diff --git a/.github/workflows/app-test-build-deploy.yaml b/.github/workflows/app-test-build-deploy.yaml
index 7322db49154e..2d104a737d5f 100644
--- a/.github/workflows/app-test-build-deploy.yaml
+++ b/.github/workflows/app-test-build-deploy.yaml
@@ -211,32 +211,6 @@ jobs:
 python-version: '3.10'
 - name: check make version
 run: make --version
- - name: 'Configure Windows code signing environment'
- if: startsWith(matrix.os, 'windows') && contains(needs.determine-build-type.outputs.type, 'release')
- shell: bash
- run: |
- echo "${{ secrets.SM_CLIENT_CERT_FILE_B64_V2 }}" | base64 --decode > /d/Certificate_pkcs12.p12
- echo "${{ secrets.WINDOWS_CSC_B64}}" | base64 --decode > /d/opentrons_labworks_inc.crt
- echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
- echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
- echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
- - name: 'Setup Windows code signing helpers'
- if: startsWith(matrix.os, 'windows') && contains(needs.determine-build-type.outputs.type, 'release')
- shell: cmd
- env:
- SM_HOST: ${{ secrets.SM_HOST_V2 }}
- SM_CLIENT_CERT_FILE: "D:\\Certificate_pkcs12.p12"
- SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD_V2}}
- SM_API_KEY: ${{secrets.SM_API_KEY_V2}}
- run: |
- curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:${{secrets.SM_API_KEY_V2}}" -o Keylockertools-windows-x64.msi
- msiexec /i Keylockertools-windows-x64.msi /quiet /qn
- smksp_registrar.exe list
- smctl.exe keypair ls
- C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
- smksp_cert_sync.exe
- smctl.exe healthcheck --all
 # Do the frontend dist bundle
 - name: 'bundle ${{matrix.variant}} frontend'
@@ -255,13 +229,9 @@ jobs:
 OT_APP_MIXPANEL_ID: ${{ secrets.OT_APP_MIXPANEL_ID }}
 OT_APP_INTERCOM_ID: ${{ secrets.OT_APP_INTERCOM_ID }}
 WINDOWS_SIGN: ${{ format('{0}', contains(needs.determine-build-type.outputs.type, 'release')) }}
- SM_CODE_SIGNING_CERT_SHA1_HASH: ${{secrets.SM_CODE_SIGNING_CERT_SHA1_HASH_V2}}
- SM_KEYPAIR_ALIAS: ${{secrets.SM_KEYPAIR_ALIAS_V2}}
- SM_HOST: ${{ secrets.SM_HOST_V2 }}
- SM_CLIENT_CERT_FILE: "D:\\Certificate_pkcs12.p12"
- SM_CLIENT_CERT_PASSWORD: ${{secrets.SM_CLIENT_CERT_PASSWORD_V2}}
- SM_API_KEY: ${{secrets.SM_API_KEY_V2}}
- WINDOWS_CSC_FILEPATH: "D:\\opentrons_labworks_inc.crt"
+ AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
+ AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
+ AZURE_CLIENT_SECRET: ${{secrets.AZURE_CLIENT_SECRET}}
 CSC_LINK: ${{ secrets.OT_APP_CSC_MACOS_V2 }}
 CSC_KEY_PASSWORD: ${{ secrets.OT_APP_CSC_KEY_MACOS_V2 }}
 APPLE_ID: ${{ secrets.OT_APP_APPLE_ID_V2 }}
diff --git a/app-shell/electron-builder.config.js b/app-shell/electron-builder.config.js
index ea94be54b6aa..27f510d109b4 100644
--- a/app-shell/electron-builder.config.js
+++ b/app-shell/electron-builder.config.js
@@ -67,11 +67,11 @@ module.exports = async () => ({
 target: ['nsis'],
 icon: project === 'robot-stack' ? 'build/icon.ico' : 'build/three.ico',
 forceCodeSigning: WINDOWS_SIGN,
- signtoolOptions: {
- publisherName: 'Opentrons Labworks Inc.',
- rfc3161TimeStampServer: 'http://timestamp.digicert.com',
- sign: 'scripts/windows-custom-sign.js',
- signingHashAlgorithms: ['sha256'],
+ azureSignOptions: {
+ publisherName: 'OPENTRONS LABWORKS INC.',
+ codeSigningAccountName: 'desktop-app-signing',
+ certificateProfileName: 'OpentronsDesktopApp',
+ endpoint: 'https://eus.codesigning.azure.net',
 },
 },
 nsis: {
diff --git a/app-shell/scripts/windows-custom-sign.js b/app-shell/scripts/windows-custom-sign.js
deleted file mode 100644
index f0735a50989c..000000000000
--- a/app-shell/scripts/windows-custom-sign.js
+++ /dev/null
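Review bot: AZURE_CLIENT_SECRET is a long-lived credential handed to the build step's env for every matrix job, whereas the Windows signing steps this commit deletes were gated on `startsWith(matrix.os, 'windows') && contains(needs.determine-build-type.outputs.type, 'release')`; the env block here carries no such condition, and the step it belongs to starts outside the hunk (the SM_* values it replaces had the same exposure, so this is inherited rather than new). A federated credential obtained via `azure/login` under `permissions: id-token: write` would avoid storing a reusable client secret at all, provided the signing tool picks up the CLI/environment credential chain — worth confirming for the electron-builder version in use. If the secret stays, `AZURE_CLIENT_SECRET: ${{ startsWith(matrix.os, 'windows') && secrets.AZURE_CLIENT_SECRET || '' }}` keeps it out of the macOS and Linux runner environments.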
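Review bot: The removed `sign: 'scripts/windows-custom-sign.js'` hook finished with an explicit `smctl sign verify --fingerprint=...` check of the produced signature, and the new `azureSignOptions` block has no equivalent, so a misconfigured `certificateProfileName` or an unsigned binary would only surface at install time. A post-build verification step in the workflow (for example `signtool verify /pa /v` on the NSIS artifact) restores that check; `forceCodeSigning: WINDOWS_SIGN` is kept, but as I read it that only fails the build when no signing configuration is present, not when the resulting signature is wrong. `publisherName` also changes from 'Opentrons Labworks Inc.' to 'OPENTRONS LABWORKS INC.'; as far as I know electron-builder matches this value against the signing certificate's subject, so it has to agree exactly with the subject configured in the Azure certificate profile — a comment above it such as `// must match the subject of the Azure Trusted Signing certificate profile exactly` would record where the value comes from.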
@@ -1,66 +0,0 @@
-// from https://github.com/electron-userland/electron-builder/issues/7605
-
-'use strict'
-
-const { execSync } = require('node:child_process')
-
-exports.default = async configuration => {
- const { WINDOWS_SIGN } = process.env
- if (WINDOWS_SIGN !== 'true') {
- return
- }
- const signCmd = `smctl sign --keypair-alias="${String(
- process.env.SM_KEYPAIR_ALIAS
- )}" --input "${String(configuration.path)}" --certificate="${String(
- process.env.WINDOWS_CSC_FILEPATH
- )}" --exit-non-zero-on-fail --failfast --verbose`
- console.log(signCmd)
- try {
- const signProcess = execSync(signCmd, {
- stdio: 'pipe',
- })
- console.log(`Sign success!`)
- console.log(
- `Sign stdout: ${signProcess?.stdout?.toString() ?? ''}`
- )
- console.log(
- `Sign stderr: ${signProcess?.stderr?.toString() ?? ''}`
- )
- console.log(`Sign code: ${signProcess.code}`)
- } catch (err) {
- console.error(`Exception running sign: ${err.status}!
-Process stdout:
- ${err?.stdout?.toString() ?? ''}
--------------
-Process stderr:
-${err?.stdout?.toString() ?? ''}
--------------
-`)
- throw err
- }
- const verifyCmd = `smctl sign verify --fingerprint="${String(
- process.env.SM_CODE_SIGNING_CERT_SHA1_HASH
- )}" --input="${String(configuration.path)}" --verbose`
- console.log(verifyCmd)
- try {
- const verifyProcess = execSync(verifyCmd, { stdio: 'pipe' })
- console.log(`Verify success!`)
- console.log(
- `Verify stdout: ${verifyProcess?.stdout?.toString() ?? ''}`
- )
- console.log(
- `Verify stderr: ${verifyProcess?.stderr?.toString() ?? ''}`
- )
- } catch (err) {
- console.error(`
-Exception running verification: ${err.status}!
-Process stdout:
- ${err?.stdout?.toString() ?? ''}
---------------
-Process stderr:
- ${err?.stderr?.toString() ?? ''}
---------------
-`)
- throw err
- }
-}