add FW Lite code signing (#1093)

.github/workflows/fw-lite.yaml

@@ -9,6 +9,7 @@ on:
       - '.github/workflows/fw-lite.yaml'
     branches:
       - develop
+      - main
   pull_request:
     paths:
       - 'backend/FwLite/**'
@@ -17,12 +18,16 @@ on:
       - '.github/workflows/fw-lite.yaml'
     branches:
       - develop
+      - main
 
 jobs:
   build-and-test:
     name: Build FW Lite and run tests
     timeout-minutes: 20
     runs-on: windows-latest
+    outputs:
+      version: ${{ steps.setVersion.outputs.VERSION }}
+      semver-version: ${{ steps.setVersion.outputs.SEMVER_VERSION }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -34,7 +39,14 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version-file: './frontend/package.json'
-
+      - name: Set Version
+        id: setVersion
+        shell: bash
+        # set version to date in vYYYY-MM-DD-commitSha format, and semver version to YYYY.MM.DD
+        run: |
+          shortSha=$(echo ${{ github.sha }} | cut -c1-8)
+          echo "VERSION=v$(date --rfc-3339=date)-$shortSha" >> ${GITHUB_OUTPUT}
+          echo "SEMVER_VERSION=$(date +%Y.%-m.%-d)" >> ${GITHUB_OUTPUT}
       - name: Dotnet build
         working-directory: backend/FwLite/FwLiteDesktop
         run: |
@@ -80,12 +92,12 @@ jobs:
 
       - name: Publish OSX
         working-directory: backend/FwLite/LocalWebApp
-        run: dotnet publish -r osx-x64 --artifacts-path ../artifacts
+        run: dotnet publish -r osx-x64 --artifacts-path ../artifacts -p:Version=${{ needs.build-and-test.outputs.semver-version }}
 
       - name: Publish OSX ARM
         working-directory: backend/FwLite/LocalWebApp
-        run: dotnet publish -r osx-arm64 --artifacts-path ../artifacts
-
+        run: dotnet publish -r osx-arm64 --artifacts-path ../artifacts -p:Version=${{ needs.build-and-test.outputs.semver-version }}
+#todo sign the app
       - name: Upload local web app artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -117,7 +129,7 @@ jobs:
 
       - name: Publish Linux
         working-directory: backend/FwLite/LocalWebApp
-        run: dotnet publish -r linux-x64 --artifacts-path ../artifacts
+        run: dotnet publish -r linux-x64 --artifacts-path ../artifacts -p:PublishSingleFile=true -p:Version=${{ needs.build-and-test.outputs.semver-version }}
 
       - name: Upload FWLite Desktop artifacts
         uses: actions/upload-artifact@v4
@@ -127,10 +139,7 @@ jobs:
           path: backend/FwLite/artifacts/publish/LocalWebApp/*
 
   publish-win:
-    name: Publish FW Lite app
-
-    # only publish if tag matches fwlite-v* pattern
-    # iif: startsWith(github.ref, 'refs/tags/fwlite-v')
+    name: Publish FW Lite app for Windows
     needs: build-and-test
     timeout-minutes: 30
     runs-on: windows-latest
@@ -157,75 +166,108 @@ jobs:
       - name: Publish Windows MAUI portable app
         working-directory: backend/FwLite/FwLiteDesktop
         run: |
-          dotnet publish -r win-x64 --artifacts-path ../artifacts -p:WindowsPackageType=None
-          dotnet publish -r win-arm64 --artifacts-path ../artifacts -p:WindowsPackageType=None
-      - name: Upload FWLite Desktop artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: fw-lite-portable
-          if-no-files-found: error
-          path: backend/FwLite/artifacts/publish/FwLiteDesktop/*
+          dotnet publish -r win-x64 --artifacts-path ../artifacts -p:WindowsPackageType=None -p:ApplicationDisplayVersion=${{ needs.build-and-test.outputs.semver-version }}
+          dotnet publish -r win-arm64 --artifacts-path ../artifacts -p:WindowsPackageType=None -p:ApplicationDisplayVersion=${{ needs.build-and-test.outputs.semver-version }}
+          mkdir -p ../artifacts/sign/portable
+          cp -r ../artifacts/publish/FwLiteDesktop/* ../artifacts/sign/portable/
 
