feat: reimplement windows signing (#174)

Only enabled for releases, as the build server is slower
bitfocus · Jan 9, 2025 · 67db6da · 67db6da
1 parent c009d49
commit 67db6da
Show file tree

Hide file tree

Showing 9 changed files with 177 additions and 129 deletions.
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
@@ -170,7 +170,7 @@ jobs:
           retention-days: 1
 
   Windows-x64:
-    runs-on: windows-latest
+    runs-on: ${{ startsWith(github.ref, 'refs/tags/') && fromJSON('["self-hosted", "Windows", "codecert", "X64"]') || 'windows-latest'}}
     steps:
       - name: Check out Git repository
         uses: actions/checkout@v4
@@ -191,7 +191,22 @@ jobs:
 
           yarn
           yarn --cwd webui install
-          yarn dist
+
+      - name: build & package (unsigned)
+        if: ${{ runner.environment != 'self-hosted' }}
+        run: |
+          yarn dist win32-x64
+        env:
+          CI: 1
+
+      - name: build & package (signed)
+        if: ${{ runner.environment == 'self-hosted' }}
+        run: |
+          yarn dist win32-x64
+        env:
+          CI: 1
+          CSC_LINK: c:\\actions-runner-bitfocusas\\codesign.cer
+          BF_CODECERT_KEY: ${{ secrets.BF_CODECERT_KEY }}
 
       - name: Determine files to upload
         id: filenames

diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -47,6 +47,7 @@ export default [
 			'no-warning-comments': ['error', { terms: ['nocommit', '@nocommit', '@no-commit'] }],
 			// 'jest/no-mocks-import': 'off',
 		},
+		files: ['**/*.ts', '**/*.cts', '**/*.mts'],
 	},
 	...tseslint.configs.recommendedTypeChecked,
 	{

diff --git a/package.json b/package.json
@@ -30,7 +30,7 @@
     "lint:raw": "eslint",
     "lint": "eslint .",
     "license-validate": "sofie-licensecheck",
-    "dist": "run build && zx tools/build_electron.mjs"
+    "dist": "run build && tsx tools/build_electron.mts"
   },
   "devDependencies": {
     "@sofie-automation/eslint-plugin": "^0.1.1",
@@ -45,6 +45,7 @@
     "husky": "^9.1.6",
     "lint-staged": "^15.2.10",
     "prettier": "^3.3.3",
+    "tsx": "^4.19.2",
     "typescript": "~5.6.3",
     "typescript-eslint": "^8.11.0",
     "zx": "^8.1.9"

