chore: new windows codesign process

.vscode/launch.json

@@ -6,7 +6,7 @@
     "configurations": [
       {
         "name": "Debug Release",
-        "program": "${workspaceFolder}/scripts/release.js",
+        "program": "${workspaceFolder}/scripts/release.mjs",
         "request": "launch",
         "skipFiles": [
           "<node_internals>/**"

package.json

@@ -5,7 +5,7 @@
   "description": "Electron updater E2E test",
   "scripts": {
     "start": "electron ./src/main.js",
-    "release": "node ./scripts/release.js"
+    "release": "node ./scripts/release.mjs"
   },
   "keywords": [
     "electron",
@@ -28,6 +28,8 @@
   "devDependencies": {
     "electron": "37.2.3",
     "electron-builder": "26.0.12",
-    "fs-extra": "11.1.1"
+    "fs-extra": "11.1.1",
+    "p-retry": "7.1.0",
+    "p-throttle": "8.1.0"
   }
 }

scripts/release.js → scripts/release.mjs

@@ -1,6 +1,7 @@
 'use strict'
-const exec = require('child_process').execSync
+import { exec, execSync } from 'node:child_process'
 
+const __dirname = import.meta.dirname
 const TEST_BUILD = process.env.TEST_BUILD // set true if you would like to test on your local machine
 
 // electron-builder security override.
@@ -26,9 +27,12 @@ if (!isReleaseCommit) {
   process.exit(0)
 }
 
-const path = require('path')
-const builder = require('electron-builder')
-const fs = require('fs-extra')
+import path from 'node:path'
+import {setTimeout} from 'node:timers/promises'
+import builder from 'electron-builder'
+import fs from 'fs-extra'
+import pThrottle from 'p-throttle'
+import pRetry from 'p-retry'
 
 const Platform = builder.Platform
 const ELECTRON_BUILD_FOLDER = path.join(__dirname, '../tmp-build')
@@ -53,10 +57,7 @@ if (process.platform === 'darwin') {
 if (process.platform === 'darwin') {
   const encryptedFile = path.join(__dirname, './certs/mac-cert.p12.enc')
   const decryptedFile = path.join(__dirname, './certs/mac-cert.p12')
-  exec(`openssl aes-256-cbc -K $CERT_KEY -iv $CERT_IV -in ${encryptedFile} -out ${decryptedFile} -d`)
-} else if (process.platform === 'win32') {
-  // decrypt windows certificate
-  exec('openssl aes-256-cbc -K %CERT_KEY% -iv %CERT_IV% -in scripts/certs/windows-cert.p12.enc -out scripts/certs/windows-cert.p12 -d')
+  execSync(`openssl aes-256-cbc -K $CERT_KEY -iv $CERT_IV -in ${encryptedFile} -out ${decryptedFile} -d`)
 }
 
 const APPLE_TEAM_ID = 'CMXCBCFHDG'
@@ -85,8 +86,8 @@ if (TEST_BUILD || gitTag) {
       win: {
         signtoolOptions: {
           publisherName: 'Ultimate Gadget Laboratories Kft.',
-          certificateFile: path.join(__dirname, 'certs/windows-cert.p12')
-        }
+          sign: configuration => azureKeyvaultSign(configuration.path),
+        },
       },
       linux: {},
       publish: 'github',
@@ -125,3 +126,60 @@ function prepareDistDir() {
   electronJson.dependencies = rootJson.dependencies
   fs.writeJsonSync(path.join(ELECTRON_BUILD_FOLDER, 'package.json'), electronJson, { spaces: 2 })
 }
+
+// sign only 1 file in every 2 sec
+// otherwise we got random singing error
+// maybe related issue https://github.com/vcsjones/AzureSignTool/issues/330
+const throttleAzureCodeSign = pThrottle({
+	limit: 1,
+	interval: 2000
+});
+
+const azureKeyvaultSign = throttleAzureCodeSign(async (filePath) => {
+  const {
+      AZURE_KEY_VAULT_TENANT_ID,
+      AZURE_KEY_VAULT_CLIENT_ID,
+      AZURE_KEY_VAULT_SECRET,
+      AZURE_KEY_VAULT_URL,
+      AZURE_KEY_VAULT_CERTIFICATE,
+    } = process.env;
+
+  if (!AZURE_KEY_VAULT_URL) {
+    console.log('Skipping code signing, no environment variables set for that.')
+    return
+  }
+
+  return pRetry(() => new Promise((resolve, reject) => {
+    console.log('Signing file', filePath);
+    const signToolPath = path.join(__dirname, 'AzureSignTool-x64-6-0-1.exe')
+    const command = `${signToolPath} sign -kvu ${AZURE_KEY_VAULT_URL} -kvi ${AZURE_KEY_VAULT_CLIENT_ID} -kvt ${AZURE_KEY_VAULT_TENANT_ID} -kvs ${AZURE_KEY_VAULT_SECRET} -kvc ${AZURE_KEY_VAULT_CERTIFICATE} -tr http://timestamp.identrust.com -v '${filePath}'`;
+    exec(command, { shell: 'powershell.exe' }, (e, stdout, stderr) => {
+      if (e instanceof Error) {
+        console.error(e)
+        return reject(e)
+      }
+
+      if (stderr) {
+        console.error(stderr)
+        return reject(new Error(stderr))
+      }
+
+      if (stdout.indexOf('Signing completed successfully') > -1) {
+        console.log(stdout)
+        return resolve()
+      }
+
+      return reject(new Error(stdout))
+    })
+  }), {
+    retries: 5,
+    onFailedAttempt: async ({error, attemptNumber, retriesLeft, retriesConsumed}) => {
+      console.log('Signing file failed', filePath);
+		  console.log(`Attempt ${attemptNumber} failed. ${retriesLeft} retries left. ${retriesConsumed} retries consumed.`);
+      console.error(error)
+
+      console.log('wait 5 sec before retry')
+      await setTimeout(5000)
+	  },
+  })
+})