CI: wire up Azure Trusted Signing for Windows builds

Installs the Microsoft.Trusted.Signing.Client dlib via NuGet, locates signtool.exe from the Windows SDK, and passes AZURE_* secrets to the Make step. Removes the unused .pfx-based signing step.

.github/workflows/build.yml

@@ -59,14 +59,14 @@ jobs:
         env:
           MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
           MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
-      - name: Set Windows signing certificate
+      - name: Set up Azure Trusted Signing
-        if: matrix.os == 'windows-latest'
+        if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/')
-        continue-on-error: true
+        shell: pwsh
-        id: write_file
+        run: |
-        uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4
+          nuget install Microsoft.Trusted.Signing.Client -Version 1.0.60 -OutputDirectory . -NonInteractive
-        with:
+          $signtool = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe | Where-Object { $_.FullName -like "*\x64\*" } | Sort-Object FullName -Descending | Select-Object -First 1
-          fileName: 'win-certificate.pfx'
+          echo "SIGNTOOL_PATH=$($signtool.FullName)" >> $env:GITHUB_ENV
-          encodedString: ${{ secrets.WINDOWS_CODESIGN_P12 }}
+          echo "AZURE_CODE_SIGNING_DLIB=$((Resolve-Path 'Microsoft.Trusted.Signing.Client.1.0.60/bin/x64/Azure.CodeSigning.Dlib.dll').Path)" >> $env:GITHUB_ENV
       - name: Download disk image (ps1)
         run: tools/download-disk.ps1
         if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/')
@@ -86,8 +86,11 @@ jobs:
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          WINDOWS_CODESIGN_FILE: ${{ steps.write_file.outputs.filePath }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          WINDOWS_CODESIGN_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_CODE_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_CODE_SIGNING_ACCOUNT_NAME }}
+          AZURE_CODE_SIGNING_CERTIFICATE_PROFILE_NAME: ${{ secrets.AZURE_CODE_SIGNING_CERTIFICATE_PROFILE_NAME }}
       - name: Release
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         if: startsWith(github.ref, 'refs/tags/')

forge.config.js

@@ -15,17 +15,22 @@ const FLAGS = {
   APPLE_ID_PASSWORD: process.env.APPLE_ID_PASSWORD,
 }
 
-fs.writeFileSync(FLAGS.AZURE_METADATA_JSON, JSON.stringify({
+let windowsSign;
-  Endpoint: process.env.AZURE_CODE_SIGNING_ENDPOINT || "https://wcus.codesigning.azure.net",
+if (FLAGS.AZURE_TENANT_ID && FLAGS.SIGNTOOL_PATH) {
-  CodeSigningAccountName: process.env.AZURE_CODE_SIGNING_ACCOUNT_NAME,
+  fs.writeFileSync(FLAGS.AZURE_METADATA_JSON, JSON.stringify({
-  CertificateProfileName: process.env.AZURE_CODE_SIGNING_CERTIFICATE_PROFILE_NAME,
+    Endpoint: process.env.AZURE_CODE_SIGNING_ENDPOINT || "https://wcus.codesigning.azure.net",
-}, null, 2));
+    CodeSigningAccountName: process.env.AZURE_CODE_SIGNING_ACCOUNT_NAME,
+    CertificateProfileName: process.env.AZURE_CODE_SIGNING_CERTIFICATE_PROFILE_NAME,
+  }, null, 2));
 
-const windowsSign = {
+  windowsSign = {
-  signToolPath: FLAGS.SIGNTOOL_PATH,
+    signToolPath: FLAGS.SIGNTOOL_PATH,
-  signWithParams: `/v /dlib ${FLAGS.AZURE_CODE_SIGNING_DLIB} /dmdf ${FLAGS.AZURE_METADATA_JSON}`,
+    signWithParams: `/v /dlib ${FLAGS.AZURE_CODE_SIGNING_DLIB} /dmdf ${FLAGS.AZURE_METADATA_JSON}`,
-  timestampServer: "http://timestamp.acs.microsoft.com",
+    timestampServer: "http://timestamp.acs.microsoft.com",
-  hashes: ["sha256"],
+    hashes: ["sha256"],
+  };
+} else {
+  console.warn('AZURE_TENANT_ID / SIGNTOOL_PATH not set; Windows binaries will not be signed');
 }
 
 module.exports = {