From 428a8c1a7a2306dbadbbbd8927f08bce7b0abbc0 Mon Sep 17 00:00:00 2001
From: Dave Simpson <45690499+davegarthsimpson@users.noreply.github.com>
Date: Sat, 29 Jun 2024 10:46:01 +0200
Subject: [PATCH] attempt sign of all windows files

---
 .github/workflows/build.yml | 73 ++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a70f99034..d1491852a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -79,8 +79,12 @@ env:
 name: Windows_X86-64_interactive_installer_signed
 - path: '*Windows_64bit.msi'
 name: Windows_X86-64_MSI
+ - path: '*Windows_64bit_signed.msi'
+ name: Windows_X86-64_MSI_signed
 - path: '*Windows_64bit.zip'
 name: Windows_X86-64_zip
+ - path: '*Windows_64bit_signed.zip'
+ name: Windows_X86-64_zip_signed
 - config:
 name: Linux
 runs-on: ubuntu-latest
@@ -433,38 +437,57 @@ jobs:
 name: ${{ env.JOB_TRANSFER_ARTIFACT }}
 path: ${{ env.BUILD_ARTIFACTS_PATH }}
 
- - name: Save artifact path to variable
+ - name: Find and process artifacts
 shell: bash
 run: |
- ARTIFACT=$(find "${{ env.BUILD_ARTIFACTS_PATH }}" -name "*Windows_64bit.exe" | head -n 1)
- # Convert to Windows-style path with forward slashes
- FULL_PATH=$(cygpath -w $ARTIFACT | sed 's|\\|/|g')
- echo "ARTIFACT_PATH=$FULL_PATH" >> $GITHUB_ENV
+ shopt -s nullglob
+ for ARTIFACT in "${{ env.BUILD_ARTIFACTS_PATH }}"/*.{exe,zip,msi}; do
+ echo "Processing $ARTIFACT"
+ FILENAME=$(basename "$ARTIFACT")
+ BASE_NAME="${FILENAME%.*}"
+ EXTENSION="${FILENAME##*.}"
+
+ # Sign and rename EXE and MSI files
+ if [[ "$EXTENSION" == "exe" || "$EXTENSION" == "msi" ]]; then
+ echo "Signing $ARTIFACT"
+ "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "$ARTIFACT"
+ SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${BASE_NAME}_signed.${EXTENSION}"
+ mv "$ARTIFACT" "$SIGNED_ARTIFACT_PATH"
+ echo "Renamed $ARTIFACT to $SIGNED_ARTIFACT_PATH"
+ fi
+
+ # Unzip, Sign, and Rezip ZIP file with new name
+ if [[ "$EXTENSION" == "zip" ]]; then
+ TEMP_DIR=$(mktemp -d)
+ unzip "$ARTIFACT" -d "$TEMP_DIR"
+ find "$TEMP_DIR" -type f -name '*.exe' -exec "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v {} \;
+ SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${BASE_NAME}_signed.zip"
+ pushd "$TEMP_DIR"
+ zip -r "$SIGNED_ARTIFACT_PATH" .
+ popd
+ rm -rf "$TEMP_DIR"
+ echo "Processed and re-zipped $ARTIFACT"
+ fi
+ done
 
- - name: Save Win signing certificate to file
- run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
+ - name: Upload signed EXE
+ uses: actions/upload-artifact@v3
+ with:
+ name: Windows_X86-64_interactive_installer_signed
+ path: ${{ env.BUILD_ARTIFACTS_PATH }}/*_signed.exe
 
- - name: Sign EXE
- env:
- CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
- CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
- # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
- run: |
- "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.ARTIFACT_PATH }}
-
- - name: Rename signed EXE
- shell: bash
- run: |
- BASE_NAME=$(echo "${{ env.ARTIFACT_PATH }}" | sed 's/.exe$//')
- SIGNED_EXE_PATH="${BASE_NAME}_signed.exe"
- mv "${{ env.ARTIFACT_PATH }}" "$SIGNED_EXE_PATH"
- echo "SIGNED_ARTIFACT_PATH=$SIGNED_EXE_PATH" >> $GITHUB_ENV
-
- - name: Upload artifacts with signed EXE
+ - name: Upload signed MSI
+ uses: actions/upload-artifact@v3
+ with:
+ name: Windows_X86-64_MSI_signed
+ path: ${{ env.BUILD_ARTIFACTS_PATH }}/*_signed.msi
+
+
+ - name: Upload signed ZIP
 uses: actions/upload-artifact@v3
 with:
 name: Windows_X86-64_interactive_installer_signed
- path: ${{ env.SIGNED_ARTIFACT_PATH }}
+ path: ${{ env.BUILD_ARTIFACTS_PATH }}/*_signed.zip
 
 # This step is needed because the self hosted runner does not delete files automatically
 - name: Clean up artifacts
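Review bot: The new `Find and process artifacts` script still passes `-f ${{ env.INSTALLER_CERT_WINDOWS_CER }}` and `-k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}"` to signtool, yet this same hunk deletes the `Save Win signing certificate to file` step that created that file and the step-level `env:` block that filled `CERT_PASSWORD`/`CONTAINER_NAME` from secrets, and the diffstat shows no other hunk re-adding them, so unless a job-level definition exists outside the hunk every signing call will run with a missing certificate file and empty credentials. Keep the base64-decode step and a step `env:` carrying the two secrets, and reference them as `$CERT_PASSWORD`/`$CONTAINER_NAME` from the shell rather than templating `${{ env.* }}` into the `run:` body. `find ... -exec signtool ... {} \;` also discards signtool's exit status, so an executable that failed to sign is silently re-zipped and uploaded as `_signed.zip`; terminating the `-exec` with `{} +` makes find exit non-zero on failure, which the `-e` that an explicit `shell: bash` step runs with then turns into a step failure. Finally, `Upload signed ZIP` reuses the artifact name `Windows_X86-64_interactive_installer_signed` from the EXE upload instead of the `Windows_X86-64_zip_signed` name the manifest in the first hunk introduces, so the zip lands in the installer artifact.
```yaml
      - name: Save Win signing certificate to file
        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}

      - name: Find and process artifacts
        shell: bash
        env:
          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
        run: |
          # … unchanged: nullglob, loop header, filename parsing …
          # (EXE/MSI branch: same -k "[{{$CERT_PASSWORD}}]=$CONTAINER_NAME" substitution as below)
          # `{} +` propagates a non-zero signtool exit through find so -e fails the step instead of zipping an unsigned binary
          find "$TEMP_DIR" -type f -name '*.exe' -exec "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f "${{ env.INSTALLER_CERT_WINDOWS_CER }}" -csp "eToken Base Cryptographic Provider" -k "[{{$CERT_PASSWORD}}]=$CONTAINER_NAME" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v {} +
          # … unchanged: re-zip, cleanup, done …
      # … unchanged: Upload signed EXE, Upload signed MSI …
      - name: Upload signed ZIP
        uses: actions/upload-artifact@v3
        with:
          name: Windows_X86-64_zip_signed
          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*_signed.zip
```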