From 70b80e0c862bb7cfcd4c337637a8a6035cda5e3b Mon Sep 17 00:00:00 2001
From: Nazar Mokrynskyi
Date: Sun, 10 Nov 2024 03:33:31 +0200
Subject: [PATCH] Sign both outer bundle and inner installer on Windows
---
 .github/workflows/release.yml | 37 ++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f88b448..d245d08 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -301,7 +301,7 @@ jobs:
 tool: cargo-wix
 if: runner.os == 'Windows'
- - name: Package (Windows)
+ - name: Package and sign (Windows)
 run: |
 Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue 
@@ -321,24 +321,43 @@ jobs:
 # TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271
 # & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK
-
+
 cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture
- # Create bundle with Microsoft Visual C++ Redistributable in it
- Remove-Item target\wix\space-acres.wixobj -Confirm:$false
- cargo wix --profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
 Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
 if: runner.os == 'Windows'
- - name: Sign Application (Windows)
+ - name: Sign installer (Windows)
 run: |
 $ErrorActionPreference = "Stop"
-
+
 dotnet tool install --global AzureSignTool
- (Get-ChildItem -Path target\wix -Include space-acres-*.exe -Recurse) | ForEach-Object {
+ (Get-ChildItem -Path target\wix -Include space-acres-*.msi) | ForEach-Object {
 Write("Signing $($_)");
-
+
+ AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
+ }
+ # Allow code signing to fail on non-release builds and in non-autonomys repos (forks)
+ continue-on-error: ${{ github.repository_owner != 'autonomys' || github.event_name != 'push' || github.ref_type != 'tag' }}
+ if: runner.os == 'Windows'
+
+ - name: Create bundle (Windows)
+ run: |
+ # Create a bundle with Microsoft Visual C++ Redistributable in it
+ Remove-Item target\wix\space-acres.wixobj -Confirm:$false
+ cargo wix 
--profile release --no-build --nocapture --include res\windows\wix\bundle.wxs -C -ext -C WixBalExtension
+ if: runner.os == 'Windows'
+
+ - name: Sign bundle (Windows)
+ run: |
+ $ErrorActionPreference = "Stop"
+
+ dotnet tool install --global AzureSignTool
+
+ (Get-ChildItem -Path target\wix -Include space-acres-*.exe) | ForEach-Object {
+ Write("Signing $($_)");
 AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
 }
 # Allow code signing to fail on non-release builds and in non-autonomys repos (forks)