From d8fe0aaf5a479b74327759393a3c6eb4ffaa0da9 Mon Sep 17 00:00:00 2001
From: Scott Chacon
Date: Fri, 13 Dec 2024 16:49:00 +0100
Subject: [PATCH] re-sign the binary for Tauri after the self-hosted EV sign
---
.github/workflows/publish.yaml | 55 ++++++++++++++++++++++++++++++----
1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index e60c6553b7..0bd0f49666 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -220,7 +220,7 @@ jobs:
 path: tauri-aux-artifacts/
 if-no-files-found: error
- sign-tauri:
+ sign-windows:
 needs: build-tauri
 runs-on: [self-hosted, evcodesignd]
 strategy: 
@@ -242,12 +242,57 @@ jobs:
 find release -name "*.msi" -type f -print0 | xargs -0 -n1 -I{} python3 /sign-with-evcodesignd.py "{}"
 env:
 EVCODESIGND_PSK: ${{ secrets.EVCODESIGND_PSK }}
- - name: Compress signed msi
+ - name: Upload signed artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: '${{ needs.build-tauri.outputs.channel }}-${{ matrix.platform }}-${{ github.run_number }}'
+ path: release/
+ if-no-files-found: error
+ overwrite: true
+
+ sign-tauri:
+ needs: [sign-windows, build-tauri]
+ runs-on: windows-latest
+ strategy:
+ matrix:
+ platform:
+ - windows-latest # [windows, x64]
+ steps:
+ - name: Clean artifact directory
 shell: bash
+ run: rm -rf release
+ - name: Download ev-signed artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: '${{ needs.build-tauri.outputs.channel }}-${{ matrix.platform }}-${{ github.run_number }}'
+ path: release
+ - name: Set file as a variable
+ shell: bash
+ id: set-path
 run: |
- apt update && apt install -y zip
- find release -name "*.msi" -type f -print0 | zip "release/$(find release -name "*.msi" -type f -printf '%P\n').zip" -@
- - name: Upload signed artifacts
+ msi_file=$(find release -name "*.msi" -type f -printf '%P\n')
+ echo "msi_file=$msi_file" >> $GITHUB_OUTPUT
+ - name: Sign our EV signed file
+ shell: bash
+ run: |
+ set -x
+ curl -O https://gitbutler-public.s3.us-east-1.amazonaws.com/_win/minisign.exe
+ chmod +x minisign.exe # Add this line to make the file executable
+ echo "sign release/${{ steps.set-path.outputs.msi_file }}"
+ timestamp=$(date +%s)
+ TRUSTED_COMMENT="timestamp:$timestamp file:${{ steps.set-path.outputs.msi_file }}"
+ UNTRUSTED_COMMENT="signature from tauri secret key"
+ echo "untrusted comment: signature from tauri secret key" > ./minisign.key
+ echo "${{ secrets.TAURI_PRIVATE_KEY }}" >> ./minisign.key
+ ls
+ cat ./minisign.key
+ echo ${{ secrets.TAURI_KEY_PASSWORD }} | ./minisign.exe -S -s minisign.key -t "$TRUSTED_COMMENT" -c "$UNTRUSTED_COMMENT" -m release/${{ steps.set-path.outputs.msi_file }}
+ perl -MMIME::Base64 -0777 -ne 'print encode_base64($_, "")' < release/${{ steps.set-path.outputs.msi_file }}.minisig > release/${{ steps.set-path.outputs.msi_file }}.sig
+ rm release/${{ steps.set-path.outputs.msi_file }}.minisig
+ - name: Compress files into a ZIP archive
+ run: |
+ Compress-Archive -Path "release/${{ steps.set-path.outputs.msi_file }}" -DestinationPath "release/${{ steps.set-path.outputs.msi_file }}.zip"
+ - name: Upload re-signed artifacts
 uses: actions/upload-artifact@v4
 with:
 name: '${{ needs.build-tauri.outputs.channel }}-${{ matrix.platform }}-${{ github.run_number }}'
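Review bot: The new `Sign our EV signed file` step writes the updater signing key to disk and then prints it back with `cat ./minisign.key`, while `set -x` traces the fully expanded `echo ${{ secrets.TAURI_KEY_PASSWORD }} | ./minisign.exe …` line into the job log; GitHub's secret masking is best-effort exact-string matching and should not be relied on to scrub a multi-line key or a password that went through unquoted word splitting, so drop `set -x`, `ls` and `cat ./minisign.key`, pass the two secrets and the msi path through `env:` rather than `${{ }}` interpolation into the script body, and remove `minisign.key` when the step finishes. The same step fetches `minisign.exe` from an S3 URL at run time with no integrity check, so whoever can write to that bucket controls the update signatures this job produces; pin a sha256 digest and verify it (or vendor the binary) before executing it. The `# Add this line to make the file executable` comment on the `chmod` line reads like a leftover instruction and should go. The `Compress-Archive` step zips only the `.msi` and leaves `.msi.sig` as a signature over the unzipped installer; if the Tauri updater is configured to fetch the `.zip`, the signature has to be computed over the zip instead, which is worth confirming against the updater config. The job's final upload step continues past the hunk and reuses the same artifact name as `sign-windows`, so check that it also sets `overwrite: true`.
```yaml
      - name: Sign our EV signed file
        shell: bash
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
          MSI_FILE: ${{ steps.set-path.outputs.msi_file }}
          # placeholder: replace with the sha256 of the vetted minisign.exe build
          MINISIGN_SHA256: "<sha256-of-vetted-minisign.exe>"
        run: |
          set -euo pipefail
          curl -fsSLO https://gitbutler-public.s3.us-east-1.amazonaws.com/_win/minisign.exe
          echo "$MINISIGN_SHA256  minisign.exe" | sha256sum -c -
          chmod +x minisign.exe
          # key material must not outlive the step, even on an ephemeral runner
          trap 'rm -f ./minisign.key' EXIT
          timestamp=$(date +%s)
          TRUSTED_COMMENT="timestamp:$timestamp file:$MSI_FILE"
          UNTRUSTED_COMMENT="signature from tauri secret key"
          printf 'untrusted comment: signature from tauri secret key\n%s\n' "$TAURI_PRIVATE_KEY" > ./minisign.key
          printf '%s\n' "$TAURI_KEY_PASSWORD" | ./minisign.exe -S -s minisign.key -t "$TRUSTED_COMMENT" -c "$UNTRUSTED_COMMENT" -m "release/$MSI_FILE"
          # … unchanged: base64-encode the .minisig into .sig and remove the .minisig …
```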