From 042ea9b27c131828edf6f3c84809e53b3ad1a375 Mon Sep 17 00:00:00 2001 From: Serhii Varakuta Date: Thu, 25 Jul 2024 11:04:35 +0300 Subject: [PATCH] ATOR-179 Sign windows binaries --- .github/workflows/build-packages.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 4ffc801343..c10140bf8c 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -418,6 +418,26 @@ jobs: name: anon-${{ env.PKG_ENV }}-windows-amd64 path: package/ + sign-windows-64-binary: + runs-on: windows-latest + needs: build-windows-64-binary + steps: + - name: Download raw artifacts + uses: actions/download-artifact@v4 + with: + name: anon-${{ env.PKG_ENV }}-windows-amd64 + path: build/ + - name: Sign + run: | + dotnet tool install --global AzureSignTool + AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon.exe" + AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon-gencert.exe" + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: anon-${{ env.PKG_ENV }}-windows-signed-amd64 + path: build/ + # # Release # @@ -465,7 +485,7 @@ jobs: release-github: runs-on: ubuntu-latest - needs: [build-deb-package, build-macos-binary, build-windows-64-binary] + needs: [build-deb-package, build-macos-binary, sign-windows-64-binary] if: startsWith(github.ref, 'refs/tags/') steps: - name: Download raw artifacts 
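Review bot: In the `Sign` step of `sign-windows-64-binary`, a failure of the first `AzureSignTool sign` call can go unnoticed, because under the default PowerShell shell on Windows runners only the last command's exit code decides the step result; an unsigned `anon.exe` could then be uploaded under the `-windows-signed-` name, so check `$LASTEXITCODE` after each call. The tool is also installed unpinned in the job that holds the Key Vault client secret, so `dotnet tool install --global AzureSignTool` should carry `--version` with a reviewed release. The secrets are pasted into the script text by `${{ }}`, and `-kvc ${{ secrets.AZURE_CERT_NAME }}` is the one value left unquoted; mapping them through the step's `env:` avoids both. The job has no `if:` although `release-github` is limited to tags, so depending on the workflow triggers (not visible in this hunk) branch builds may be signed with the release certificate; the same tag condition or a protected environment would limit that.

```yaml
      # … unchanged: Download raw artifacts step …
      - name: Sign
        shell: pwsh
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
        run: |
          # <PINNED_VERSION> is a placeholder: record the release you reviewed.
          dotnet tool install --global AzureSignTool --version <PINNED_VERSION>
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          foreach ($file in 'build/anon.exe', 'build/anon-gencert.exe') {
            AzureSignTool sign -kvu $env:AZURE_KEY_VAULT_URI -kvi $env:AZURE_CLIENT_ID -kvt $env:AZURE_TENANT_ID -kvs $env:AZURE_CLIENT_SECRET -kvc $env:AZURE_CERT_NAME -tr http://timestamp.digicert.com -v $file
            # Stop at the first failure so a partly signed build/ is never uploaded.
            if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          }
      # … unchanged: Upload artifact step …
```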
@@ -484,7 +504,7 @@ jobs: zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/* zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/* zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/* - zip -j release-artifacts/anon-${{ env.PKG_ENV }}-windows-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-windows-amd64/* + zip -j release-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64/* ls -la -R release-artifacts/ - name: Checkout Repository uses: actions/checkout@v4
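Review bot: The wildcard in the new `zip -j` line packages every file the signing job uploaded from `build/`, but that job signs only `anon.exe` and `anon-gencert.exe`, so any other executable or DLL in the artifact (its contents are not visible here) would be released unsigned inside an archive named `signed`. Listing the two signed files explicitly, or checking the signature of everything in the directory before zipping, would make the name truthful. The published asset name also changes from `-windows-amd64.zip` to `-windows-signed-amd64.zip`, which may break existing download links or updaters; if that is not intended, keep the old output name and change only the source directory. The enclosing step starts outside this hunk.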