Feature: Switch to different windows signer (#3943)

Replace usage of signtool with Actalis code signer.
2026-05-21 20:21:27 +00:00 · 2025-07-28 15:13:15 +02:00
parent 27c10080d6
commit 8b1d2101db
2 changed files with 180 additions and 32 deletions
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -12,6 +12,11 @@ on:
        description: 'Build debug version with console output'
        type: boolean
        default: false
+      sign:
+        description: 'Sign binaries'
+        required: false
+        type: boolean
+        default: false
  push:
    branches-ignore:
      - 'dependabot/**'
@@ -205,16 +210,15 @@ jobs:
          New-Item -Path appdir/jpackage-jmod -ItemType Directory
          & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
          Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
-      - name: Codesign
-        uses: skymatic/code-sign-action@v3
+      - name: Sign DLLs with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
        with:
-          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
-          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
-          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
-          description: Cryptomator
-          timestampUrl: 'http://timestamp.digicert.com'
-          folder: appdir
+          base-dir: 'appdir'
+          file-extensions: 'dll,exe,ps1'
          recursive: true
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Replace DLLs inside jars with signed ones
        shell: pwsh
        run: |
@@ -263,15 +267,15 @@ jobs:
        env:
          JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
-      - name: Codesign MSI
-        uses: skymatic/code-sign-action@v3
+      - name: Sign msi with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
        with:
-          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
-          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
-          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
-          description: Cryptomator Installer
-          timestampUrl: 'http://timestamp.digicert.com'
-          folder: installer
+          base-dir: 'installer'
+          file-extensions: 'msi'
+          sign-description: 'Cryptomator Installer'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Add possible alpha/beta tags and architecture to installer name
        run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi
      - name: Create detached GPG signature with key 615D449FE6E6A235
@@ -374,27 +378,26 @@ jobs:
      - name: Detach burn engine in preparation to sign
        run: >
          wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
-      - name: Codesign burn engine
-        uses: skymatic/code-sign-action@v3
+      - name: Sign burn engine with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
        with:
-          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
-          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
-          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
-          description: Cryptomator Installer
-          timestampUrl: 'http://timestamp.digicert.com'
-          folder: tmp
+          base-dir: 'tmp'
+          file-extensions: 'exe'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Reattach signed burn engine to installer
        run: >
          wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
-      - name: Codesign EXE
-        uses: skymatic/code-sign-action@v3
+      - name: Sign installer with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: ./.github/actions/win-sign-action
        with:
-          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
-          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
-          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
-          description: Cryptomator Installer
-          timestampUrl: 'http://timestamp.digicert.com'
-          folder: installer
+          base-dir: 'installer'
+          file-extensions: 'exe'
+          sign-description: 'Cryptomator Bundle Installer'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Add possible alpha/beta tags to installer name
        run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.executable-suffix }}.exe
      - name: Create detached GPG signature with key 615D449FE6E6A235