diff --git a/.github/workflows/stable-windows.yml b/.github/workflows/stable-windows.yml
index 23e2b4b7354..410e2c76090 100644
--- a/.github/workflows/stable-windows.yml
+++ b/.github/workflows/stable-windows.yml
@@ -214,6 +214,45 @@ jobs:
         run: ./build/windows/package.sh
         if: env.SHOULD_BUILD == 'yes'
 
+      - name: Prepare application binaries for signing
+        run: |
+          mkdir -p app_signing_input app_signing_output
+          find VSCode-win32-${{ matrix.vscode_arch }} -type f \( -name "*.exe" -o -name "*.dll" \) | while read f; do
+            newname=$(echo "$f" | tr '/' '_')
+            cp "$f" "app_signing_input/$newname"
+            echo "$newname|$f" >> app_signing_map.txt
+          done
+          echo "Files to sign:"
+          ls -la app_signing_input/
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+        shell: bash
+
+      - name: Sign application binaries with SSL.com eSigner
+        uses: sslcom/esigner-codesign@develop
+        with:
+          command: batch_sign
+          username: ${{ secrets.ES_USERNAME }}
+          password: ${{ secrets.ES_PASSWORD }}
+          credential_id: ${{ secrets.ES_CREDENTIAL_ID }}
+          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+          dir_path: ${GITHUB_WORKSPACE}/app_signing_input
+          output_path: ${GITHUB_WORKSPACE}/app_signing_output
+          environment_name: PROD
+          override: true
+          malware_block: true
+          clean_logs: true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Restore signed application binaries
+        run: |
+          while IFS='|' read -r newname origpath; do
+            cp "app_signing_output/$newname" "$origpath"
+          done < app_signing_map.txt
+          rm -rf app_signing_input app_signing_output app_signing_map.txt
+          echo "Signed binaries restored to VSCode-win32-${{ matrix.vscode_arch }}/"
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+        shell: bash
+
       - name: Prepare assets
         run: ./prepare_assets.sh
         if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
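Review bot: In `Prepare application binaries for signing`, `newname=$(echo "$f" | tr '/' '_')` is not a lossless encoding — two paths that differ only in `/` versus `_` (say `a_b/x.dll` and `a/b_x.dll`) flatten to the same name, so the second `cp` silently overwrites the first in `app_signing_input/` and the restore loop then copies one signed file onto both original paths. A guard such as `test ! -e "app_signing_input/$newname" || { echo "name collision: $f"; exit 1; }` before the `cp` would at least fail loudly, and a numbered map entry instead of the flattened path removes the collision entirely. Both `uses: sslcom/esigner-codesign@develop` steps (this one and `Sign Windows Artifacts with SSL.com eSigner` in the next hunk) hand the signing credential and TOTP secret to a moving branch of a third-party action; pinning to a full commit SHA keeps an upstream change from running with those secrets unreviewed. The explicit `shell: bash` on the two `run` steps here is missing from the equivalent steps in the next hunk, while the context line `run: ./build/windows/package.sh` works without it, which suggests a job-level default declared outside this hunk — either drop the two lines or add them to the later steps so the four steps read the same way.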
@@ -229,20 +268,35 @@ jobs:
           retention-days: 1
         if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
 
-      # - name: Signing
-      #   uses: signpath/github-action-submit-signing-request@v1
-      #   with:
-      #     api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
-      #     organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
-      #     project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
-      #     signing-policy-slug: ${{ secrets.SIGNPATH_POLICY_SLUG }}
-      #     github-artifact-id: ${{ steps.upload-unsigned-artifacts.outputs.artifact-id }}
-      #     artifact-configuration-slug: ${{ matrix.vscode_arch }}
-      #     wait-for-completion: true
-      #     # 3h to manually approve the request
-      #     wait-for-completion-timeout-in-seconds: 10800
-      #     output-artifact-directory: assets/
-      #   if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+      - name: Prepare files for signing
+        run: |
+          mkdir -p signing_input signing_output
+          mv assets/*.exe signing_input/ || true
+          mv assets/*.msi signing_input/ || true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Sign Windows Artifacts with SSL.com eSigner
+        uses: sslcom/esigner-codesign@develop
+        with:
+          command: batch_sign
+          username: ${{ secrets.ES_USERNAME }}
+          password: ${{ secrets.ES_PASSWORD }}
+          credential_id: ${{ secrets.ES_CREDENTIAL_ID }}
+          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+          dir_path: ${GITHUB_WORKSPACE}/signing_input
+          output_path: ${GITHUB_WORKSPACE}/signing_output
+          environment_name: PROD
+          override: true
+          malware_block: true
+          clean_logs: true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Move signed files back
+        run: |
+          mv signing_output/*.exe assets/ || true
+          mv signing_output/*.msi assets/ || true
+          rm -rf signing_input signing_output
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
 
       - name: Prepare checksums
         run: ./prepare_checksums.sh
diff --git a/CLAUDE.md b/CLAUDE.md
index 609d972a484..8cf078fb10d 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -231,6 +231,13 @@ When merging upstream, these are our key customizations that must be preserved:
    - `patches/user/microphone.patch` - Codex-specific
    - Minor modifications to other patches for branding
 
+6. **Windows Code Signing** (`.github/workflows/stable-windows.yml`)
+   - SSL.com eSigner integration for code signing
+   - Signs application binaries (.exe, .dll) before packaging
+   - Signs installer packages (.exe, .msi) after packaging
+   - Required secrets: `ES_USERNAME`, `ES_PASSWORD`, `ES_CREDENTIAL_ID`, `ES_TOTP_SECRET`
+   - **Must preserve**: The signing steps between "Build" and "Prepare assets", and after "Upload unsigned artifacts"
+
 ### Merge Strategy
 
 #### Option A: Incremental Merge (Recommended for small gaps)
@@ -308,6 +315,7 @@ When upstream updates patches that we've also modified:
 | File/Area | Typical Resolution |
 |-----------|-------------------|
 | `.github/workflows/*.yml` | Keep our simplified versions, cherry-pick important CI fixes |
+| `.github/workflows/stable-windows.yml` | **Preserve code signing steps** - keep SSL.com eSigner integration intact |
 | `patches/*.patch` | Take upstream's version, verify our branding placeholders work |
 | `prepare_vscode.sh` | Keep our branding URLs/names, adopt new build logic |
 | `build/windows/msi/` | Keep our `codex.*` files, apply equivalent changes from `vscodium.*` |
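Review bot: The `|| true` on the four `mv` lines in `Prepare files for signing` and `Move signed files back` turns an empty glob into a silent success, so if `signing_output/` comes back without `.exe` or `.msi` files the installers simply disappear from `assets/` and the job stays green, with `Prepare checksums` then running over an incomplete asset set. The `|| true` is presumably there so an architecture that produces no `.msi` does not trip the shell's exit-on-error, but that is better expressed with `shopt -s nullglob` plus an explicit check on the restore side, e.g. `ls signing_output/*.exe >/dev/null` before the move, so a signer that emits nothing fails the step. Nothing between `Move signed files back` and `Prepare checksums` confirms the restored files actually carry a signature; if `signtool` is available on the runner, a `signtool verify /pa assets/*.exe` step there would catch a signer that returns unsigned copies before checksums are published over them. The `steps` list continues on both sides of this hunk.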