diff --git a/satellite/package.json b/satellite/package.json
@@ -16,7 +16,6 @@
 		"dev:electron": "run build:main && electron dist/electron.js",
 		"build": "rimraf dist && run build:main",
 		"build:main": "run -T tsc -p tsconfig.build.json",
-		"build:electron": "electron-builder --publish=never",
 		"check-types": "run build:main --noEmit",
 		"watch-types": "run build:main --noEmit --watch"
 	},
@@ -70,68 +69,5 @@
 		"*.{ts,tsx,js,jsx}": [
 			"run -T lint:raw --fix"
 		]
-	},
-	"build": {
-		"productName": "Companion Satellite",
-		"appId": "remote.companion.bitfocus.no",
-		"afterSign": "../tools/notarize.cjs",
-		"npmRebuild": false,
-		"directories": {
-			"buildResources": "assets/",
-			"output": "../electron-output/"
-		},
-		"mac": {
-			"category": "no.bitfocus.companion.remote",
-			"target": "dmg",
-			"extendInfo": {
-				"LSBackgroundOnly": 1,
-				"LSUIElement": 1
-			},
-			"hardenedRuntime": "true",
-			"gatekeeperAssess": "false",
-			"entitlements": "entitlements.mac.plist",
-			"entitlementsInherit": "entitlements.mac.plist"
-		},
-		"dmg": {
-			"artifactName": "companion-satellite-${arch}.dmg",
-			"sign": true
-		},
-		"win": {
-			"target": "nsis"
-		},
-		"nsis": {
-			"createStartMenuShortcut": true,
-			"perMachine": true,
-			"oneClick": false,
-			"allowElevation": true,
-			"artifactName": "companion-satellite-x64.exe"
-		},
-		"linux": {
-			"target": "tar.gz",
-			"artifactName": "companion-satellite-${arch}.tar.gz",
-			"extraFiles": [
-				{
-					"from": "assets/linux",
-					"to": "."
-				}
-			]
-		},
-		"files": [
-			"**/*",
-			"assets/*",
-			"!.nvmrc",
-			"!.node_version",
-			"!docs",
-			"!samples",
-			"!src",
-			"!tools",
-			"!pi-image"
-		],
-		"extraResources": [
-			{
-				"from": "../webui/dist",
-				"to": "webui"
-			}
-		]
 	}
 }
diff --git a/tools/build_electron.mjs b/tools/build_electron.mjs
diff --git a/tools/build_electron.mts b/tools/build_electron.mts
@@ -0,0 +1,138 @@
+/* eslint-disable n/no-process-exit */
+import { fs, usePowerShell, argv } from 'zx'
+// eslint-disable-next-line n/no-extraneous-import
+import electronBuilder from 'electron-builder'
+
+if (process.platform === 'win32') {
+	usePowerShell() // to enable powershell
+}
+
+const platform = argv._[0] || `${process.platform}-${process.arch}`
+
+let platformInfo: { platform: string; arch: electronBuilder.Arch }
+// let nodePreGypArgs: string[] = []
+
+console.log(`Building for platform: ${platform}`)
+
+if (platform === 'mac-x64' || platform === 'darwin-x64') {
+	platformInfo = { platform: 'mac', arch: electronBuilder.Arch.x64 }
+	// nodePreGypArgs = ['--target_platform=darwin', '--target_arch=x64', '--target_libc=unknown']
+} else if (platform === 'mac-arm64' || platform === 'darwin-arm64') {
+	platformInfo = { platform: 'mac', arch: electronBuilder.Arch.arm64 }
+	// nodePreGypArgs = ['--target_platform=darwin', '--target_arch=arm64', '--target_libc=unknown']
+} else if (platform === 'win-x64' || platform === 'win32-x64') {
+	platformInfo = { platform: 'win', arch: electronBuilder.Arch.x64 }
+	// nodePreGypArgs = ['--target_platform=win32', '--target_arch=x64', '--target_libc=unknown']
+} else if (platform === 'linux-x64') {
+	platformInfo = { platform: 'linux', arch: electronBuilder.Arch.x64 }
+	// nodePreGypArgs = ['--target_platform=linux', '--target_arch=x64', '--target_libc=glibc']
+} else if (platform === 'linux-arm7') {
+	platformInfo = { platform: 'linux', arch: electronBuilder.Arch.armv7l }
+	// nodePreGypArgs = ['--target_platform=linux', '--target_arch=arm', '--target_libc=glibc']
+} else if (platform === 'linux-arm64') {
+	platformInfo = { platform: 'linux', arch: electronBuilder.Arch.arm64 }
