IEP-1475: Signing Windows Executable

.github/workflows/win_exe_sign_test.yml

@@ -0,0 +1,263 @@
+name: Espressif-IDE Cross-platform Release
+
+on:
+  push:
+    branches: [master]
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+  pull_request:
+    branches: [master]
+
+env:
+  ARCHIVE_PREFIX: com.espressif.idf.update-
+  ARCHIVE_SUFFIX: -SNAPSHOT.zip
+
+jobs:
+  macos-build:
+    runs-on: macos-latest
+    outputs:
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Get version from tag
+        id: get_version
+        run: echo "version=${GITHUB_REF##*/v}" >> $GITHUB_OUTPUT
+
+      - name: Decode keystore and build with Maven
+        env:
+          JARSIGNER_KEYSTORE_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
+          JARSIGNER_STOREPASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
+          JARSIGNER_ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
+        run: |
+          KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+          echo "${KEYSTORE_FILE}"
+          printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
+          mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true
+          rm -v "${KEYSTORE_FILE}"
+
+      - name: Codesign Espressif-IDE
+        env: 
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        run: |
+            echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+            /usr/bin/security create-keychain -p espressif build.keychain
+            /usr/bin/security default-keychain -s build.keychain
+            /usr/bin/security unlock-keychain -p espressif build.keychain
+            /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+            /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
+
+            echo "codesigning espressif-ide-macosx.cocoa.x86_64"
+            /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
+            /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
+
+            echo "codesigning espressif-ide-macosx.cocoa.aarch64"
+            /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
+            /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
+
+            echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
+            $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
+            /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+            /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+
+            echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
+            $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
+            /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
+            /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+
+      - name: Notarization of Espressif-IDE dmg files
+        env: 
+          NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
+          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
+          NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }}
+        run: |
+              echo "Create notary keychain"
+                /usr/bin/security create-keychain -p espressif notary.keychain
+                /usr/bin/security default-keychain -s notary.keychain
+                /usr/bin/security unlock-keychain -p espressif notary.keychain
+
+                echo "Create keychain profile"
+                xcrun notarytool store-credentials "ide-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD
+                xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg --keychain-profile "ide-notarytool-profile" --wait
+
+                echo "Attach staple for x86_64.dmg"
+                xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+
+                echo "Unlock the notary keychain"
+                /usr/bin/security unlock-keychain -p espressif notary.keychain
+
+                xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg --keychain-profile "ide-notarytool-profile" --wait
+                echo "Attach staple for aarch64.dmg"
+                xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+
+      - name: Upload Espressif-IDE-macosx-cocoa-x86_64.dmg
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-macosx-cocoa-x86_64
+          path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
+
+      - name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+           name: espressif-ide-macosx.cocoa.aarch64
+           path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
+
+      - name: Upload build artifacts
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: com.espressif.idf.update
+          path: releng/com.espressif.idf.update/target/repository
+
+      - name: Upload windows rcp
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-win32
+          path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip
+
+      - name: Upload linux rcp
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: espressif-ide-linux
+          path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-linux.gtk.x86_64.tar.gz
+
+
+  windows-sign:
+    runs-on: windows-latest
+    needs: macos-build
+    env:
+      JKS_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
+      JKS_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
+      ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
+      PFX_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Download built artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: espressif-ide-win32
+          path: artifacts
+
+
+      - name: Verify the downloaded file
+        shell: pwsh
+        run: |
+           ls .\artifacts\*
+
+      - name: Extract Windows ZIP
+        shell: pwsh
+        run: |
+          Expand-Archive -Path artifacts\*.zip -DestinationPath extracted -Force
+          ls .\artifacts\*
+
+      - name: Decode base64-encoded JKS
+        run: |
+          echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
+          certutil -decode encoded.b64 mykeystore.jks
+          Remove-Item encoded.b64
+
+      - name: Convert JKS to PFX
+        shell: pwsh
+        run: |
+            & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
+            -srckeystore mykeystore.jks `
+            -srcstorepass $env:JKS_PASS `
+            -srcalias $env:ALIAS `
+            -destkeystore cert.pfx `
+            -deststoretype PKCS12 `
+            -deststorepass $env:PFX_PASS
+
+      - name: Sign Windows Executable
+        shell: pwsh
+        run: |
+          $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
+          & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
+            /f cert.pfx `
+            /p $env:PFX_PASS `
+            /tr http://timestamp.digicert.com `
+            /td sha256 `
+            /fd sha256 `
+            $exe.FullName
+
+      - name: Verify Signature
+        run: |
+         $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
+         & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" verify `
+         /pa `
+         $exe.FullName
+
+      - name: Removing original ZIP from extracted folder
+        run: |
+           Remove-Item -Force artifacts\*.zip
+
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
+        with:
+          name: Espressif-IDE-win32-Signed
+          path: extracted/
+          overwrite: true
+          if-no-files-found: error
+
+      - name: Delete the unsigned Binary
+        uses: geekyeggo/delete-artifact@v5
+        with:
+          name: espressif-ide-win32
+          failOnError: false
+
+  # deploy:
+  #   runs-on: ubuntu-latest
+  #   needs: [macos-build, windows-sign]
+  #   steps:
+  #     - uses: actions/checkout@v3
+
+  #     - name: Download final artifacts
+  #       uses: actions/download-artifact@v4
+  #       with:
+  #         name: release-artifacts
+  #         path: final
+
+  #     - name: Upload to S3 (dl.espressif.com)
+  #       env:
+  #         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  #         AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+  #         DL_BUCKET: ${{ secrets.DL_BUCKET }}
+  #         DL_DISTRIBUTION_ID: ${{ secrets.DL_DISTRIBUTION_ID }}
+  #       run: |
+  #         version=${GITHUB_REF##*/v}
+  #         folder=v${version}
+
+  #         mkdir "$folder"
+  #         unzip -q final/com.espressif.idf.update-*.zip -d "$folder"
+
+  #         mv final/com.espressif.idf.update-*.zip "${ARCHIVE_PREFIX}${version}.zip"
+  #         mv final/Espressif-IDE-macosx-cocoa-x86_64.dmg "Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg"
+  #         mv final/Espressif-IDE-macosx-cocoa-aarch64.dmg "Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg"
+
+  #         aws s3 rm s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest --recursive
+  #         aws s3 cp --acl=public-read --recursive "./$folder/" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest
+  #         aws s3 cp --acl=public-read ./releng/index.html s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest/
+  #         aws s3 cp --acl=public-read --recursive "./$folder/" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/$folder
+  #         aws s3 cp --acl=public-read --recursive --exclude "*" --include "Espressif-IDE-*" final/ s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/
+  #         aws s3 cp --acl=public-read "${ARCHIVE_PREFIX}${version}.zip" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/
+  #         aws s3 cp --acl=public-read "Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg" s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/
+  #         aws s3 cp --acl=public-read "Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg" s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/
+
+  #         aws cloudfront create-invalidation --distribution-id $DL_DISTRIBUTION_ID --paths "/dl/idf-eclipse-plugin/updates/latest/*"
+
+  #         aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-win32.win32.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${version}-win32.win32.x86_64.zip"
+  #         aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg"
+  #         aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg"
+  #         aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-linux.gtk.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${version}-linux.gtk.x86_64.tar.gz"