Add support for Azure Artifact Signing

.github/workflows/publish-windows.yml

@@ -7,9 +7,14 @@ on:
     tags:
     - v*
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: windows-latest
+    environment: azuresigning
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -21,9 +26,22 @@ jobs:
       run: |
         npm i
         npm i -g nexe@4.0.0-rc.7
+    - name: Retrieve the metadata and decode it to a file
+      env:
+        AZURESIGNING_METADATA: ${{ secrets.AZURESIGNING_METADATA }}
+      run: |
+        echo $AZURESIGNING_METADATA | base64 --decode > "$RUNNER_TEMP\metadata.json"
+      shell: bash
+    - name: Azure login
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     - name: Build bundle
       run: |
-        npm run winbundle
+        npm run winbundle -- --signtool-path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" --azure-signing-metadata "%RUNNER_TEMP%\metadata.json"
+      shell: cmd
     - name: Upload Bundle File
       uses: actions/upload-artifact@v4
       with:

scripts/winbundle.js

@@ -5,9 +5,12 @@ const request = require('request');
 const async = require('async');
 const nodeUnzip = require('node-unzip-2');
 const archiver = require('archiver');
+const os = require('os');
 
 const bundleName = "nodeodm-windows-x64.zip";
 
+const scratch = 'RUNNER_TEMP' in process.env ? process.env.RUNNER_TEMP : os.tmpdir();
+
 const download = function(uri, filename, callback) {
     console.log(`Downloading ${uri}`);
     request.head(uri, function(err, res, body) {
@@ -68,13 +71,42 @@ async.series([
     cb => {
         downloadApp(path.join("apps", "unzip"), "https://github.com/OpenDroneMap/NodeODM/releases/download/v2.1.0/unzip600.zip", cb);
     },
+    cb => {
+        downloadApp(path.join(scratch, "azuresigning"), "https://www.nuget.org/api/v2/package/Microsoft.ArtifactSigning.Client/1.0.115", cb);
+    },
     cb => {
         console.log("Building executable");
-        const code = spawnSync('nexe.cmd', ['index.js', '-t', 'windows-x64-12.16.3', '-o', 'nodeodm.exe'], { stdio: "pipe"}).status;
+        const code = spawnSync('nexe.cmd', ['index.js', '-t', 'windows-x64-12.16.3', '-o', 'nodeodm.exe'], { stdio: "inherit", shell: true }).status;
 
         if (code === 0) cb();
         else cb(new Error(`nexe returned non-zero error code: ${code}`));
     },
+    cb => {
+        let signtoolPath = null;
+        let metadataPath = null;
+
+        const signtoolPathArgIndex = process.argv.indexOf("--signtool-path");
+        if (signtoolPathArgIndex !== -1 && signtoolPathArgIndex + 1 < process.argv.length) {
+            signtoolPath = process.argv[signtoolPathArgIndex + 1];
+        }
+
+        const metadataPathArgIndex = process.argv.indexOf("--azure-signing-metadata");
+        if (metadataPathArgIndex !== -1 && metadataPathArgIndex + 1 < process.argv.length) {
+            metadataPath = process.argv[metadataPathArgIndex + 1];
+        }
+
+        if (signtoolPath && metadataPath) {
+            console.log("Signing executable");
+
+            const dlibPath = path.join(scratch, "azuresigning", "bin", "x64", "Azure.CodeSigning.Dlib.dll");
+            const code = spawnSync(signtoolPath, ['sign', '/v', '/debug', '/fd', 'SHA256', '/tr', 'http://timestamp.acs.microsoft.com', '/td', 'SHA256', '/dlib', dlibPath, '/dmdf', metadataPath, 'nodeodm.exe'], { stdio: "inherit" }).status;
+
+            if (code === 0) cb();
+            else cb(new Error(`signtool returned non-zero error code: ${code}`));
+        } else {
+            cb();
+        }
+    },
     cb => {
         // Zip
         const outFile = path.join("dist", bundleName);