Merge pull request #176 from ppy/trusted-signing

Switch to azure trusted signing

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "vpk": {
-      "version": "0.0.598-g933b2ab",
+      "version": "0.0.630-g9c52e40",
       "commands": [
         "vpk"
       ]

Builders/WindowsBuilder.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.IO;
+using System.Linq;
 using osu.Desktop.Deploy.Uploaders;
 
 namespace osu.Desktop.Deploy.Builders
@@ -13,13 +14,9 @@ public class WindowsBuilder : Builder
         private const string os_name = "win";
         private const string channel = "win";
 
-        private readonly string? codeSigningPassword;
-
-        public WindowsBuilder(string version, string? codeSigningPassword)
+        public WindowsBuilder(string version)
             : base(version)
         {
-            if (!string.IsNullOrEmpty(Program.WindowsCodeSigningCertPath))
-                this.codeSigningPassword = codeSigningPassword ?? Program.ReadLineMasked("Enter code signing password: ");
         }
 
         protected override string TargetFramework => "net8.0";
@@ -32,8 +29,27 @@ public override Uploader CreateUploader()
                                + $" --icon=\"{installIcon}\""
                                + $" --noPortable";
 
-            if (!string.IsNullOrEmpty(Program.WindowsCodeSigningCertPath))
-                extraArgs += $" --signParams=\"/td sha256 /fd sha256 /f {Path.GetFullPath(Program.WindowsCodeSigningCertPath)} /p {codeSigningPassword} /tr http://timestamp.comodoca.com\"";
+            if (!string.IsNullOrEmpty(Program.WindowsCodeSigningMetadataPath))
+            {
+                string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".nuget", "packages", "microsoft.trusted.signing.client");
+                const string dll_name = "Azure.CodeSigning.Dlib.dll";
+
+                string? dllPath = Directory.GetFiles(path, dll_name, SearchOption.AllDirectories).LastOrDefault(p => p.Contains("x64"));
+
+                if (dllPath == null)
+                    Logger.Error("Could not find path for Dlib.dll");
+
+                // We're using `signTemplate` here as we need to prefer the system `signtool.exe` in order for it to
+                // run azure code signing correctly on older windows versions.
+                //
+                // This can be changed back to `signParams` if velopack changes the signtool logic to fix this.
+                string signToolPath = Directory.GetDirectories(@"C:\Program Files (x86)\Windows Kits\10\bin", "*", SearchOption.AllDirectories)
+                                               .Select(dir => Path.Combine(dir, @"x64\signtool.exe"))
+                                               .Where(File.Exists)
+                                               .Last();
+
+                extraArgs += $" --signTemplate=\"\\\"{signToolPath}\\\" sign /td sha256 /fd sha256 /dlib \\\"{dllPath}\\\" /dmdf \\\"{Path.GetFullPath(Program.WindowsCodeSigningMetadataPath)}\\\" /tr http://timestamp.acs.microsoft.com {{{{file...}}}}";
+            }
 
             return new WindowsVelopackUploader(app_name, os_name, RuntimeIdentifier, channel, extraArgs: extraArgs);
         }

Program.cs

@@ -37,7 +37,7 @@ internal static class Program
         public static string GitHubRepoUrl => $"https://github.com/{GitHubUsername}/{GitHubRepoName}";
         public static bool CanGitHub => !string.IsNullOrEmpty(GitHubAccessToken);
 
-        public static string? WindowsCodeSigningCertPath => ConfigurationManager.AppSettings["WindowsCodeSigningCertPath"];
+        public static string? WindowsCodeSigningMetadataPath => ConfigurationManager.AppSettings["WindowsCodeSigningMetadataPath"];
         public static string? AndroidCodeSigningCertPath => ConfigurationManager.AppSettings["AndroidCodeSigningCertPath"];
         public static string? AppleCodeSignCertName => ConfigurationManager.AppSettings["AppleCodeSignCertName"];
         public static string? AppleInstallSignCertName => ConfigurationManager.AppSettings["AppleInstallSignCertName"];
@@ -99,7 +99,7 @@ public static void Main(string[] args)
 
             Console.ResetColor();
             Console.WriteLine($"Increment Version:     {IncrementVersion}");
-            Console.WriteLine($"Signing Certificate:   {WindowsCodeSigningCertPath}");
+            Console.WriteLine($"Signing Certificate:   {WindowsCodeSigningMetadataPath}");
             Console.WriteLine($"Upload to GitHub:      {GitHubUpload}");
             Console.WriteLine();
             Console.Write($"Ready to deploy version {version} on platform {targetPlatform}!");
@@ -113,7 +113,7 @@ public static void Main(string[] args)
             switch (targetPlatform)
             {
                 case RuntimeInfo.Platform.Windows:
-                    builder = new WindowsBuilder(version, getArg(0));
+                    builder = new WindowsBuilder(version);
                     break;
 
                 case RuntimeInfo.Platform.Linux:

Uploaders/VelopackUploader.cs

@@ -56,6 +56,7 @@ public override void PublishBuild(string version)
                                          + $" --mainExe=\"{applicationName}\""
                                          + $" --packDir=\"{stagingPath}\""
                                          + $" --channel=\"{channel}\""
+                                         + " --verbose"
                                          + $" {extraArgs}",
                 useSolutionPath: false);
 

osu.Desktop.Deploy.csproj

@@ -7,6 +7,7 @@
     <Nullable>enable</Nullable>
   </PropertyGroup>
   <ItemGroup Label="Package References">
+    <PackageReference Include="Microsoft.Trusted.Signing.Client" Version="1.0.60" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="ppy.osu.Framework" Version="2022.1130.0" />
     <PackageReference Include="System.Configuration.ConfigurationManager" Version="6.0.1" />