From 3ce7e31f64d86b3ca58be61407a33380cda072b4 Mon Sep 17 00:00:00 2001
From: Owen Rudge
Date: Mon, 24 May 2021 23:03:04 +0100
Subject: [PATCH] Feature: Sign Windows builds

---
 .github/workflows/release.yml | 32 ++++++++++++++++++++++++++++++++
 cmake/InstallAndPackage.cmake | 7 +++++++
 os/windows/sign.bat | 18 ++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 os/windows/sign.bat

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 894e9b9eb7..447b165f9c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -746,6 +746,21 @@ jobs:
 with:
 arch: ${{ matrix.host }}
+ - name: Import code signing certificate
+ shell: powershell
+ # If this is run on a fork, there may not be a certificate set up - continue in this case
+ continue-on-error: true
+ run: |
+ $tempFile = [System.IO.Path]::GetTempFileName()
+ $bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12)
+ [IO.File]::WriteAllBytes($tempFile, $bytes)
+ $pwd = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
+ Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $pwd
+ Remove-Item $tempFile
+ env:
+ WINDOWS_CERTIFICATE_P12: ${{ secrets.WINDOWS_CERTIFICATE_P12 }}
+ WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+
 - name: Build (with installer)
 if: needs.source.outputs.is_tag == 'true'
 shell: bash
@@ -761,12 +776,15 @@ jobs:
 -DOPTION_USE_NSIS=ON \
 -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
 -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
 # EOF
 echo "::endgroup::"
 echo "::group::Build"
 cmake --build .
 echo "::endgroup::"
+ env:
+ WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
 - name: Build (without installer)
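Review bot: In the new `Import code signing certificate` step the temporary file holding the decoded PFX (private key included) is only deleted when `Import-PfxCertificate` succeeds; if the import throws, `Remove-Item $tempFile` is never reached and the key material stays on the runner's disk for the rest of the job. Wrapping the import in try/finally fixes that, and `$pwd` shadows PowerShell's automatic current-directory variable and is better renamed. `continue-on-error: true` also masks a genuine import failure on a real release build, so the later `Sign installer` step (same setting, in the `@@ -809` hunk) would upload an unsigned installer without the job going red; checking for an empty `$env:WINDOWS_CERTIFICATE_P12` inside the script and exiting cleanly keeps fork builds working while letting real failures fail, after which `continue-on-error` can be dropped on both steps.
```yaml
      run: |
        if (-not $env:WINDOWS_CERTIFICATE_P12) {
          Write-Host "No code signing certificate configured; skipping import"
          exit 0
        }
        $tempFile = [System.IO.Path]::GetTempFileName()
        try {
          $bytes = [System.Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_P12)
          [IO.File]::WriteAllBytes($tempFile, $bytes)
          $certPassword = ConvertTo-SecureString $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
          Import-PfxCertificate -FilePath $tempFile -CertStoreLocation Cert:\CurrentUser\My -Password $certPassword
        } finally {
          Remove-Item $tempFile -ErrorAction SilentlyContinue
        }
      # … unchanged: env: block with the two secrets …
```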
@@ -782,12 +800,15 @@ jobs:
 -DCMAKE_TOOLCHAIN_FILE="c:\vcpkg\scripts\buildsystems\vcpkg.cmake" \
 -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
 -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DWINDOWS_CERTIFICATE_COMMON_NAME="${WINDOWS_CERTIFICATE_COMMON_NAME}" \
 # EOF
 echo "::endgroup::"
 echo "::group::Build"
 cmake --build .
 echo "::endgroup::"
+ env:
+ WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
 - name: Create bundles
 shell: bash
@@ -809,6 +830,17 @@ jobs:
 rm -f bundles/*.sha256
 echo "::endgroup::"
+ - name: Sign installer
+ if: needs.source.outputs.is_tag == 'true'
+ shell: bash
+ # If this is run on a fork, there may not be a certificate set up - continue in this case
+ continue-on-error: true
+ run: |
+ cd ${GITHUB_WORKSPACE}/build/bundles
+ ../../os/windows/sign.bat *.exe "${WINDOWS_CERTIFICATE_COMMON_NAME}"
+ env:
+ WINDOWS_CERTIFICATE_COMMON_NAME: ${{ secrets.WINDOWS_CERTIFICATE_COMMON_NAME }}
+
 - name: Store bundles
 uses: actions/upload-artifact@v2
 with:
diff --git a/cmake/InstallAndPackage.cmake b/cmake/InstallAndPackage.cmake
index 9b7d657887..057f0934f8 100644
--- a/cmake/InstallAndPackage.cmake
+++ b/cmake/InstallAndPackage.cmake
@@ -138,6 +138,13 @@ elseif(WIN32)
 endif()
 set(CPACK_PACKAGE_FILE_NAME "openttd-#CPACK_PACKAGE_VERSION#-windows-${CPACK_SYSTEM_NAME}")
+
+ if(WINDOWS_CERTIFICATE_COMMON_NAME)
+ add_custom_command(TARGET openttd
+ POST_BUILD
+ COMMAND "${CMAKE_SOURCE_DIR}/os/windows/sign.bat" "$" "${WINDOWS_CERTIFICATE_COMMON_NAME}"
+ )
+ endif()
 elseif(UNIX)
 # With FHS, we can create deb/rpm/... Without it, they would be horribly broken
 # and not work. The other way around is also true; with FHS they are not
diff --git a/os/windows/sign.bat b/os/windows/sign.bat
new file mode 100644
index 0000000000..0e4291f9b8
--- /dev/null
+++ b/os/windows/sign.bat
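Review bot: WINDOWS_CERTIFICATE_COMMON_NAME is a certificate subject name, not a credential, yet the new `env:` block here (and the matching one in the `Build (with installer)` hunk above) sources it from `secrets`. Actions masks secret values in the job log, so signtool's `-v` output and any configure-time diagnostic that prints the subject will likely be redacted, which is exactly the line you want to see when a release is signed with the wrong certificate. A non-secret workflow `env:` value or a repository variable would keep the log readable; only the PFX and its password need `secrets`. Whether a value that is merely passed through `env:` is masked should be confirmed against the Actions documentation before changing it.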
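Review bot: `*.exe` in the new `Sign installer` step is expanded by bash before sign.bat is invoked, so if bundles/ ever holds more than one `.exe` the second file arrives as `%2` and the common name is pushed into an argument sign.bat never reads; today the directory presumably holds only the NSIS installer, but the step should not depend on that. Signing each file explicitly avoids the shift: `for f in *.exe; do ../../os/windows/sign.bat "$f" "${WINDOWS_CERTIFICATE_COMMON_NAME}"; done`, with `cd "${GITHUB_WORKSPACE}/build/bundles"` quoted. Signing rewrites the installer after `Create bundles` has finished, so any checksum of the .exe that is published must be computed after this step, not before it.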
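Review bot: The first argument to sign.bat in the new `add_custom_command` reads `"$"` on this page, which is not a usable path; it looks like a generator expression whose angle-bracket part was lost in rendering (presumably `$<TARGET_FILE:openttd>`), so the committed file should be checked rather than this listing. The command also lacks `VERBATIM`, so a common name containing spaces or quotes may be re-split by the build tool before it reaches `%2` in sign.bat; add `VERBATIM` after the `COMMAND` line. A one-line comment above `if(WINDOWS_CERTIFICATE_COMMON_NAME)` saying that the variable is the subject name passed to signtool `-n` and that setting it makes every openttd build invoke signtool would document the new knob for local builders.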
@@ -0,0 +1,18 @@
+@echo off
+REM Signing script
+REM Arguments: sign.bat exe_to_sign certificate_subject_name
+
+REM This is a loose wrapper around the Microsoft signtool application (included in the Windows SDK).
+REM See https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe for more details.
+
+REM Path to signtool.exe
+IF NOT DEFINED SIGNTOOL_PATH (SET SIGNTOOL_PATH=signtool)
+
+REM URL of the timestamp server
+IF NOT DEFINED SIGNTOOL_TIMESTAMP_URL (SET SIGNTOOL_TIMESTAMP_URL=http://timestamp.digicert.com)
+
+REM Sign with SHA-1 for Windows 7 and below
+"%SIGNTOOL_PATH%" sign -v -n %2 -t %SIGNTOOL_TIMESTAMP_URL% %1
+
+REM Sign with SHA-256 for Windows 8 and above
+"%SIGNTOOL_PATH%" sign -v -n %2 -tr %SIGNTOOL_TIMESTAMP_URL% -fd sha256 -td sha256 -as %1
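Review bot: Both signtool invocations pass `%1` and `%2` unquoted, so an executable path or a certificate subject name containing spaces (typical for an organisation name) is split into several arguments and `-n` receives only the first word; use `"%~1"` and `"%~2"`, which strip any quotes the caller added and re-quote the whole value. The script also has no error handling: if the SHA-1 pass fails, the SHA-256 pass still runs with `-as`, and the script's exit status is whatever the last command returned, so neither the CMake POST_BUILD step nor the workflow can tell a half-signed binary from a signed one. Appending `|| exit /b 1` to each signtool line, e.g. `"%SIGNTOOL_PATH%" sign -v -n "%~2" -t "%SIGNTOOL_TIMESTAMP_URL%" "%~1" || exit /b 1`, propagates the failure.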