts/${lib_prefix}wooting_analog_sdk.$shared_lib_ext $stage/wrapper/sdk/
-    cp target/release-artifacts/${lib_prefix}wooting_analog_test_plugin.$shared_lib_ext $stage/wrapper/sdk/
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_sdk.$shared_lib_ext $stage/wrapper/sdk/
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_test_plugin.$shared_lib_ext $stage/wrapper/sdk/
     # Include Wooting Plugin & Virtual Keyboard app
-    cp target/release-artifacts/${lib_prefix}wooting_analog_plugin.$shared_lib_ext $stage/wrapper/sdk/
-    cp target/release-artifacts/wooting-analog-virtual-control$exe_ext $stage/wrapper/sdk/
+    cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_plugin.$shared_lib_ext $stage/wrapper/sdk/
+    cp $ARTIFACT_FOLDER/wooting-analog-virtual-control$exe_ext $stage/wrapper/sdk/
 
     ## Copy c headers
     cp includes/wooting-analog-wrapper.h $stage/wrapper/includes/

ci/codesign.ps1

@@ -1,8 +1,18 @@
 # Thanks https://github.com/electron-userland/electron-builder/issues/3629#issuecomment-473238513
-Set-PSDebug -Trace 1
+# Set-PSDebug -Trace 1
+$ErrorActionPreference = "Stop"
+# dir cert:/LocalMachine
 
-dir cert:/LocalMachine
+# $WINDOWS_SDK_VER = '10.0.17763.0'
+$WINDOWS_SDK_VER = '10.0.22000.0'
 
-$Password = ConvertTo-SecureString -String $Env:WIN_CSC_KEY_PASSWORD -AsPlainText -Force
-Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
-Start-Process -NoNewWindow -Wait 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' -ArgumentList "sign -v -sm -s My -n `"$Env:WIN_CSC_SUBJECTNAME`" -d `"$Env:WIN_CSC_DESC`" `"$Env:WIN_INSTALLER_PATH`""
+# Remember what the Path was before so we can clean it up after exiting
+$PREV_PATH = $env:PATH
+
+$env:PATH += ";C:/Program Files (x86)/Windows Kits/10/bin/$WINDOWS_SDK_VER/x64/"
+
+# Passing in $args allows the caller to specify multiple files to be signed at once
+signtool.exe sign /fd sha256 /td sha256 /tr ${Env:TIMESTAMP}?td=sha256 /f $Env:CERT_FILE /csp "$Env:CRYPT_PROVIDER" /kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}" $args
+signtool.exe verify /pa $args
+
+$env:PATH = $PREV_PATH

ci/codesign.sh

@@ -2,17 +2,9 @@
 if [ $RUNNER_OS = Windows ]; then
   set -e
 
-  export PATH="C:\Program Files (x86)\Windows Kits\10\bin\x64":$PATH
-  # TODO: Dynamic installer filename
-  #export BINARY_FILE="target/wix/wooting_analog_sdk-0.1.0-x86_64.msi"
-
-#  choco install -y windows-sdk-10.0
-
-  curl -v -L "$WIN_CSC_LINK" --output cert.pfx
 
   powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
   powershell Get-ExecutionPolicy -List
 
-  powershell $GITHUB_WORKSPACE/ci/codesign.ps1
-  'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' verify -pa "$WIN_INSTALLER_PATH"
-fi
+  powershell $GITHUB_WORKSPACE/ci/codesign.ps1 $WIN_INSTALLER_PATH
+fi

rust-toolchain

@@ -1 +1 @@
-nightly-2023-08-01
+nightly-2023-11-10

wooting-analog-sdk/Makefile.toml

@@ -4,11 +4,14 @@ command = "cargo"
 args = ["wix" , "-p", "wooting-analog-sdk", "--nocapture", "--output", "${WIN_INSTALLER_PATH}"]
 
 [tasks.sign-win-installer]
-condition = {env_true = ["CARGO_MAKE_CI"]}
+env = {CODESIGN_SCRIPT_PATH="${CARGO_MAKE_WORKSPACE_WORKING_DIRECTORY}/ci/codesign.ps1"}
+# condition = {env_true = ["CARGO_MAKE_CI"]}
 dependencies = ["win-installer"]
+script_runner = "bash"
+# bash ../ci/codesign.sh
 script = [
 '''
-bash ../ci/codesign.sh
+powershell $CODESIGN_SCRIPT_PATH $WIN_INSTALLER_PATH
 '''
 ]