chore: implement remote executable signing for windows binary builds (#28636)

* chore: implement remote executable signing for windows to comply with
new  signing key storage requirements [run ci]

* bump circleci cache to avoid electron install issues [run ci]

* chore: use fs-extra to ensure and create directory for temporary files and use os package to locate OS tmp directory

Author: AtofStryker

.circleci/cache-version.txt

@@ -1,3 +1,3 @@
 # Bump this version to force CI to re-create the cache from scratch.
 
-01-02-24
+01-04-24

.circleci/workflows.yml

@@ -79,7 +79,10 @@ windowsWorkflowFilters: &windows-workflow-filters
     # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
     - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
     - equal: [ 'feature/experimental-retries', << pipeline.git.branch >> ]
-    - equal: [ 'ryanm/fix/service-worker-capture', << pipeline.git.branch >> ]
+    - equal: [ 'chore/update_windows_signing', << pipeline.git.branch >> ]
+    - equal: [ 'lerna-optimize-tasks', << pipeline.git.branch >> ]
+    - equal: [ 'em/shallow-checkout', << pipeline.git.branch >> ]
+    - equal: [ 'mschile/mochaEvents_win_sep', << pipeline.git.branch >> ]
     - matches:
         pattern: /^release\/\d+\.\d+\.\d+$/
         value: << pipeline.git.branch >>
@@ -149,7 +152,7 @@ commands:
           name: Set environment variable to determine whether or not to persist artifacts
           command: |
             echo "Setting SHOULD_PERSIST_ARTIFACTS variable"
-            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "publish-binary" && "$CIRCLE_BRANCH" != "ryanm/fix/service-worker-capture" ]]; then
+            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "publish-binary" && "$CIRCLE_BRANCH" != "chore/update_windows_signing" ]]; then
                 export SHOULD_PERSIST_ARTIFACTS=true
             fi' >> "$BASH_ENV"
   # You must run `setup_should_persist_artifacts` command and be using bash before running this command
@@ -1150,8 +1153,10 @@ commands:
           # set variable CSC_FOR_PULL_REQUEST=true
           command: |
             set -e
-            NEEDS_CODE_SIGNING=`node -p 'process.platform === "win32" || process.platform === "darwin"'`
-            if [[ "$NEEDS_CODE_SIGNING" == "true" ]]; then
+            NEEDS_CODE_SIGNING_WINDOWS=`node -p 'process.platform === "win32"'`
+            NEEDS_CODE_SIGNING_MAC=`node -p 'process.platform === "darwin"'`
+
+            if [[ "$NEEDS_CODE_SIGNING_MAC" == "true" ]]; then
               echo "Checking for required environment variables..."
               if [ -z "$CSC_LINK" ]; then
                 echo "Need to provide environment variable CSC_LINK"
@@ -1164,6 +1169,29 @@ commands:
                 exit 1
               fi
               echo "Succeeded."
+            elif [[ "$NEEDS_CODE_SIGNING_WINDOWS" == "true" ]]; then
+              echo "Checking for required environment variables..."
+              if [ -z "$WINDOWS_SIGN_USER_NAME" ]; then
+                echo "Need to provide environment variable WINDOWS_SIGN_USER_NAME"
+                echo "with password for fetching and signing certificate"
+                exit 1
+              fi
+              if [ -z "$WINDOWS_SIGN_USER_PASSWORD" ]; then
+                echo "Need to provide environment variable WINDOWS_SIGN_USER_PASSWORD"
+                echo "for fetching and signing certificate"
+                exit 1
+              fi
+              if [ -z "$WINDOWS_SIGN_CREDENTIAL_ID" ]; then
+                echo "Need to provide environment variable WINDOWS_SIGN_CREDENTIAL_ID"
+                echo "for identifying certificate"
+                exit 1
+              fi
+              if [ -z "$WINDOWS_SIGN_USER_TOTP" ]; then
+                echo "Need to provide environment variable WINDOWS_SIGN_USER_TOTP"
+                echo "for signing certificate"
+                exit 1
+              fi
+              echo "Succeeded."
             else
               echo "Not code signing for this platform"
             fi

