eSignerでのコード署名に対応

Hiroshiba · Oct 3, 2023 · 237ca9a · 237ca9a
1 parent 65a4465
commit 237ca9a
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 20 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -213,18 +213,18 @@ jobs:
         run: |
           df -h
 
-      # build electronでコード署名するには環境変数を指定が必要だけど、
-      # コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
       - name: Define Code Signing Envs
         if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          # 複数行の文字列を環境変数に代入
-          echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
-          echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
-          echo 'EOF' >> $GITHUB_ENV
-
-          echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
+          bash build/codesign_setup.bash
+          echo "WIN_CERTIFICATE_SHA1=$(head -n 1 $THUMBPRINT_PATH)" >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
+        env:
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       # Build result will be exported to ${{ matrix.artifact_path }}
       - name: Build Electron
@@ -243,8 +243,11 @@ jobs:
         if: startsWith(matrix.os, 'windows-') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          echo 'CSC_LINK=' >> $GITHUB_ENV
-          echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
+          bash build/codesign_cleanup.bash
+          echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
+        env:
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       - name: Upload NoEngine Prepackage
         uses: actions/upload-artifact@v3
@@ -654,18 +657,18 @@ jobs:
         run: |
           df -h
 
-      # build electronでコード署名するには環境変数を指定が必要だけど、
-      # コード署名しない場合に環境変数を定義するとエラーになるので、動的に環境変数を足す
       - name: Define Code Signing Envs
         if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          # 複数行の文字列を環境変数に代入
-          echo 'CSC_LINK<<EOF' >> $GITHUB_ENV
-          echo "${{ secrets.CERT_BASE64 }}" >> $GITHUB_ENV
-          echo 'EOF' >> $GITHUB_ENV
-
-          echo 'CSC_KEY_PASSWORD=${{ secrets.CERT_PASSWORD }}' >> $GITHUB_ENV
+          bash build/codesign_setup.bash
+          echo "WIN_CERTIFICATE_SHA1=$(head -n 1 $THUMBPRINT_PATH)" >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=["sha256"]' >> $GITHUB_ENV
+        env:
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       # NOTE: prepackage can be removed before splitting nsis-web archive
       - name: Build Electron
@@ -688,8 +691,11 @@ jobs:
         if: endsWith(matrix.artifact_name, '-nsis-web') && github.event.inputs.code_signing == 'true'
         shell: bash
         run: |
-          echo 'CSC_LINK=' >> $GITHUB_ENV
-          echo 'CSC_KEY_PASSWORD=' >> $GITHUB_ENV
+          bash build/codesign_cleanup.bash
+          echo 'WIN_CERTIFICATE_SHA1=' >> $GITHUB_ENV
+          echo 'WIN_SIGNING_HASH_ALGORITHMS=' >> $GITHUB_ENV
+        env:
+          THUMBPRINT_PATH: /tmp/esignercka_thumbprint.txt
 
       - name: Show disk space (debug info)
         shell: bash

diff --git a/build/codesign_cleanup.bash b/build/codesign_cleanup.bash
@@ -0,0 +1,18 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+set -eu
+
+if [ ! -v THUMBPRINT_PATH ]; then
+    echo "THUMBPRINT_PATHが未定義です"
+    exit 1
+fi
+
+if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then
+    ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
+fi
+
+# 証明書を削除
+powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload"
+
+# THUMBPRINTを削除
+rm "$THUMBPRINT_PATH"
diff --git a/build/codesign_setup.bash b/build/codesign_setup.bash
@@ -0,0 +1,50 @@
+# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
+
+set -eu
+
+if [ ! -v ESIGNERCKA_USERNAME ]; then
+    echo "ESIGNERCKA_USERNAMEが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_PASSWORD ]; then
+    echo "ESIGNERCKA_PASSWORDが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then
+    echo "ESIGNERCKA_TOTP_SECRETが未定義です"
+    exit 1
+fi
+if [ ! -v THUMBPRINT_PATH ]; then
+    echo "THUMBPRINT_PATHが未定義です"
+    exit 1
+fi
+
+if [ ! -v ESIGNERCKA_INSTALL_DIR ]; then
+    ESIGNERCKA_INSTALL_DIR='..\eSignerCKA'
+fi
+
+# eSignerCKAのセットアップ
+if [ ! -d "$ESIGNERCKA_INSTALL_DIR" ]; then
+    curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
+    unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
+    mv *eSigner*CKA_*.exe eSigner_CKA_Installer.exe
+    powershell "
+        & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$ESIGNERCKA_INSTALL_DIR" | Out-Null
+        & '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$ESIGNERCKA_INSTALL_DIR\master.key' -r
+        & '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' unload
+    "
+    rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
+fi
+
+# 証明書を読み込む
+powershell "& '$ESIGNERCKA_INSTALL_DIR\eSignerCKATool.exe' load"
+
+THUMBPRINT=$(
+    powershell '
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+        echo "$($CodeSigningCert.Thumbprint)"
+    '
+)
+
+# THUMBPRINTを出力
+echo "$THUMBPRINT" >"$THUMBPRINT_PATH"
diff --git a/vue.config.js b/vue.config.js
@@ -18,6 +18,12 @@ const LINUX_EXECUTABLE_NAME = process.env.LINUX_EXECUTABLE_NAME;
 // ${productName}-${version}.${ext}
 const MACOS_ARTIFACT_NAME = process.env.MACOS_ARTIFACT_NAME;
 
+// コード署名証明書
+const WIN_CERTIFICATE_SHA1 = process.env.WIN_CERTIFICATE_SHA1;
+const WIN_SIGNING_HASH_ALGORITHMS = process.env.WIN_SIGNING_HASH_ALGORITHMS
+  ? JSON.parse(process.env.WIN_SIGNING_HASH_ALGORITHMS)
+  : undefined;
+
 const isMac = process.platform === "darwin";
 
 module.exports = {
@@ -76,6 +82,12 @@ module.exports = {
               arch: ["x64"],
             },
           ],
+          certificateSha1:
+            WIN_CERTIFICATE_SHA1 !== "" ? WIN_CERTIFICATE_SHA1 : undefined,
+          signingHashAlgorithms:
+            WIN_SIGNING_HASH_ALGORITHMS !== ""
+              ? WIN_SIGNING_HASH_ALGORITHMS
+              : undefined,
         },
         directories: {
           buildResources: "build",