       - name: Publish Windows MAUI msix app
-        if: false
         working-directory: backend/FwLite/FwLiteDesktop
         run: |
-          dotnet publish -f net8.0-windows10.0.19041.0 -r win-x64 --artifacts-path ../artifacts -p:Platform=x64
-          dotnet publish -f net8.0-windows10.0.19041.0 -r win-arm64 --artifacts-path ../artifacts -p:Platform=arm64
+          dotnet publish -r win-x64 --artifacts-path ../artifacts -p:ApplicationDisplayVersion=${{ needs.build-and-test.outputs.semver-version }}
+          dotnet publish -r win-arm64 --artifacts-path ../artifacts -p:ApplicationDisplayVersion=${{ needs.build-and-test.outputs.semver-version }}
           mkdir -p ../artifacts/msix
           cp ../artifacts/bin/FwLiteDesktop/*/AppPackages/*/*.msix ../artifacts/msix/
 
-      - name: Upload FWLite Desktop artifacts
+      - name: Bundle MSIX
+        working-directory: backend/FwLite/artifacts/msix
+        shell: pwsh
+        run: |
+          $SdkVersion = '10.0.19041.0'
+          $Architecture = 'x86'
+          $sdkToolsPath = Join-Path -Path 'C:\Program Files (x86)\Windows Kits\10\bin' -ChildPath $SdkVersion -AdditionalChildPath $Architecture
+          $env:Path += ";$sdkToolsPath"
+
+          MakeAppx.exe bundle /v /bv ${{ needs.build-and-test.outputs.semver-version }}.1 /d . /p ../sign/FwLiteDesktop.msixbundle
+
+      - name: Sign with Trusted Signing
+        if: ${{ github.ref_name == 'develop' || github.ref_name == 'main' }}
+        uses: azure/[email protected]
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: ${{ vars.TRUSTED_SIGNING_ENDPOINT }}
+          trusted-signing-account-name: ${{ vars.TRUSTED_SIGNING_ACCOUNT_NAME }}
+          certificate-profile-name: ${{ vars.CERTIFICATE_PROFILE_NAME }}
+          files-folder: ${{ github.workspace }}/backend/FwLite/artifacts/sign
+          files-folder-filter: msixbundle,exe
+          files-folder-recurse: true
+          files-folder-depth: 4
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          description:  'Release for version ${{ needs.build-and-test.outputs.version }} from branch ${{ github.ref_name || github.head_ref }}'
+          description-url: 'https://github.com/sillsdev/languageforge-lexbox'
+          trace: ${{ runner.debug == '1' }}
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: true
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
+      - name: Upload FWLite Portable
         uses: actions/upload-artifact@v4
-        if: false
         with:
-          name: fw-lite-msix
+          name: fw-lite-portable
           if-no-files-found: error
-          path: backend/FwLite/artifacts/msix/*.msix
-
-  sign-installer:
-    #disabled as this doesn't work since ltops-signing doesn't have the signtool
-    if: false
-    name: Sign FWLite MSIX installer
-    needs: publish-win
-    runs-on: [self-hosted, ltops-signing]
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          name: fw-lite-msix
-          path: target-msix
-      - name: Sign MSIX installer
-        shell: pwsh
-        env:
-          signtool: C:/"Program Files (x86)"/"Windows Kits"/10/bin/10.0.17763.0/x86/signtool.exe
-        run: |
-          $PublicCert = [System.Convert]::FromBase64String('${{ secrets.CODESIGN_LSDEVSECTIGOEV }}')
-          Set-Content $ENV:TEMP\certificate -Value ($PublicCert) -AsByteStream
-          ${{env.signtool}} sign /f $ENV:TEMP\certificate /fd sha256 /du https://software.sil.org /tr http://timestamp.sectigo.com /td sha256 /v target-msix/*.msix
-      - name: Upload signed MSIX installer
+          path: backend/FwLite/artifacts/sign/portable/*
+
+      - name: Upload FWLite MSIX
         uses: actions/upload-artifact@v4
         with:
-          name: fw-lite-msix-signed
+          name: fw-lite-msix
           if-no-files-found: error
-          path: target-msix/*.msix
+          path: backend/FwLite/artifacts/sign/*.msixbundle
 
