Add code signing on release

Author: jackpot51

.github/workflows/ci.yml

@@ -8,9 +8,15 @@ jobs:
               with:
                   lfs: true
             - uses: actions-rs/toolchain@v1
-            - run: choco install dotnet netfx-4.8 wixtoolset
+            - run: choco install dotnet netfx-4.8 python3 wixtoolset
             - run: cargo install cargo-wix
-            - run: cargo wix -v --nocapture
+            - env:
+                  SSL_COM_USERNAME: ${{ github.event_name == 'release' && secrets.SSL_COM_USERNAME || '' }}
+                  SSL_COM_PASSWORD: ${{ github.event_name == 'release' && secrets.SSL_COM_PASSWORD || '' }}
+                  SSL_COM_CREDENTIAL_ID: ${{ github.event_name == 'release' && secrets.SSL_COM_CREDENTIAL_ID || '' }}
+                  SSL_COM_TOTP_SECRET: ${{ github.event_name == 'release' && secrets.SSL_COM_TOTP_SECRET || '' }}
+                  SIGN: ${{ github.event_name == 'release' && '--sign' || '' }}
+              run: python build.py %SIGN%
             - uses: actions/upload-artifact@v2
               with:
                   name: thelio-io

README.md

@@ -5,15 +5,17 @@
 - Install Chocolaty from https://chocolatey.org/install
 - Launch an Administrator Command Prompt and run the following:
 ```
-choco install dotnet netfx-4.8 wixtoolset
+choco install dotnet netfx-4.8 python3 wixtoolset
 ```
 - Launch a normal Command Prompt and run the following:
 ```
 cargo install cargo-wix
 ```
 - Run the following to build the installer:
 ```
-cargo wix -v --nocapture
+python build.py
 ```
 - Execute the installer at `target/wix/thelio-io-0.1.0-x86_64.msi`
-- Execute the program from the `bin/thelio-io.exe` file in the install directory
+- The installer will start the `System76 Thelio Io` service
+- Logs can be viewed in `Event Viewer` under `Windows Logs/Application` with the
+  source `System76 Thelio Io`

sign.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+
+import argparse
+import os
+import shutil
+import subprocess
+import urllib.request
+from zipfile import ZipFile
+
+# Handle commandline arguments
+parser = argparse.ArgumentParser()
+parser.add_argument('--sign', action='store_true')
+args = parser.parse_args()
+
+# Build .msi
+subprocess.check_call([
+    "cargo",
+    "wix",
+    "--nocapture",
+    "--verbose",
+])
+
+if args.sign:
+    if not os.path.isdir('target/sign'):
+        os.mkdir("target/sign")
+
+    # Download signing tool
+    tool_url = "https://www.ssl.com/download/29773/"
+    tool_zip = "target/sign/CodeSignTool.zip"
+    if not os.path.isfile(tool_zip):
+        if os.path.isfile(tool_zip + ".partial"):
+            os.remove(tool_zip + ".partial")
+        urllib.request.urlretrieve(tool_url, tool_zip + ".partial")
+        os.rename(tool_zip + ".partial", tool_zip)
+
+    # Extract signing tool
+    tool_dir = "target/sign/CodeSignTool"
+    if not os.path.isdir(tool_dir):
+        if os.path.isdir(tool_dir + ".partial"):
+            shutil.rmtree(tool_dir + ".partial")
+        os.mkdir(tool_dir + ".partial")
+        with ZipFile(tool_zip, "r") as zip:
+            zip.extractall(tool_dir + ".partial")
+        os.rename(tool_dir + ".partial", tool_dir)
+
+    # Sign with specified cloud signing key
+    subprocess.check_call([
+        "cmd", "/c", "CodeSignTool.bat",
+        "sign",
+        "-credential_id=" + os.environ["SSL_COM_CREDENTIAL_ID"],
+        "-username=" + os.environ["SSL_COM_USERNAME"],
+        "-password=" + os.environ["SSL_COM_PASSWORD"],
+        "-totp_secret=" + os.environ["SSL_COM_TOTP_SECRET"],
+        "-input_file_path=../../../wix/thelio-io-0.1.0-x86_64.msi",
+        "-output_dir_path=../../",
+    ], cwd="target/sign/CodeSignTool/CodeSignTool-v1.0-windows")