Build & EV Sign Windows builds (#517

* Add way to provide apple ID and app password to notarise script

* Add utility to generate electron-builder.json for release & nightly builds

* Run Build & Test on staging too

* First attempt at build & deploy for macOS with signing and notarisation

* Fix quote mismatch

* use correct quotes

* add runs-on

* Fix inputs.mode usage

* remove quotes

* chmod +x

* Fix artifact paths

* Fix deploy condition

* Fix deploy condition

* Fix artifact path

* Iterate

* Fix workflow

* Fix env

* Iterate

* Fix missing env

* Fix version calculation

* Iterate

* Fix config not taking effect

* Update build_and_deploy.yaml

* Fix alignments

* delint

* Fix alignment

* Update build_macos.yaml

* Add ability to EV sign using eSigner CKA

* Initial work to build & sign Windows nightlies in CI

* Format

* Format

* Fix gha

* fix winSign

* Fix install command

* Add signtool to path

* Update build_and_deploy.yaml

* Fix quotes

* Test

* Fix comments

* Fix cmd

* Try again

* arg slashes

* Fix exe path

* Fix matrix strategy

* Use ampersand-call

* fwd slash ftw?

* ls *

* 🌲

* tree dist

* prepend path

* Specify /fd and /td to modern signtool

* /tr not /t for CKA

* Test signing

* missing comma

* 🤦‍♂️

* Fix wrong mv

* Lets sign

* Fix config gen

* Debug

* Fix typo

* Multiple drives why

* Try NVL sandbox creds

* Update

* Attempt to disable logger

* Try again

* Iterate

* Update build_macos.yaml

* Update build_and_deploy.yaml

* Update build_macos.yaml

* Update build_and_deploy.yaml

* Update build_and_deploy.yaml

* Try custom build of eSigner CKA

* Fix typos

* Update build_windows.yaml

* Update build_and_deploy.yaml

* Update build_windows.yaml

* Update build_and_deploy.yaml

* Fix symlinking

* Fix working-directory incantation

* exe

* remove debug

* Prettier

* Vendor check in SSL.com executable

* Download CKA from packages.element.io instead

* Use demo creds

* StrictMode

* Switch back to 0207 (unsigned)

* Fix call syntax

* Revert env inc

* Partial rollback

* Trace

* Trace less

* Fix CN being passed wrong

* DEBUG

* Debug 2

* Fix ConvertFrom-StringData

* 0214

* Test

* Test

* Untested

* Revert to 0207

* stash

* Try with 20230221

* Restore scripts/electron_winSign.js

* Prepare for merge

* Update build_windows.yaml

* Update build_and_deploy.yaml

* Restore .github/workflows/build_and_deploy.yaml

* Restore .github/workflows/build_and_deploy.yaml

* Fix bad restore

scripts/generate-builder-config.ts

@@ -22,10 +22,12 @@ const NIGHTLY_APP_ID = "im.riot.nightly";
 const NIGHTLY_APP_NAME = "element-desktop-nightly";
 
 const argv = parseArgs<{
-    nightly?: string;
+    "nightly"?: string;
+    "signtool-thumbprint"?: string;
+    "signtool-subject-name"?: string;
     "deb-custom-control"?: string;
 }>(process.argv.slice(2), {
-    string: ["nightly", "deb-custom-control"],
+    string: ["nightly", "deb-custom-control", "signtool-thumbprint", "signtool-subject-name"],
 });
 
 interface File {
@@ -54,7 +56,10 @@ interface PackageBuild {
         target: {
             target: string;
         };
-        sign: string;
+        sign?: string;
+        signingHashAlgorithms?: string[];
+        certificateSubjectName?: string;
+        certificateSha1?: string;
     };
     deb?: {
         fpm?: string[];
@@ -108,6 +113,13 @@ async function main(): Promise<number | void> {
         cfg.extraMetadata!.version = version;
     }
 
+    if (argv["signtool-thumbprint"] && argv["signtool-subject-name"]) {
+        delete cfg.win.sign;
+        cfg.win.signingHashAlgorithms = ["sha256"];
+        cfg.win.certificateSubjectName = argv["signtool-subject-name"];
+        cfg.win.certificateSha1 = argv["signtool-thumbprint"];
+    }
+
     if (os.platform() === "linux") {
         // Electron crashes on debian if there's a space in the path.
         // https://github.com/vector-im/element-web/issues/13171
@@ -123,9 +135,11 @@ async function main(): Promise<number | void> {
     await fsProm.writeFile(ELECTRON_BUILDER_CFG_FILE, JSON.stringify(cfg, null, 4));
 }
 
-main().then((ret) => {
-    process.exit(ret!);
-}).catch((e) => {
-    console.error(e);
-    process.exit(1);
-});
+main()
+    .then((ret) => {
+        process.exit(ret!);
+    })
+    .catch((e) => {
+        console.error(e);
+        process.exit(1);
+    });