[ci][windows] sign executables using Azure

Signed-off-by: Vitalii Koshura <[email protected]>

.github/workflows/windows.yml

@@ -33,6 +33,16 @@ env:
   AWS_ACCESS_KEY_ID: ${{secrets.S3_ACCESS_KEY}}
   AWS_SECRET_ACCESS_KEY: ${{secrets.S3_SECRET_KEY}}
   AWS_DEFAULT_REGION: us-west-2
+  AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
+  AZURE_CLIENT_SECRET: ${{secrets.AZURE_CLIENT_SECRET}}
+  AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
+  AZURE_ENDPOINT: ${{secrets.AZURE_ENDPOINT}}
+  AZURE_CODE_SIGNING_NAME: ${{secrets.AZURE_CODE_SIGNING_NAME}}
+  AZURE_CERT_PROFILE_NAME: ${{secrets.AZURE_CERT_PROFILE_NAME}}
+
+  TSCT: ${{github.workspace}}\temp\TSCT
+  DLIB: ${{github.workspace}}\temp\TSCT\Azure.CodeSigning.Dlib.dll
+  DMDF: ${{github.workspace}}\metadata.json
 
 jobs:
   build:
@@ -88,9 +98,25 @@ jobs:
             ${{github.workspace}}\3rdParty\Windows\cuda\
           key: windows-${{matrix.platform}}-${{matrix.configuration}}-${{hashFiles('win_build/vcpkg_3rdparty_dependencies.vcxproj', '.github/workflows/windows.yml')}}
 
+      - name: Install Trusted Signing Client Tools
+        if: success() && matrix.type == 'msbuild'
+        shell: powershell
+        run: $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri "https://download.microsoft.com/download/6d9cb638-4d5f-438d-9f21-23f0f4405944/TrustedSigningClientTools.msi" -OutFile .\TrustedSigningClientTools.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I TrustedSigningClientTools.msi TARGETDIR="$Env:TSCT" /quiet'; Remove-Item .\TrustedSigningClientTools.msi
+
+      - name: Write metadata.json
+        if: success() && matrix.type == 'msbuild'
+        shell: powershell
+        run: |
+          $metadata = @{
+            Endpoint = "$Env:AZURE_ENDPOINT"
+            CodeSigningAccountName = "$Env:AZURE_CODE_SIGNING_NAME"
+            CertificateProfileName = "$Env:AZURE_CERT_PROFILE_NAME"
+          }
+          $metadata | ConvertTo-Json -Depth 4 | Out-File -FilePath $Env:DMDF -Encoding utf8
+
       - name: Build
         if: success() && matrix.type == 'msbuild'
-        run: msbuild win_build\boinc.sln -p:Configuration=${{matrix.configuration}} -p:Platform=${{matrix.platform}} -p:VcpkgTripletConfig=ci -m
+        run: msbuild win_build\boinc.sln -p:Configuration=${{matrix.configuration}} -p:Platform=${{matrix.platform}} -p:VcpkgTripletConfig=ci -p:DLIB=${{ env.DLIB }} -p:DMDF=${{ env.DMDF }} -m
 
       - name: Build CMake
         if: success() && matrix.type == 'libs-cmake'

win_build/boinc.sln

@@ -152,6 +152,12 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "installer_icon", "installer
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "installer_setup", "installer_setup.vcxproj", "{80DFF29A-7B1D-41F4-BEAE-307CDB39BF54}"
 	ProjectSection(ProjectDependencies) = postProject
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27} = {88EB73FC-A865-4C3F-906D-44E00EF27A27}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "installer_msi", "installer_msi.vcxproj", "{88EB73FC-A865-4C3F-906D-44E00EF27A27}"
+	ProjectSection(ProjectDependencies) = postProject
+		{49723CA5-DA05-43C0-93AB-6FD30D046919} = {49723CA5-DA05-43C0-93AB-6FD30D046919}
 		{BB5EF2AB-F453-463B-835A-65BBE7182378} = {BB5EF2AB-F453-463B-835A-65BBE7182378}
 	EndProjectSection
 EndProject
@@ -505,6 +511,14 @@ Global
 		{80DFF29A-7B1D-41F4-BEAE-307CDB39BF54}.Release|ARM64.Build.0 = Release|ARM64
 		{80DFF29A-7B1D-41F4-BEAE-307CDB39BF54}.Release|x64.ActiveCfg = Release|x64
 		{80DFF29A-7B1D-41F4-BEAE-307CDB39BF54}.Release|x64.Build.0 = Release|x64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Debug|ARM64.Build.0 = Debug|ARM64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Debug|x64.ActiveCfg = Debug|x64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Debug|x64.Build.0 = Debug|x64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Release|ARM64.ActiveCfg = Release|ARM64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Release|ARM64.Build.0 = Release|ARM64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Release|x64.ActiveCfg = Release|x64
+		{88EB73FC-A865-4C3F-906D-44E00EF27A27}.Release|x64.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

