Migrate to signpath.io

.github/workflows/ci.yaml

@@ -1,10 +1,13 @@
 name: "CI"
 on:
   workflow_dispatch:
-  pull_request:
+  # NOTE: disable before merge
+  # FIXME: FYI
+  # pull_request:
 
 jobs:
   quality:
+    name: Quality
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v4
@@ -34,6 +37,7 @@ jobs:
         run: pnpm lint
 
   cargo-fmt:
+    name: Cargo Format
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v4

.github/workflows/release.yaml

@@ -1,60 +1,42 @@
-name: "Create Release"
+name: "Release"
 
 on:
   # Allow manual
   workflow_dispatch:
+  push:
+    branches:
+      # TODO: REMOVE ME BEFORE MERGE
+      # FIXME: fr fr ong pls remove
+      - migrate/codesign
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
-  create-release:
-    permissions:
-      contents: write
-    runs-on: ubuntu-latest
-    outputs:
-      release_id: ${{ steps.create-release.outputs.result }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: setup node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Get app version
-        run: echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> $GITHUB_ENV
-      - name: Create release or skip
-        id: create-release
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { script } = await import('${{ github.workspace }}/scripts/actions/create-release.js')
-            return await script({ github, context });
-
   build-tauri:
     name: Build (${{ matrix.settings.os }})
-    needs: create-release
     permissions:
       contents: write
     strategy:
       fail-fast: false
       matrix:
         settings:
-          - host: macos-latest
-            target: universal-apple-darwin
-            toolchain: aarch64-apple-darwin,x86_64-apple-darwin
-            bundles: app,dmg
-            os: darwin
+          # - host: macos-latest
+          #   target: universal-apple-darwin
+          #   toolchain: aarch64-apple-darwin,x86_64-apple-darwin
+          #   bundles: app,dmg
+          #   os: darwin
           - host: windows-latest
             target: x86_64-pc-windows-msvc
             toolchain: x86_64-pc-windows-msvc
             bundles: msi,nsis
             os: windows
-          - host: ubuntu-latest
-            target: x86_64-unknown-linux-gnu
-            toolchain: x86_64-unknown-linux-gnu
-            bundles: deb,appimage
-            os: linux
+          # - host: ubuntu-latest
+          #   target: x86_64-unknown-linux-gnu
+          #   toolchain: x86_64-unknown-linux-gnu
+          #   bundles: deb,appimage
+          #   os: linux
     env:
       APP_DIR: "apps/desktop"
     runs-on: ${{ matrix.settings.host }}
@@ -82,6 +64,7 @@ jobs:
       - name: install frontend dependencies
         run: pnpm install
       - uses: tauri-apps/tauri-action@dev
+        id: tauri
         env:
           APPLE_ID: "${{ secrets.APPLE_ID }}"
           APPLE_PASSWORD: "${{ secrets.APPLE_PASSWORD }}"
@@ -95,54 +78,94 @@ jobs:
           VITE_AXIOM_TOKEN: "${{ secrets.VITE_AXIOM_TOKEN }}"
           VITE_SENTRY_AUTH_TOKEN: "${{ secrets.VITE_SENTRY_AUTH_TOKEN }}"
         with:
+          # NOTE: we only use this action to build the project bins for each platform
+          # because we need to do code signing for windows we will upload manually after the signing is completed
           projectPath: "${{ env.APP_DIR }}"
-          releaseId: ${{ needs.create-release.outputs.release_id }}
           args: --target ${{ matrix.settings.target }} --bundles ${{ matrix.settings.bundles }},updater
-
-  sign-windows:
-    runs-on: ubuntu-latest
-    needs: [create-release, build-tauri]
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download draft binaries
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { script } = await import('${{ github.workspace }}/scripts/actions/download-draft-bins.js')
-            const id = "${{ needs.create-release.outputs.release_id }}";
-            await script({ github, context }, id);
-        env:
-          # NOTE: we need this to download the bins
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # TODO: figure out where the binary are in the fs from the above action
       - name: Presign
         run: |
-          ls -hal binaries
-          sha1sum binaries/*
+          # Create binaries directory if it doesn't exist
+          New-Item -ItemType Directory -Force -Path "./binaries"
+
+          # Parse artifactPaths to extract .exe and .msi files
+          $artifactPaths = '${{ steps.tauri.outputs.artifactPaths }}'
+
+          # Parse as JSON array
+          $paths = $artifactPaths | ConvertFrom-Json
+
+          # Extract .exe and .msi files (excluding .sig and .zip files)
