From 07f46bd72f8fb71760908c88e668524c06a933ce Mon Sep 17 00:00:00 2001
From: RJ Ryan
Date: Wed, 8 Jul 2020 23:08:25 -0700
Subject: Add a PKCS12 Windows code signing certificate and sign exe/msi artifacts. This certificate is encrypted with AppVeyor's "secure files" tool: https://www.appveyor.com/docs/how-to/secure-files/ The secret, salt and password in appveyor.yml are encrypted with AppVeyor's repository-specific public key. During AppVeyor builds, the environment variables are set to the decrypted value of the secret, salt, and password which allows us to decrypt the PKCS12 file and then decrypt the private key within the PKCS12 file. The private key in the PKCS12 file itself is encrypted with PBE-SHA1-3DES, since apparently Windows does not support AES.
---
 appveyor.yml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'appveyor.yml')
diff --git a/appveyor.yml b/appveyor.yml
index abdd789c35..d6bc12c1bb 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -165,7 +165,13 @@ for:
 ENVIRONMENTS_PATH: C:\mixxx-buildserver
 MSVC_PATH: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community"
 PATH: 'C:\Python37-x64;C:\Python37-x64\Scripts;%PATH%'
-
+ CODESIGN_CERTIFICATE_PATH: build\certificates\windows_sectigo_codesign_certificate.pfx
+ CODESIGN_CERTIFICATE_SECURE_FILE_SECRET:
+ secure: 1xzNVbLop/5/ySSgZxPzyOz5cm8nVMLEIEW4x0XOJjI=
+ CODESIGN_CERTIFICATE_SECURE_FILE_SALT:
+ secure: tw+bg3qfia7+WQdBdXtC301Z9Dv7yQ6SwpWcFJav9YC4zwyyGztev6pAbGE93sln4VO0WRCJ+4/KTviBMPXvXQ==
+ CODESIGN_CERTIFICATE_PASSWORD:
+ secure: EiAsLAgrsS+N3rr71AAkXPCrxIe2vLvlOvCipnTw6pg=
 install:
 - set /P ENVIRONMENT_NAME=
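Review bot: The decrypted secure-file secret, salt and PFX password are added beside `PATH` in what looks like the job-wide environment block, so every command from `install:` onward inherits them, including dependency and build scripts that never sign anything. Since the encrypted .pfx is committed to the repository, those three values are the only thing protecting the signing key; I would confine decryption and signing to one late step and restrict that step to trusted branch or tag builds. AppVeyor does not set secure variables on pull-request builds by default, so a comment such as `# Secure values are unset on PR builds; skip signing when CODESIGN_CERTIFICATE_PASSWORD is empty.` above `CODESIGN_CERTIFICATE_PATH` would document the expected behaviour. The steps that decrypt the file and call the signer are outside the visible part of this diff, so whether they already guard against empty values cannot be confirmed here.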