From a748c9c6187df51c1fc56253dd77a25efdd9c609 Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 08:50:03 +0100
Subject: [PATCH] Sign the Windows installer

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index 082c707488..919b393a17 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -61,6 +61,8 @@ env:
     MACOS_CERT_USER: ${{ secrets.MACOS_CERT_USER }}
     GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
     MACOS_CERT_PASSPHRASE: ${{ secrets.MACOS_CERT_PASSPHRASE }}
+    WIN_CERT_INSTALLER_CER: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+    WIN_CERT_INSTALLER_CER_PASS: ${{ secrets.WIN_CERT_INSTALLER_CER_PASS }}
     CURA_CONAN_VERSION: ${{ inputs.cura_conan_version }}
     ENTERPRISE: ${{ inputs.enterprise }}
     STAGING: ${{ inputs.staging }}
@@ -153,6 +155,17 @@ jobs:
                     p12-file-base64: ${{ secrets.MACOS_CERT_P12 }}
                     p12-password: ${{ secrets.MACOS_CERT_PASSPHRASE }}
 
+            -   name: Create PFX certificate from BASE64_PFX_CONTENT secret
+                if: ${{ runner.os == 'Windows' }}
+                id: create-pfx
+                env:
+                    PFX_CONTENT: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+                run: |
+                    $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"; 
+                    $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT); 
+                    Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
+                    Write-Output "::set-output name=PFX_PATH::$pfxPath";
+
             -   name: Clean Conan local cache
                 if: ${{ inputs.conan_clean_local_cache }}
                 run: conan remove "*" -f
@@ -230,6 +243,14 @@ jobs:
                     python ..\cura_inst\packaging\NSIS\create_windows_installer.py ../cura_inst . "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
                 working-directory: dist
 
+            - name: Sign the Windows exe installer (Powershell)
+              if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Windows' }}
+              env:
+                  PFX_PATH: ${{ steps.create-pfx.outputs.PFX_PATH }}
+              run: |
+                  SignTool sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
+              working-directory: dist
+
             -   name: Create the Linux AppImage (Bash)
                 if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Linux' }}
                 run: python ../cura_inst/packaging/AppImage/create_appimage.py ./UltiMaker-Cura $CURA_VERSION_FULL "UltiMaker-Cura-$CURA_VERSION_FULL-${{ inputs.os_name }}.AppImage"