fix: enable code signing

nb-ccd · nb-ccd · commit b1964c749d30 · 2025-07-08T11:27:18.000+01:00
diff --git a/.github/workflows/test-windows-code-signing.yaml b/.github/workflows/test-windows-code-signing.yaml
@@ -80,7 +80,7 @@ jobs:
 
   node-windows:
     runs-on: windows-latest  
-    # environment: release # This step needs to use the release context to access credentials for code signing.
+    environment: release # This step needs to use the release context to access credentials for code signing.
     needs: [validate-preconditions]
     if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
     defaults:
@@ -102,35 +102,31 @@ jobs:
         id: digicert_client
         uses: digicert/ssm-code-signing@v1.0.0
 
-# Disabling these to test the windows-y commandline file manipulation stuff.
-#       - name: Import Windows certificate (Windows only)
-#         id: windows_certificate
-#         env:
-#           # Base64 encoding of the pfx/p12 certificate for Windows code signing.
-#           SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
-#         run: |
-#           $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
-#           $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"
-
-#           Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
-#           certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
-#           echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT
-
-#       - name: Run smctl healthcheck to confirm if the tool is configured properly.
-#         working-directory: ${{steps.build.outputs.bin_dir}}
-#         env:
-#           # windows signing
-#           # FILE_TO_SIGN: ${{ steps.build.outputs.FILE_TO_SIGN }}
-#           WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
-#           WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
-#           SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
-#           SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
-#           SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
-#           SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
-#         run: |
-#           smctl healthcheck --all
-# #           smctl sign --verbose --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ${{ env.FILE_TO_SIGN }} --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} --verbose --exit-non-zero-on-fail --failfast
-#         shell: cmd
+      - name: Import Windows certificate (Windows only)
+        id: windows_certificate
+        env:
+          # Base64 encoding of the pfx/p12 certificate for Windows code signing.
+          SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
+        run: |
+          $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
+          $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"
+
+          Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
+          certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
+          echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT
+
+      - name: Run smctl healthcheck to confirm if the tool is configured properly.
+        working-directory: ${{steps.build.outputs.bin_dir}}
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+        run: |
+          smctl healthcheck --all
+        shell: cmd
 
       - name: Install dependencies
         run: |
@@ -207,25 +203,25 @@ jobs:
           mv ./Node/NodeCollector ./Node/NodeCollector.exe 
           mv ./Node/ConcordiumNode ./Node/ConcordiumNode.exe
 
-      # - name: Sign files with smctl
-      #   working-directory: ${{steps.build.outputs.bin_dir}}
-      #   env:
-      #     WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
-      #     WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
-      #     SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
-      #     SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
-      #     SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
-      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
-      #     SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
-      #   run: |
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }}  ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-      #   shell: cmd
+      - name: Sign files with smctl
+        working-directory: ${{steps.build.outputs.bin_dir}}
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+          SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
+        run: |
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }}  ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+        shell: cmd
 
       - name: Rename files back to their original form without extension. 
         run: |
@@ -243,15 +239,26 @@ jobs:
           makecab.exe /D MaxDiskSize=0 /D Cabinet=ON /D Compress=ON /D CabinetName1=Node.cab /D SourceDir=Node /f cabfiles.txt
         shell: cmd
 
-
       - name: Repackage the cabinet file. 
         run: |
           rm Node.cab
           mv disk1\Node.cab .
           MsiDb.exe -d ./service/windows/installer/Node.msi -k Node.cab
           MsiDb.exe -d ./service/windows/installer/Node.msi -a Node.cab
   
-      # Here we would sign the installer
+      - name: Sign files with smctl
+        working-directory: ${{steps.build.outputs.bin_dir}}
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+          SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
+        run: |
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+        shell: cmd
 
       - name: Rename the package to target filename.
         run: |