win_build/boinc_signing.targets

@@ -2,7 +2,7 @@
     <ItemGroup>
         <FilesToSign Include="$(OutDir)$(TargetName)$(TargetExt)" Condition="('$(TargetExt)' == '.exe' or '$(TargetExt)' == '.dll' or '$(TargetExt)' == '.scr' or '$(TargetExt)' == '.msi')"/>
     </ItemGroup>
-    <Target Name="Signing" DependsOnTargets="Build" AfterTargets="Build" Condition="('@(FilesToSign)' != '' and Exists('$(BUILDCODESIGN)\boinc.pfx'))">
-        <Exec Command='signtool sign /f "$(BUILDCODESIGN)/boinc.pfx" /p "$(CODESIGNBOINC)" /fd sha256 /d "BOINC Client Software" /du "http://boinc.berkeley.edu" /t "http://timestamp.sectigo.com" "@(FilesToSign)"' WorkingDirectory="$(MSBuildProjectDirectory)" />
+    <Target Name="Signing" DependsOnTargets="Build" AfterTargets="Build" Condition="('@(FilesToSign)' != '' and Exists('$(DLIB)') and Exists('$(DMDF)'))">
+        <Exec Command='signtool.exe sign /v /debug /fd SHA256 /d "BOINC Client Software" /du "https://boinc.berkeley.edu" /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib $(DLIB) /dmdf $(DMDF) "@(FilesToSign)"' WorkingDirectory="$(MSBuildProjectDirectory)" />
     </Target>
 </Project>

win_build/installer.vcxproj

@@ -182,12 +182,7 @@
     <ClInclude Include="..\installer\UpgradeTable.h" />
     <ClInclude Include="..\installer\JsonHelper.h" />
   </ItemGroup>
-  <ItemGroup>
-    <None Include="..\installer\boinc.json" />
-    <None Include="..\installer\locale\en.json" />
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
+  <ImportGroup Label="ExtensionTargets"/>
   <Import Project="boinc_signing.targets" />
 </Project>

win_build/installer_msi.vcxproj

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectName>installer_msi</ProjectName>
+    <ProjectGuid>{88EB73FC-A865-4C3F-906D-44E00EF27A27}</ProjectGuid>
+  </PropertyGroup>
+  <PropertyGroup Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="boinc.props" />
+  <PropertyGroup>
+    <TargetName>boinc.msi</TargetName>
+  </PropertyGroup>
+  <ItemGroup>
+    <None Include="..\installer\boinc.json" />
+    <None Include="..\installer\locale\en.json" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+  <PropertyGroup>
+    <CustomBuildBeforeTargets>ClCompile</CustomBuildBeforeTargets>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <CustomBuildStep>
+      <Command>$(SolutionDir)Build\x64\$(Configuration)\installer.exe -p $(Platform)</Command>
+      <Outputs>$(OutDir)$(TargetName)</Outputs>
+    </CustomBuildStep>
+  </ItemDefinitionGroup>
+  <Import Project="boinc_signing.targets" />
+</Project>

win_build/installer_setup.vcxproj

@@ -35,17 +35,6 @@
     <ResourceCompile Include="..\installer\installer_setup\installer_setup.rc" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-  <PropertyGroup>
-    <CustomBuildBeforeTargets>ClCompile</CustomBuildBeforeTargets>
-  </PropertyGroup>
-  <ItemDefinitionGroup>
-    <CustomBuildStep>
-      <Command>$(SolutionDir)Build\x64\$(Configuration)\installer.exe -p $(Platform)</Command>
-      <Inputs>$(MSBuildThisFileDirectory)..\installer\boinc.json;$(MSBuildThisFileDirectory)..\installer\locale\en.json;$(OutDir)boinccas.dll;$(SolutionDir)Build\x64\$(Configuration)\installer.exe</Inputs>
-      <Outputs>$(OutDir)boinc.msi</Outputs>
-    </CustomBuildStep>
-  </ItemDefinitionGroup>
+  <ImportGroup Label="ExtensionTargets"/>
   <Import Project="boinc_signing.targets" />
 </Project>