+          $exeFiles = $paths | Where-Object { $_ -match '\.exe$' } | Where-Object { $_ -notmatch '\.(sig|zip)$' }
+          $msiFiles = $paths | Where-Object { $_ -match '\.msi$' } | Where-Object { $_ -notmatch '\.(sig|zip)$' }
+
+          Write-Host "Found EXE files:"
+          $exeFiles | ForEach-Object { Write-Host "  $_" }
+
+          Write-Host "Found MSI files:"
+          $msiFiles | ForEach-Object { Write-Host "  $_" }
+
+          # Move the files to binaries folder
+          $exeFiles | ForEach-Object { 
+            $fileName = Split-Path $_ -Leaf
+            Copy-Item $_ -Destination ".\binaries\$fileName"
+          }
+
+          $msiFiles | ForEach-Object { 
+            $fileName = Split-Path $_ -Leaf
+            Copy-Item $_ -Destination ".\binaries\$fileName"
+          }
+
+          # sha sum the files in binaries
+          Get-ChildItem -Path ".\binaries" -File -Recurse | ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 }
+
+      - name: Upload Unsigned Windows Binaries
+        id: upload-unsigned-artifact
+        uses: actions/upload-artifact@v4
+        with: 
+          path: ./binaries
       - name: Sign Windows Binaries
-        run: |
-          echo "Starting code sign for windows bins..."
-          docker run -v "./binaries:/code/binaries" ghcr.io/sslcom/codesigner:latest batch_sign \
-            -username=${ES_USERNAME} \
-            -password=${ES_PASSWORD} \
-            -credential_id=${ES_CREDENTIAL_ID} \
-            -totp_secret=${ES_TOTP_SECRET} \
-            -input_dir_path="/code/binaries" \
-            -output_dir_path="/code/binaries/signed"
-        env:
-          ES_USERNAME: "${{ secrets.ES_USERNAME }}"
-          ES_PASSWORD: "${{ secrets.ES_PASSWORD }}"
-          ES_CREDENTIAL_ID: "${{ secrets.ES_CREDENTIAL_ID }}"
-          ES_TOTP_SECRET: "${{ secrets.ES_TOTP_SECRET }}"
+        uses: signpath/[email protected]
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'b2cc34a4-3b75-4753-82e4-b755351770ea'
+          project-slug: 'overlayed'
+          # TODO: when we have the production signing policy update this
+          signing-policy-slug: 'test-signing'
+          github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'binaries/signed'
       - name: Postsign
         run: |
-          ls -hal binaries/signed
-          sha1sum binaries/signed/*
+          # using powershell lets list out the sha sum of the signed binaries
+          Get-ChildItem -Path binaries/signed -File -Recurse | ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 }
       - name: Upload signed windows binaries
         uses: actions/github-script@v7
         with:
           script: |
             const { script } = await import('${{ github.workspace }}/scripts/actions/upload-signed-bins.js');
             const id = "${{ needs.create-release.outputs.release_id }}";
             await script({ github, context }, id);
+  create-release:
+    needs: build-tauri
+    name: Create or Update
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    outputs:
+      release_id: ${{ steps.create-release.outputs.result }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - name: Get app version
+        run: echo "PACKAGE_VERSION=$(node -p "require('./apps/desktop/src-tauri/tauri.conf.json').package.version")" >> $GITHUB_ENV
+      - name: Create release or skip
+        id: create-release
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { script } = await import('${{ github.workspace }}/scripts/actions/create-release.js')
+            return await script({ github, context });
+

.signpath/policies/overlayed/test-signing.yml

@@ -0,0 +1,24 @@
+github-policies:
+  runners:
+    allowed_groups:
+      - 'GitHub Actions'                         # all jobs need to run on GitHub-hosted runners
+  build:
+    disallow_reruns: true
+  branch_rulesets:
+    - condition:
+        rules:
+        - block_force_pushes:                    # force pushes are prevented
+        - pull_request:                          # code reviews are required
+            min_required_approvals: 1
+            require_code_owner_review: true
+      allow_bypass_actors: false                 # no-one is allowed to bypass this rule
+      enforced_from: EARLIEST                    # rule enforcement history is checked
+    - condition:
+        rules:
+        - require_code_scanning:                 # code scanning must not reveal problems
+            tools:
+              - tool: CodeQL
+                min_alerts_threshold: errors
+                min_security_alerts_threshold: medium
+        allow_bypass_actors: true                # some people may bypass these rules
+        enforced_from: '2025-01-01 00:00'        # had to be reset at some point