[release-0.14] コード署名をeSignerCKAに (#1597)

Hiroshiba · web-flow · commit 89b749ea5d44 · 2023-10-05T19:01:35.000+09:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -213,18 +213,30 @@ jobs:
         run: |
           df -h
 
-      # build electronでコード署名するには環境変数を指定が必要だけど、
-      # コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
       - name: Define Code Signing Envs
         if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          # 複数行の文字列を環境変数に代入
-          echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
-          echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
-          echo 'EOF' >> $GITHUB_ENV
+          bash build/codesign_setup.bash
+          THUMBPRINT="$(head -n 1 $THUMBPRINT_PATH)"
+          SIGNTOOL_PATH="$(head -n 1 $SIGNTOOL_PATH_PATH)"
+          echo "::add-mask::$THUMBPRINT"
 
-          echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
+          echo "WIN_CERTIFICATE_SHA1=$THUMBPRINT" >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
+          echo "SIGNTOOL_PATH=$SIGNTOOL_PATH" >> $GITHUB_ENV
+
+          # NOTE: electron-builder 22.14.13 は指定したsigntoolを使わないので、ワークアラウンドとしてディレクトリを差し替える
+          CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
+          mv "$CACHE_SIGNTOOL_DIR"{,.bak}
+          SIGNTOOL_DIR=$(dirname "$SIGNTOOL_PATH")
+          ln -s "$SIGNTOOL_DIR" "$CACHE_SIGNTOOL_DIR"
+        env:
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
+          SIGNTOOL_PATH_PATH: /tmp/signtool_path.txt
 
       # Build result will be exported to ${{ matrix.artifact_path }}
       - name: Build Electron
@@ -243,8 +255,17 @@ jobs:
         if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          echo 'CSC_LINK=' >> $GITHUB_ENV
-          echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
+          bash build/codesign_cleanup.bash
+          echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
+          echo 'SIGNTOOL_PATH=' >> $GITHUB_ENV
+
+          # NOTE: ワークアラウンドで差し替えたディレクトリを元に戻す
+          CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
+          rm -r "$CACHE_SIGNTOOL_DIR"
+          mv "$CACHE_SIGNTOOL_DIR"{.bak,}
+        env:
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       - name: Upload NoEngine Prepackage
         uses: actions/upload-artifact@v3
@@ -654,18 +675,30 @@ jobs:
         run: |
           df -h
 
-      # build electronでコード署名するには環境変数を指定が必要だけど、
-      # コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
       - name: Define Code Signing Envs
         if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          # 複数行の文字列を環境変数に代入
-          echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
-          echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
-          echo 'EOF' >> $GITHUB_ENV
+          bash build/codesign_setup.bash
+          THUMBPRINT="$(head -n 1 $THUMBPRINT_PATH)"
+          SIGNTOOL_PATH="$(head -n 1 $SIGNTOOL_PATH_PATH)"
+          echo "::add-mask::$THUMBPRINT"
 
-          echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
+          echo "WIN_CERTIFICATE_SHA1=$THUMBPRINT" >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
+          echo "SIGNTOOL_PATH=$SIGNTOOL_PATH" >> $GITHUB_ENV
+
+          # NOTE: electron-builder 22.14.13 は指定したsigntoolを使わないので、ワークアラウンドとしてディレクトリを差し替える
+          CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
+          mv "$CACHE_SIGNTOOL_DIR"{,.bak}
+          SIGNTOOL_DIR=$(dirname "$SIGNTOOL_PATH")
+          ln -s "$SIGNTOOL_DIR" "$CACHE_SIGNTOOL_DIR"
+        env:
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
+          SIGNTOOL_PATH_PATH: /tmp/signtool_path.txt
 
