Sign Windows builds again (#4348)

.github/actions/package/windows/action.yml

@@ -15,12 +15,15 @@ inputs:
   msystem:
     description: MSYS2 subsystem to use
     required: false
-  windows-codesign-cert:
+  azure-client-id:
-    description: Certificate for signing Windows builds
+    description: Client ID for the Azure Signer Application
-    required: false
+    required: true
-  windows-codesign-password:
+  azure-tenant-id:
-    description: Password for signing Windows builds
+    description: Tenant ID for the Azure Signer Application
-    required: false
+    required: true
+  azure-subscription-id:
+    description: Subscription ID for the Azure Signer Application
+    required: true
 
 runs:
   using: composite
@@ -50,23 +53,45 @@ runs:
 
         Get-ChildItem ${{ env.INSTALL_DIR }} -Recurse | ForEach FullName | Resolve-Path -Relative | %{ $_.TrimStart('.\') } | %{ $_.TrimStart('${{ env.INSTALL_DIR }}') } | %{ $_.TrimStart('\') } | Out-File -FilePath ${{ env.INSTALL_DIR }}/manifest.txt
 
-    - name: Fetch codesign certificate
+    - name: Emit warning for unsigned builds
-      shell: bash # yes, we are not using MSYS2 or PowerShell here
+      if: ${{ github.ref_name != 'develop' || inputs.azure-client-id == '' }}
-      run: |
-        echo '${{ inputs.windows-codesign-cert }}' | base64 --decode > codesign.pfx
-
-    - name: Sign executable
       shell: pwsh
-      env:
-        INSTALL_DIR: install
       run: |
-        if (Get-Content ./codesign.pfx){
+        ":warning: Skipped code signing for Windows, as certificate was not present." >> $env:GITHUB_STEP_SUMMARY
-          cd ${{ env.INSTALL_DIR }}
+
-          # We ship the exact same executable for portable and non-portable editions, so signing just once is fine
+    - name: Login to Azure
-          SignTool sign /fd sha256 /td sha256 /f ../codesign.pfx /p '${{ inputs.windows-codesign-password }}' /tr http://timestamp.digicert.com prismlauncher.exe prismlauncher_updater.exe prismlauncher_filelink.exe 
+      if: ${{ github.ref_name == 'develop' && inputs.azure-client-id != '' }}
-        } else {
+      uses: azure/login@v2
-          ":warning: Skipped code signing for Windows, as certificate was not present." >> $env:GITHUB_STEP_SUMMARY
+      with:
-        }
+        client-id: ${{ inputs.azure-client-id }}
+        tenant-id: ${{ inputs.azure-tenant-id }}
+        subscription-id: ${{ inputs.azure-subscription-id }}
+
+    - name: Sign executables
+      if: ${{ github.ref_name == 'develop' && inputs.azure-client-id != '' }}
+      uses: azure/trusted-signing-action@v0
+      with:
+        endpoint: https://eus.codesigning.azure.net/
+        trusted-signing-account-name: PrismLauncher
+        certificate-profile-name: PrismLauncher
+
+        files: |
+          install/prismlauncher.exe
+          install/prismlauncher_filelink.exe
+          install/prismlauncher_updater.exe
+
+        # TODO(@getchoo): Is this all really needed???
+        # https://github.com/Azure/trusted-signing-action/blob/fc390cf8ed0f14e248a542af1d838388a47c7a7c/docs/OIDC.md
+        exclude-environment-credential: true
+        exclude-workload-identity-credential: true
+        exclude-managed-identity-credential: true
+        exclude-shared-token-cache-credential: true
+        exclude-visual-studio-credential: true
+        exclude-visual-studio-code-credential: true
+        exclude-azure-cli-credential: false
+        exclude-azure-powershell-credential: true
+        exclude-azure-developer-cli-credential: true
+        exclude-interactive-browser-credential: true
 
     - name: Package (MinGW, portable)
       if: ${{ inputs.msystem != '' }}
@@ -115,13 +140,28 @@ runs:
         makensis -NOCD "${{ github.workspace }}/${{ env.BUILD_DIR }}/program_info/win_install.nsi"
 
     - name: Sign installer
-      shell: pwsh
+      if: ${{ github.ref_name == 'develop' && inputs.azure-client-id != '' }}
-      run: |
+      uses: azure/trusted-signing-action@v0
-        if (Get-Content ./codesign.pfx){
+      with:
-          SignTool sign /fd sha256 /td sha256 /f codesign.pfx /p '${{ inputs.windows-codesign-password }}' /tr http://timestamp.digicert.com PrismLauncher-Setup.exe
+        endpoint: https://eus.codesigning.azure.net/
-        } else {
+        trusted-signing-account-name: PrismLauncher
-          ":warning: Skipped code signing for Windows, as certificate was not present." >> $env:GITHUB_STEP_SUMMARY
+        certificate-profile-name: PrismLauncher
-        }
+
+        files: |
+          PrismLauncher-Setup.exe
+
+        # TODO(@getchoo): Is this all really needed???
+        # https://github.com/Azure/trusted-signing-action/blob/fc390cf8ed0f14e248a542af1d838388a47c7a7c/docs/OIDC.md
+        exclude-environment-credential: true
+        exclude-workload-identity-credential: true
+        exclude-managed-identity-credential: true
+        exclude-shared-token-cache-credential: true
+        exclude-visual-studio-credential: true
+        exclude-visual-studio-code-credential: true
+        exclude-azure-cli-credential: false
+        exclude-azure-powershell-credential: true
+        exclude-azure-developer-cli-credential: true
+        exclude-interactive-browser-credential: true
 
     - name: Upload binary zip
       uses: actions/upload-artifact@v5

.github/workflows/build.yml

@@ -70,6 +70,8 @@ jobs:
     name: Build (${{ matrix.artifact-name }})
 
     permissions:
+      # Required for Azure Trusted Signing
+      id-token: write
       # Required for vcpkg binary cache
       packages: write
 
@@ -215,5 +217,6 @@ jobs:
           artifact-name: ${{ matrix.artifact-name }}
           msystem: ${{ matrix.msystem }}
 
-          windows-codesign-cert: ${{ secrets.WINDOWS_CODESIGN_CERT }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          windows-codesign-password: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}