   create-release:
-    #disabled since we don't have a release yet
-    if: false
+    if: ${{ github.ref_name == 'main' || github.head_ref == 'chore/setup-trusted-signing' }}
     name: Create Release
-    needs: sign-installer
-    runs-on: windows-latest
+    needs: [ build-and-test, publish-win, publish-linux, publish-mac]
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/download-artifact@v4
         with:
-          name: fw-lite
+          name: fw-lite-msix
+          path: fw-lite-msix
+      - uses: actions/download-artifact@v4
+        with:
+          name: fw-lite-portable
+          path: fw-lite-portable
+      - uses: actions/download-artifact@v4
+        with:
+          name: fw-lite-local-web-app-linux
+          path: fw-lite-local-web-app-linux
+
+      - name: Zip artifacts
+        run: |
+          zip -r fw-lite-portable.zip fw-lite-portable
+          zip -r fw-lite-local-web-app-linux.zip fw-lite-local-web-app-linux
 
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
+          tag_name: ${{ needs.build-and-test.outputs.version }}
+          target_commitish: ${{ github.sha }}
+          generate_release_notes: true
+          draft: ${{ github.head_ref == 'chore/setup-trusted-signing' }}
           files: |
-            backend/FwLite/artifacts/bin/FwLiteDesktop/*/AppPackages/FwLiteDesktop_1.0.0.1_Test/*.msix
-          body: |
-            Release for version ${{ github.ref }}
-          draft: true
+            fw-lite-msix/*
+            fw-lite-portable.zip
+            fw-lite-local-web-app-linux.zip
+

backend/FwLite/FwLiteDesktop/FwLiteDesktop.csproj

@@ -22,10 +22,9 @@
 		<ImplicitUsings>enable</ImplicitUsings>
 		<Nullable>enable</Nullable>
         <SelfContained>true</SelfContained>
-        <Platform Condition="$([MSBuild]::IsOSPlatform('windows'))">x64</Platform>
 
 		<!-- controls display name in Package.appxmanifest -->
-		<ApplicationTitle>FW Lite (nightly)</ApplicationTitle>
+		<ApplicationTitle>FieldWorks Lite</ApplicationTitle>
 
 		<!-- App Identifier -->
 		<ApplicationId>com.sil.fwlitedesktop</ApplicationId>

backend/FwLite/FwLiteDesktop/Platforms/Windows/Package.appxmanifest

@@ -5,18 +5,15 @@
   xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
   IgnorableNamespaces="uap rescap">
 
-  <Identity Name="FwLiteDesktop" Publisher="CN=&quot;SUMMER INSTITUTE OF LINGUISTICS, INC.&quot;, O=&quot;SUMMER INSTITUTE OF LINGUISTICS, INC.&quot;, S=Texas, C=US, OID.2.5.4.15=Private Organization, SERIALNUMBER=62218101" Version="0.0.0.0" />
-<!--    for now to publish to the microsoft store, we need to use a different identity-->
-   <!-- <Identity Name="KevinHahn.FWLitenightly"
-              Publisher="CN=7BEA9D9E-7070-4761-8F0A-2C10487C3E25"
-              Version="0.9.0.0"/>
--->
+  <Identity Name="FwLiteDesktop"
+            Publisher="CN=&quot;Summer Institute of Linguistics, Inc.&quot;, O=&quot;Summer Institute of Linguistics, Inc.&quot;, L=Dallas, S=Texas, C=US"
+            Version="0.0.0.0" />
   <Properties>
 <!--      publisher name must match the microsoft store-->
 <!--    <PublisherDisplayName>Kevin Hahn</PublisherDisplayName>-->
 <!--      modified with ApplicationTitle in FwLiteDesktop.csproj-->
     <DisplayName>$placeholder$</DisplayName>
-      <PublisherDisplayName>SIL</PublisherDisplayName>
+    <PublisherDisplayName>SIL</PublisherDisplayName>
     <Logo>$placeholder$.png</Logo>
   </Properties>