Signing support on Windows with P12 keys

2026-01-24 14:28:14 -05:00 · 2016-04-08 14:36:51 -07:00
parent c4f60d0d42
commit 6bbf0d3271
2 changed files with 40 additions and 9 deletions
--- a/build/certs/AtomDevTestSignKey.p12
+++ b/build/certs/AtomDevTestSignKey.p12
--- a/build/tasks/codesign-task.coffee
+++ b/build/tasks/codesign-task.coffee
@@ -1,24 +1,46 @@
 path = require 'path'
+fs = require 'fs'
+request = require 'request'

 module.exports = (grunt) ->
  {spawn} = require('./task-helpers')(grunt)

+  signUsingWindowsSDK = (exeToSign, callback) ->
+    {WIN_P12KEY_PASSWORD, WIN_P12KEY_URL} = process.env
+    if WIN_P12KEY_URL?
+      grunt.log.ok("Obtaining signing key")
+      downloadedKeyFile = path.resolve(__dirname, 'DownloadedSignKey.p12')
+      downloadFile WIN_P12KEY_URL, downloadedKeyFile, (done) ->
+        signUsingWindowsSDKTool exeToSign, downloadedKeyFile, WIN_P12KEY_PASSWORD, (done) ->
+          fs.unlinkSync(downloadedKeyFile)
+          callback()
+    else
+      signUsingWindowsSDKTool exeToSign, path.resolve(__dirname, '..', 'certs', 'AtomDevTestSignKey.p12'), 'password', callback
+
+  signUsingWindowsSDKTool = (exeToSign, keyFilePath, password, callback) ->
+    grunt.log.ok("Signing #{exeToSign}")
+    args = ['sign', '/v', '/p', password, '/f', keyFilePath, exeToSign]
+    spawn {cmd: 'C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v7.1A\\bin\\signtool.exe', args: args}, callback
+
+  signUsingJanky = (exeToSign, callback) ->
+    spawn {cmd: 'signtool', args: [exeToSign]}, callback
+
+  signWindowsExecutable = if process.env.JANKY_SIGNTOOL then signUsingJanky else signUsingWindowsSDK
+
  grunt.registerTask 'codesign:exe', 'CodeSign Atom.exe and Update.exe', ->
    done = @async()
    spawn {cmd: 'taskkill', args: ['/F', '/IM', 'atom.exe']}, ->
-      cmd = process.env.JANKY_SIGNTOOL ? 'signtool'
      atomExePath = path.join(grunt.config.get('atom.shellAppDir'), 'atom.exe')
-      spawn {cmd, args: [atomExePath]}, (error) ->
+      signWindowsExecutable atomExePath, (error) ->
        return done(error) if error?

        updateExePath = path.resolve(__dirname, '..', 'node_modules', 'grunt-electron-installer', 'vendor', 'Update.exe')
-        spawn {cmd, args: [updateExePath]}, (error) -> done(error)
+        signWindowsExecutable updateExePath, (error) -> done(error)

  grunt.registerTask 'codesign:installer', 'CodeSign AtomSetup.exe', ->
    done = @async()
-    cmd = process.env.JANKY_SIGNTOOL ? 'signtool'
    atomSetupExePath = path.resolve(grunt.config.get('atom.buildDir'), 'installer', 'AtomSetup.exe')
-    spawn {cmd, args: [atomSetupExePath]}, (error) -> done(error)
+    signWindowsExecutable atomSetupExePath, (error) -> done(error)

  grunt.registerTask 'codesign:app', 'CodeSign Atom.app', ->
    done = @async()
@@ -26,14 +48,23 @@ module.exports = (grunt) ->
    unlockKeychain (error) ->
      return done(error) if error?

-      cmd = 'codesign'
      args = ['--deep', '--force', '--verbose', '--sign', 'Developer ID Application: GitHub', grunt.config.get('atom.shellAppDir')]
-      spawn {cmd, args}, (error) -> done(error)
+      spawn {cmd: 'codesign', args: args}, (error) -> done(error)

  unlockKeychain = (callback) ->
    return callback() unless process.env.XCODE_KEYCHAIN

-    cmd = 'security'
    {XCODE_KEYCHAIN_PASSWORD, XCODE_KEYCHAIN} = process.env
    args = ['unlock-keychain', '-p', XCODE_KEYCHAIN_PASSWORD, XCODE_KEYCHAIN]
-    spawn {cmd, args}, (error) -> callback(error)
+    spawn {cmd: 'security', args: args}, (error) -> callback(error)
+
+  downloadFile = (sourceUrl, targetPath, callback) ->
+    options = {
+      url: sourceUrl
+      headers: {
+        'User-Agent': 'Atom Signing Key build task',
+        'Accept': 'application/vnd.github.VERSION.raw' }
+    }
+    request(options)
+      .pipe(fs.createWriteStream(targetPath))
+      .on('finish', callback)