electron-builder.json

@@ -16,6 +16,10 @@
     "executableName": "Cypress"
   },
   "win": {
+    "signingHashAlgorithms": [
+      "sha256"
+    ],
+    "sign": "./scripts/windows-sign.js",
     "target": "dir"
   },
   "afterPack": "./scripts/after-pack-hook.js",

scripts/windows-sign.js

@@ -0,0 +1,63 @@
+// This signing procedure only runs on windows binary builds to leverage remote signing in order to
+// fullfil new requirements around OV and IV code signing.
+// @see https://www.ssl.com/article/code-signing-key-storage-requirements-will-change-on-june-1-2023/ for more details.
+
+// Signing delegation happens inside the electron-builder.json, which can be seen in the configuration:
+// "sign": "./scripts/windows-sign.js"
+// @see https://www.electron.build/configuration/win#how-do-delegate-code-signing for configuration reference.
+
+// sampled from https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-899798533
+const path = require('path')
+const { tmpdir } = require('os')
+const fs = require('fs-extra')
+const childProcess = require('child_process')
+
+const TEMP_DIR = path.join(tmpdir(), 'release', 'tmp')
+
+// create the temp directory we need for CodeSignTool in order to avoid manual confirmations
+fs.ensureDirSync(TEMP_DIR)
+
+function sign (configuration) {
+  // credentials from ssl.com
+  const USER_NAME = process.env.WINDOWS_SIGN_USER_NAME
+  const USER_PASSWORD = process.env.WINDOWS_SIGN_USER_PASSWORD
+  const CREDENTIAL_ID = process.env.WINDOWS_SIGN_CREDENTIAL_ID
+  const USER_TOTP = process.env.WINDOWS_SIGN_USER_TOTP
+
+  if (USER_NAME && USER_PASSWORD && USER_TOTP && CREDENTIAL_ID) {
+    console.log(`Signing ${configuration.path}`)
+    const { name, dir } = path.parse(configuration.path)
+
+    // Since the CodeSignTool can only be run in the directory it is installed, we want to
+    // download the CodeSignTool and explode it into the current directory. This isn't a repeat operation
+    // in this case since we are only signing the executable, which is one file.
+    console.log('downloading CodeSignTool for Windows from ssl.com...')
+    childProcess.execSync('curl https://www.ssl.com/download/codesigntool-for-windows/ -o codesigntool-for-windows.zip')
+    childProcess.execSync('tar -xvf codesigntool-for-windows.zip')
+    childProcess.execSync('rm ./codesigntool-for-windows.zip')
+
+    // CodeSignTool can't sign in place without verifying the overwrite with a
+    // manual interaction so we are creating a new file in a temp directory and
+    // then replacing the original file with the signed file.
+    const tempFile = path.join(TEMP_DIR, name)
+
+    console.log('executing signing...')
+    // Sign the executable with the signing tool. For CLI reference, @see https://www.ssl.com/guide/esigner-codesigntool-command-guide/.
+    childProcess.execSync(`CodeSignTool.bat sign -input_file_path="${configuration.path}" -output_dir_path="${TEMP_DIR}" -credential_id="${CREDENTIAL_ID}" -username="${USER_NAME}" -password="${USER_PASSWORD}" -totp_secret="${USER_TOTP}"`)
+
+    console.log('signing complete! Moving signed files back to package directory...')
+    childProcess.execSync(`mv "${tempFile}" "${dir}"`)
+    console.log('move completed!')
+  } else {
+    console.warn(`windows-sign.js - Can't sign file ${configuration.path}, missing value for:
+${USER_NAME ? '' : 'WINDOWS_SIGN_USER_NAME'}
+${USER_PASSWORD ? '' : 'WINDOWS_SIGN_USER_PASSWORD'}
+${CREDENTIAL_ID ? '' : 'WINDOWS_SIGN_CREDENTIAL_ID'}
+${USER_TOTP ? '' : 'WINDOWS_SIGN_USER_TOTP'}
+`)
+
+    process.exit(1)
+  }
+}
+
+exports.default = sign