mirror/cypress
1
0
Fork 0
mirror of https://github.com/cypress-io/cypress.git synced 2026-01-06 06:29:45 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
3eaf7400addbf8d9419d4d2eeee2930866740b58
cypress/scripts/windows-sign.js
Bill Glesias d34fdcf60e chore: implement remote executable signing for windows binary builds (#28636) 
* chore: implement remote executable signing for windows to comply with
new  signing key storage requirements [run ci]

* bump circleci cache to avoid electron install issues [run ci]

* chore: use fs-extra to ensure and create directory for temporary files and use os package to locate OS tmp directory
2024-01-08 11:38:22 -05:00

64 lines
3.2 KiB
JavaScript
Raw Blame History

// This signing procedure only runs on windows binary builds to leverage remote signing in order to
// fullfil new requirements around OV and IV code signing.
// @see https://www.ssl.com/article/code-signing-key-storage-requirements-will-change-on-june-1-2023/ for more details.
// Signing delegation happens inside the electron-builder.json, which can be seen in the configuration:
// "sign": "./scripts/windows-sign.js"
// @see https://www.electron.build/configuration/win#how-do-delegate-code-signing for configuration reference.
// sampled from https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-899798533
const path = require('path')
const { tmpdir } = require('os')
const fs = require('fs-extra')
const childProcess = require('child_process')
const TEMP_DIR = path.join(tmpdir(), 'release', 'tmp')
// create the temp directory we need for CodeSignTool in order to avoid manual confirmations
fs.ensureDirSync(TEMP_DIR)
function sign (configuration) {
// credentials from ssl.com
const USER_NAME = process.env.WINDOWS_SIGN_USER_NAME
const USER_PASSWORD = process.env.WINDOWS_SIGN_USER_PASSWORD
const CREDENTIAL_ID = process.env.WINDOWS_SIGN_CREDENTIAL_ID
const USER_TOTP = process.env.WINDOWS_SIGN_USER_TOTP
if (USER_NAME && USER_PASSWORD && USER_TOTP && CREDENTIAL_ID) {
console.log(`Signing ${configuration.path}`)
const { name, dir } = path.parse(configuration.path)
// Since the CodeSignTool can only be run in the directory it is installed, we want to
// download the CodeSignTool and explode it into the current directory. This isn't a repeat operation
// in this case since we are only signing the executable, which is one file.
console.log('downloading CodeSignTool for Windows from ssl.com...')
childProcess.execSync('curl https://www.ssl.com/download/codesigntool-for-windows/ -o codesigntool-for-windows.zip')
childProcess.execSync('tar -xvf codesigntool-for-windows.zip')
childProcess.execSync('rm ./codesigntool-for-windows.zip')
// CodeSignTool can't sign in place without verifying the overwrite with a
// manual interaction so we are creating a new file in a temp directory and
// then replacing the original file with the signed file.
const tempFile = path.join(TEMP_DIR, name)
console.log('executing signing...')
// Sign the executable with the signing tool. For CLI reference, @see https://www.ssl.com/guide/esigner-codesigntool-command-guide/.
childProcess.execSync(`CodeSignTool.bat sign -input_file_path="${configuration.path}" -output_dir_path="${TEMP_DIR}" -credential_id="${CREDENTIAL_ID}" -username="${USER_NAME}" -password="${USER_PASSWORD}" -totp_secret="${USER_TOTP}"`)
console.log('signing complete! Moving signed files back to package directory...')
childProcess.execSync(`mv "${tempFile}" "${dir}"`)
console.log('move completed!')
} else {
console.warn(`windows-sign.js - Can't sign file ${configuration.path}, missing value for:
${USER_NAME ? '' : 'WINDOWS_SIGN_USER_NAME'}
${USER_PASSWORD ? '' : 'WINDOWS_SIGN_USER_PASSWORD'}
${CREDENTIAL_ID ? '' : 'WINDOWS_SIGN_CREDENTIAL_ID'}
${USER_TOTP ? '' : 'WINDOWS_SIGN_USER_TOTP'}
`)
process.exit(1)
}
}
exports.default = sign
Reference in New Issue View Git Blame Copy Permalink