Revert "attempt sign of all windows files"

This reverts commit 9c99895.

Author: davegarthsimpson

.github/workflows/build.yml

@@ -75,16 +75,12 @@ env:
       artifacts:
         - path: '*Windows_64bit.exe'
           name: Windows_X86-64_interactive_installer
-        - path: '*Windows_64bit_unsigned.exe'
-          name: Windows_X86-64_interactive_installer_unsigned
+        - path: '*Windows_64bit_signed.exe'
+          name: Windows_X86-64_interactive_installer_signed
         - path: '*Windows_64bit.msi'
           name: Windows_X86-64_MSI
-        - path: '*Windows_64bit_unsigned.msi'
-          name: Windows_X86-64_MSI_unsigned
         - path: '*Windows_64bit.zip'
           name: Windows_X86-64_zip
-        - path: '*Windows_64bit_unsigned.zip'
-          name: Windows_X86-64_zip_unsigned
     - config:
         name: Linux
         runs-on: ubuntu-latest
@@ -437,59 +433,38 @@ jobs:
           name: ${{ env.JOB_TRANSFER_ARTIFACT }}
           path: ${{ env.BUILD_ARTIFACTS_PATH }}
 
-      - name: Find and process artifacts
+      - name: Save artifact path to variable
         shell: bash
         run: |
-          shopt -s nullglob
-          for ARTIFACT in "${{ env.BUILD_ARTIFACTS_PATH }}"/*_unsigned.{exe,zip,msi}; do
-            echo "Processing $ARTIFACT"
-            FILENAME=$(basename "$ARTIFACT")
-            BASE_NAME="${FILENAME%.*}"
-            EXTENSION="${FILENAME##*.}"
-            # Remove '_unsigned' from the base name
-            SIGNED_BASE_NAME="${BASE_NAME%_unsigned}"
-            
-            # Sign and rename EXE and MSI files
-            if [[ "$EXTENSION" == "exe" || "$EXTENSION" == "msi" ]]; then
-              echo "Signing $ARTIFACT"
-              "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "$ARTIFACT"
-              SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${SIGNED_BASE_NAME}.${EXTENSION}"
-              mv "$ARTIFACT" "$SIGNED_ARTIFACT_PATH"
-              echo "Renamed $ARTIFACT to $SIGNED_ARTIFACT_PATH"
-            fi
-            
-            # Unzip, Sign, and Rezip ZIP file without '_unsigned' in the name
-            if [[ "$EXTENSION" == "zip" ]]; then
-              TEMP_DIR=$(mktemp -d)
-              unzip "$ARTIFACT" -d "$TEMP_DIR"
-              find "$TEMP_DIR" -type f -name '*.exe' -exec "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v {} \;
-              SIGNED_ARTIFACT_PATH="${{ env.BUILD_ARTIFACTS_PATH }}/${SIGNED_BASE_NAME}.${EXTENSION}"
-              pushd "$TEMP_DIR"
-              zip -r "$SIGNED_ARTIFACT_PATH" .
-              popd
-              rm -rf "$TEMP_DIR"
-              echo "Processed and re-zipped $ARTIFACT"
-            fi
-          done
+          ARTIFACT=$(find "${{ env.BUILD_ARTIFACTS_PATH }}" -name "*Windows_64bit.exe" | head -n 1)
+          # Convert to Windows-style path with forward slashes
+          FULL_PATH=$(cygpath -w $ARTIFACT | sed 's|\\|/|g')
+          echo "ARTIFACT_PATH=$FULL_PATH" >> $GITHUB_ENV
 
-      - name: Upload signed EXE
-        uses: actions/upload-artifact@v3
-        with:
-          name: Windows_X86-64_interactive_installer
-          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.exe
+      - name: Save Win signing certificate to file
+        run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER }}
 
-      - name: Upload signed MSI
-        uses: actions/upload-artifact@v3
-        with:
-          name: Windows_X86-64_MSI
-          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.msi
-
-
-      - name: Upload signed ZIP
+      - name: Sign EXE
+        env:
+          CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
+          CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+          # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
+        run: |
+          "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino IDE" -f ${{ env.INSTALLER_CERT_WINDOWS_CER }} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v ${{ env.ARTIFACT_PATH }}
+      
+      - name: Rename signed EXE
+        shell: bash
+        run: |
+          BASE_NAME=$(echo "${{ env.ARTIFACT_PATH }}" | sed 's/.exe$//')
+          SIGNED_EXE_PATH="${BASE_NAME}_signed.exe"
+          mv "${{ env.ARTIFACT_PATH }}" "$SIGNED_EXE_PATH"
+          echo "SIGNED_ARTIFACT_PATH=$SIGNED_EXE_PATH" >> $GITHUB_ENV
+  
+      - name: Upload artifacts with signed EXE
         uses: actions/upload-artifact@v3
         with:
-          name: Windows_X86-64_zip
-          path: ${{ env.BUILD_ARTIFACTS_PATH }}/*Windows_64bit.zip
+          name: Windows_X86-64_interactive_installer_signed
+          path: ${{ env.SIGNED_ARTIFACT_PATH }}
 
         # This step is needed because the self hosted runner does not delete files automatically
       - name: Clean up artifacts

electron-app/scripts/package.js

@@ -100,7 +100,7 @@ async function getArtifactName(version) {
   switch (platform) {
     case 'win32': {
       if (arch === 'x64') {
-        return `${name}_${version}_Windows_64bit_unsigned.\$\{ext}`;
+        return `${name}_${version}_Windows_64bit.\$\{ext}`;
       }
       throw new Error(`Unsupported platform, arch: ${platform}, ${arch}`);
     }