       # NOTE: prepackage can be removed before splitting nsis-web archive
       - name: Build Electron
@@ -688,8 +721,17 @@ jobs:
         if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          echo 'CSC_LINK=' >> $GITHUB_ENV
-          echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
+          bash build/codesign_cleanup.bash
+          echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
+          echo 'SIGNTOOL_PATH=' >> $GITHUB_ENV
+
+          # NOTE: ワークアラウンドで差し替えたディレクトリを元に戻す
+          CACHE_SIGNTOOL_DIR="$ELECTRON_BUILDER_CACHE/winCodeSign/winCodeSign-2.6.0/windows-10/x64"
+          rm -r "$CACHE_SIGNTOOL_DIR"
+          mv "$CACHE_SIGNTOOL_DIR"{.bak,}
+        env:
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       - name: Show disk space (debug info)
         shell: bash
diff --git a/build/codesign_cleanup.bash b/build/codesign_cleanup.bash
@@ -0,0 +1,20 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+# eSignerCKAで読み込んだコードサイニング証明書を破棄する
+
+set -eu
+
+if [ ! -v THUMBPRINT_PATH ]; then # THUMBPRINTの出力先
+    echo "THUMBPRINT_PATHが未定義です"
+    exit 1
+fi
+
+if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then # eSignerCKAのインストール先
+    ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
+fi
+
+# 証明書を破棄
+powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload"
+
+# THUMBPRINTを削除
+rm "$THUMBPRINT_PATH"
diff --git a/build/codesign_setup.bash b/build/codesign_setup.bash
@@ -0,0 +1,61 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+# eSignerCKAを使ってコードサイニング証明書を読み込む
+# electronから利用するためにTHUMBPRINTとsigntoolのパスを出力する
+
+set -eu
+
+if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
+    echo "ESIGNERCKA_USERNAMEが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
+    echo "ESIGNERCKA_PASSWORDが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
+    echo "ESIGNERCKA_TOTP_SECRETが未定義です"
+    exit 1
+fi
+if [ ! -v THUMBPRINT_PATH ]; then # THUMBPRINTの出力先
+    echo "THUMBPRINT_PATHが未定義です"
+    exit 1
+fi
+if [ ! -v SIGNTOOL_PATH_PATH ]; then # 対応しているsigntoolのパスの出力先
+    echo "SIGNTOOL_PATH_PATHが未定義です"
+    exit 1
+fi
+
+if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then
+    ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
+fi
+
+# eSignerCKAのセットアップ
+if [ ! -d "$ESIGNERCKA_INSTALL_DIR" ]; then
+    curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
+    unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
+    mv *eSigner*CKA_*.exe eSigner_CKA_Installer.exe
+    powershell "
+        & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$ESIGNERCKA_INSTALL_DIR" | Out-Null
+        & '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$ESIGNERCKA_INSTALL_DIR\master.key' -r
+        & '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload
+    "
+    rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
+fi
+
+# 証明書を読み込む
+powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' load"
+
+THUMBPRINT=$(
+    powershell '
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+        echo "$($CodeSigningCert.Thumbprint)"
+    '
+)
+
+# THUMBPRINTを出力
+echo "$THUMBPRINT" >"$THUMBPRINT_PATH"
+
+# 対応しているsigntoolのパスを出力
+SIGNTOOL_PATH=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
+echo "$SIGNTOOL_PATH" >"$SIGNTOOL_PATH_PATH"
diff --git a/vue.config.js b/vue.config.js
@@ -18,6 +18,12 @@ const LINUX_EXECUTABLE_NAME = process.env.LINUX_EXECUTABLE_NAME;
 // ${productName}-${version}.${ext}
 const MACOS_ARTIFACT_NAME = process.env.MACOS_ARTIFACT_NAME;
 
+// コード署名証明書
+const WIN_CERTIFICATE_SHA1 = process.env.WIN_CERTIFICATE_SHA1;
+const WIN_SIGNING_HASH_ALGORITHMS = process.env.WIN_SIGNING_HASH_ALGORITHMS
+  ? JSON.parse(process.env.WIN_SIGNING_HASH_ALGORITHMS)
+  : undefined;
+
 const isMac = process.platform === "darwin";
 
 module.exports = {
@@ -76,6 +82,12 @@ module.exports = {
               arch: ["x64"],
             },
           ],
+          certificateSha1:
+            WIN_CERTIFICATE_SHA1 !== "" ? WIN_CERTIFICATE_SHA1 : undefined,
+          signingHashAlgorithms:
+            WIN_SIGNING_HASH_ALGORITHMS !== ""
+              ? WIN_SIGNING_HASH_ALGORITHMS
+              : undefined,
         },
         directories: {
           buildResources: "build",
