Feature: Sign files with Azure trusted signing (#4038)

.github/actions/win-sign-action/action.yml

@@ -0,0 +1,76 @@
+name: 'Windows Code Signing'
+description: 'Sign files on Windows with the Azure Trusted Signing'
+inputs:
+  base-dir:
+    description: 'Absolute path to the base directory to search for files'
+    required: true
+  recursive:
+    description: 'Whether to search recursively in subdirectories'
+    required: false
+    default: 'false'
+  file-extensions:
+    description: 'List of file extensions to sign, separated by comma'
+    required: true
+    default: 'exe,dll,ps1'
+  description:
+    description: 'Signature description'
+    required: true
+    default: 'Cryptomator'
+  url:
+    description: 'Signature URL'
+    required: false
+    default: 'https://cryptomator.org'
+  append-signature:
+    description: 'Whether to append the signature to existing signatures'
+    required: false
+    default: 'false'
+  tenant-id:
+    description: 'Azure Tenant ID'
+    required: true
+  client-id:
+    description: 'Azure Client ID'
+    required: true
+  client-secret:
+    description: 'Azure Client Secret'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Generate, mask, and output the input secrets
+      id: set-secrets
+      run: |
+        echo "::add-mask::${{ inputs.tenant-id }}"
+        echo "::add-mask::${{ inputs.client-id }}"
+        echo "::add-mask::${{ inputs.client-secret }}"
+        echo "tenant-id=${{ inputs.tenant-id }}" >> "$GITHUB_OUTPUT"
+        echo "client-id=${{ inputs.client-id }}" >> "$GITHUB_OUTPUT"
+        echo "client-secret=${{ inputs.client-secret }}" >> "$GITHUB_OUTPUT"
+      shell: bash
+    - name: Sign DLLs with Azure Trusted Signing
+      uses: azure/trusted-signing-action@fc390cf8ed0f14e248a542af1d838388a47c7a7c # v0.5.10
+      with:
+        files-folder: ${{ inputs.base-dir }}
+        files-folder-filter: ${{ inputs.file-extensions }}
+        files-folder-recurse: ${{ inputs.recursive }}
+        append-signature: ${{ inputs.append-signature }}
+        description: ${{ inputs.description }}
+        description-url: ${{ inputs.url }}
+        azure-tenant-id: ${{ steps.set-secrets.outputs.tenant-id }}
+        azure-client-id: ${{ steps.set-secrets.outputs.client-id }}
+        azure-client-secret: ${{ steps.set-secrets.outputs.client-secret }}
+        trusted-signing-account-name: cryptomatorSigning
+        certificate-profile-name: production
+        endpoint: https://weu.codesigning.azure.net/
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+        exclude-environment-credential: false
+        exclude-workload-identity-credential: true
+        exclude-managed-identity-credential: true
+        exclude-shared-token-cache-credential: true
+        exclude-visual-studio-credential: true
+        exclude-visual-studio-code-credential: true
+        exclude-azure-cli-credential: true
+        exclude-azure-powershell-credential: true
+        exclude-azure-developer-cli-credential: true
+        exclude-interactive-browser-credential: true

.github/workflows/win-exe.yml

@@ -8,10 +8,6 @@ on:
       version:
         description: 'Version'
         required: false
-      isDebug:
-        description: 'Build debug version with console output'
-        type: boolean
-        default: false
       sign:
         description: 'Sign binaries'
         required: false
@@ -192,6 +188,16 @@ jobs:
           New-Item -Path appdir/jpackage-jmod -ItemType Directory
           & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
           Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
+      - name: Sign DLLs with Azure Trusted Signing
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
+        with:
+          base-dir: ${{ github.workspace }}\appdir
+          recursive: true
+          append-signature: true
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Sign DLLs with Actalis CodeSigner
         if: inputs.sign || github.event_name == 'release'
         uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
@@ -251,16 +257,16 @@ jobs:
         env:
           JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
           JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
-      - name: Sign msi with Actalis CodeSigner
+      - name: Sign MSI with Azure Trusted Signing
         if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
+        uses: ./.github/actions/win-sign-action
         with:
-          base-dir: 'installer'
-          file-extensions: 'msi'
-          sign-description: 'Cryptomator Installer'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
+          base-dir: ${{ github.workspace }}\installer
+          file-extensions: msi
+          description: 'Cryptomator Installer'
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Add possible alpha/beta tags and architecture to installer name
         run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi
       - name: Create detached GPG signature with key 615D449FE6E6A235
@@ -357,6 +363,17 @@ jobs:
       - name: Detach burn engine in preparation to sign
         run: >
           wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
+      - name: Sign WiX burn engine with Azure Trusted Signing
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
+        with:
+          base-dir: ${{ github.workspace }}\tmp
+          file-extensions: exe
+          append-signature: true
+          description: 'Cryptomator Bundle Installer'
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Sign burn engine with Actalis CodeSigner
         if: inputs.sign || github.event_name == 'release'
         uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
@@ -370,6 +387,17 @@ jobs:
       - name: Reattach signed burn engine to installer
         run: >
           wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
+      - name: Sign EXE installer with Azure Trusted Signing
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
+        with:
+          base-dir: ${{ github.workspace }}\installer
+          file-extensions: exe
+          append-signature: true
+          description: 'Cryptomator Bundle Installer'
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Sign installer with Actalis CodeSigner
         if: inputs.sign || github.event_name == 'release'
         uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version