+	// nodePreGypArgs = ['--target_platform=linux', '--target_arch=arm64', '--target_libc=glibc']
+} else {
+	console.error('Unknown platform')
+	process.exit(1)
+}
+
+// HACK: skip this as it is trying to rebuild everything from source and failing
+// if (!platform) {
+// 	// If for our own platform, make sure the correct deps are installed
+// 	await $`electron-builder install-app-deps`
+// }
+// console.log('pregyp args:', nodePreGypArgs)
+
+// perform the electron build
+await fs.remove('./electron-output')
+
+const options: electronBuilder.Configuration = {
+	publish: [],
+	productName: 'Companion Satellite',
+	appId: 'remote.companion.bitfocus.no',
+	afterSign: 'tools/notarize.cjs',
+	npmRebuild: false,
+	directories: {
+		buildResources: 'assets/',
+		output: '../electron-output/',
+	},
+	mac: {
+		category: 'no.bitfocus.companion.remote',
+		target: 'dmg',
+		extendInfo: {
+			LSBackgroundOnly: 1,
+			LSUIElement: 1,
+		},
+		hardenedRuntime: true,
+		gatekeeperAssess: false,
+		entitlements: 'satellite/entitlements.mac.plist',
+		entitlementsInherit: 'satellite/entitlements.mac.plist',
+	},
+	dmg: {
+		artifactName: 'companion-satellite-${arch}.dmg',
+		sign: !!process.env.CSC_LINK, // Only sign in ci
+	},
+	win: {
+		target: 'nsis',
+		signingHashAlgorithms: ['sha256'],
+
+		sign: async function sign(config, packager) {
+			// Do not sign if no certificate is provided.
+			if (!config.cscInfo) {
+				return
+			}
+
+			if (!packager) throw new Error('Packager is required')
+
+			const targetPath = config.path
+			// Do not sign elevate file, because that prompts virus warning?
+			if (targetPath.endsWith('elevate.exe')) {
+				return
+			}
+
+			if (!process.env.BF_CODECERT_KEY) throw new Error('BF_CODECERT_KEY variable is not set')
+
+			const vm = await packager.vm.value
+			await vm.exec(
+				'powershell.exe',
+				['c:\\actions-runner-bitfocus\\sign.ps1', targetPath, `-Description`, 'Bitfocus Companion Satellite'],
+				{
+					timeout: 10 * 60 * 1000,
+					env: process.env,
+				},
+			)
+		},
+	},
+	nsis: {
+		createStartMenuShortcut: true,
+		perMachine: true,
+		oneClick: false,
+		allowElevation: true,
+		artifactName: 'companion-satellite-x64.exe',
+	},
+	linux: {
+		target: 'tar.gz',
+		artifactName: 'companion-satellite-${arch}.tar.gz',
+		extraFiles: [
+			{
+				from: 'assets/linux',
+				to: '.',
+			},
+		],
+	},
+	files: ['**/*', 'assets/*', '!.nvmrc', '!.node_version', '!docs', '!samples', '!src', '!tools', '!pi-image'],
+	extraResources: [
+		{
+			from: '../webui/dist',
+			to: 'webui',
+		},
+	],
+}
+
+// perform the electron build
+await electronBuilder.build({
+	targets: electronBuilder.Platform.fromString(platformInfo.platform).createTarget(null, platformInfo.arch),
+	config: options,
+	projectDir: 'satellite',
+})
diff --git a/tools/tsconfig.json b/tools/tsconfig.json
@@ -0,0 +1,16 @@
+{
+	"extends": "@tsconfig/node20/tsconfig.json",
+	"include": ["**/*.ts", "**/*.cts", "**/*.mts"],
+	"compilerOptions": {
+		"outDir": "./dist",
+		"baseUrl": "./",
+		"paths": {
+			"*": ["./node_modules/*"],
+		},
+		"types": ["node"],
+		"lib": ["dom"],
+		"skipLibCheck": true,
+		"resolveJsonModule": true,
+		"declaration": true
+	}
+}
diff --git a/tsconfig.json b/tsconfig.json
@@ -3,6 +3,7 @@
 	"references": [
 		//
 		{ "path": "satellite" },
-		{ "path": "webui" }
+		{ "path": "webui" },
+		{ "path": "tools" }
 	]
 }
diff --git a/yarn.lock b/yarn.lock
@@ -3060,6 +3060,7 @@ __metadata:
     husky: "npm:^9.1.6"
     lint-staged: "npm:^15.2.10"
     prettier: "npm:^3.3.3"
+    tsx: "npm:^4.19.2"
     typescript: "npm:~5.6.3"
     typescript-eslint: "npm:^8.11.0"
     zx: "npm:^8.1.9"