From 9b55f6fc56cb0a91aaa5eb80899fe3225f91eb37 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Wed, 11 Oct 2023 12:55:05 +0200
Subject: [PATCH] Refactor extraction and singing in seperate steps
---
 .github/workflows/win-exe.yml | 72 +++++++++++++++--------------------
 1 file changed, 31 insertions(+), 41 deletions(-)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index c6ebdecbb..490c7eafb 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -143,53 +143,29 @@ jobs:
 - name: Fix permissions
 run: attrib -r appdir/Cryptomator/Cryptomator.exe
 shell: pwsh
- - name: Codesign binaries inside jars
- run: |
- $certificate = '${{ secrets.WIN_CODESIGN_P12_BASE64 }}'
- $password = '${{ secrets.WIN_CODESIGN_P12_PW }}'
- $certificateSHA1 = '5FC94CE149E5B511E621F53A060AC67CBD446B3A'
- $description = 'Cryptomator'
- $timestampUrl = 'http://timestamp.digicert.com'
- $folder = ".\appdir\Cryptomator\app"
- $tmpDir = ".\extract"
- $signtool = $(Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\' -Recurse -File signtool.exe | Where-Object { $_.Directory.ToString().EndsWith('x64') } | Select-Object -Last 1).FullName
-
- # preps
- Install-Module -Name Microsoft.PowerShell.TextUtility -Force -Confirm:$False
-
- # import certificate
- $bytes = ConvertFrom-Base64 -EncodedText $certificate -AsByteArray
- Set-Content -Path ".\certFile" -AsByteStream -Value $bytes
- & certutil -f -p $password -importpfx ".\certFile"
-
- # create directory to extract every jar to
- New-Item -Path $tmpDir -ItemType Directory > $null
- # iterate over all jars
- Get-ChildItem -Path $folder -Recurse -File *.jar | ForEach-Object {
- $jar = Copy-Item $_ -Destination $tmpDir -PassThru
- Set-Location -Path $tmpDir
- jar --file=$($_.FullName) --extract
- Get-ChildItem -Path "." -Recurse -File "*.dll" | ForEach-Object {
- # sign
- & $signtool sign /sm /tr ${timestampUrl} /td SHA256 /fd SHA256 /d $description /sha1 $certificateSHA1 $_.FullName
- # update jar with signed dll
- jar --file=$($jar.FullName) --update $(Resolve-Path -Relative -Path $_)
- }
- # replace old jar with its update
- Move-Item -Path $($jar.FullName) -Destination $_ -Force
- # clear extraction dir
- Remove-Item -Path ".\*" -Force -Recurse
- Set-Location -Path ".."
- }
- # clean up
- Remove-Item -Path $tmpDir
+ - name: Extract jars with DLLs for Codesigning
 shell: pwsh
+ run: |
+ Add-Type -AssemblyName "System.io.compression.filesystem"
+ $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+ $jarExtractDir = New-Item -Path ".\appdir\jar-extract" -ItemType Directory
+
+ #for all jars inspect
+ Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+ $jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+ if (@($jar.Entries | Where-Object {$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+ #jars containing dlls extract
+ Set-Location $jarExtractDir
+ Expand-Archive -Path $_.FullName
+ }
+ $jar.Dispose()
+ }
 - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+ shell: pwsh
 run: |
 New-Item -Path appdir/jpackage-jmod -ItemType Directory
 & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
 Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
- shell: pwsh
 - name: Codesign
 uses: skymatic/code-sign-action@v2
 with:
@@ -200,6 +176,20 @@ jobs:
 timestampUrl: 'http://timestamp.digicert.com'
 folder: appdir
 recursive: true
+ - name: Replace DLLs inside jars with signed ones
+ shell: pwsh
+ run: |
+ $jarExtractDir = Resolve-Path ".\appdir\jar-extract"
+ $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+ Get-ChildItem -Path $jarExtractDir | ForEach-Object {
+ $jarName = $_.Name
+ $jarFile = "${jarFolder}\${jarName}.jar"
+ Set-Location $_
+ Get-ChildItem -Path $_ -Recurse -File "*.dll" | ForEach-Object {
+ # update jar with signed dll
+ jar --file="$jarFile" --update $(Resolve-Path -Relative -Path $_)
+ }
+ }
 - name: Generate license for MSI
 run: >
 mvn -B license:add-third-party
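Review bot: The DLL detection in the "Extract jars with DLLs for Codesigning" step, `$_.Name.ToString().EndsWith(".dll")`, is a case-sensitive comparison, while the later "Replace DLLs" step picks files with a case-insensitive `-File "*.dll"` filter, so a jar whose native library is stored as `FOO.DLL` is never extracted and therefore ships unsigned; compare ordinally with `$_.Name.EndsWith('.dll', [System.StringComparison]::OrdinalIgnoreCase)`. `$jar.Dispose()` is skipped whenever `Expand-Archive` throws, so a `try { … } finally { $jar.Dispose() }` around the body would keep the open handle on the jar from outliving the iteration. The Replace step rebuilds the jar name from the extraction folder name, which makes this step depend on `Expand-Archive` creating a folder named after the archive without its extension; passing `-DestinationPath (Join-Path $jarExtractDir $_.BaseName)` would state that contract explicitly instead of relying on the cmdlet default.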
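Review bot: In the "Replace DLLs inside jars with signed ones" step the `jar --update` call runs inside `ForEach-Object` and its exit status is never checked, so a failed update (for instance when no `${jarName}.jar` exists for an extraction folder, or the relative entry path is rejected) can leave the unsigned DLL in the shipped jar; whether the runner's pwsh shell fails the step on a non-zero native exit code here is not visible from the hunk. Add `if ($LASTEXITCODE -ne 0) { throw "jar --update failed for $jarFile" }` directly after the call and guard the inner loop with `if (-not (Test-Path -LiteralPath $jarFile)) { throw "missing jar $jarFile" }`. The removed step ended with `Remove-Item -Path $tmpDir`, whereas the new flow leaves `.\appdir\jar-extract` in place inside `appdir` after the DLLs are back in their jars; removing it at the end of this step avoids the extracted copies being picked up by anything that later packages `appdir`, which is not visible in this diff.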