From a748c9c6187df51c1fc56253dd77a25efdd9c609 Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 08:50:03 +0100
Subject: [PATCH 1/5] Sign the Windows installer

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index 082c707488..919b393a17 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -61,6 +61,8 @@ env:
     MACOS_CERT_USER: ${{ secrets.MACOS_CERT_USER }}
     GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
     MACOS_CERT_PASSPHRASE: ${{ secrets.MACOS_CERT_PASSPHRASE }}
+    WIN_CERT_INSTALLER_CER: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+    WIN_CERT_INSTALLER_CER_PASS: ${{ secrets.WIN_CERT_INSTALLER_CER_PASS }}
     CURA_CONAN_VERSION: ${{ inputs.cura_conan_version }}
     ENTERPRISE: ${{ inputs.enterprise }}
     STAGING: ${{ inputs.staging }}
@@ -153,6 +155,17 @@ jobs:
                     p12-file-base64: ${{ secrets.MACOS_CERT_P12 }}
                     p12-password: ${{ secrets.MACOS_CERT_PASSPHRASE }}
 
+            -   name: Create PFX certificate from BASE64_PFX_CONTENT secret
+                if: ${{ runner.os == 'Windows' }}
+                id: create-pfx
+                env:
+                    PFX_CONTENT: ${{ secrets.WIN_CERT_INSTALLER_CER }}
+                run: |
+                    $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"; 
+                    $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT); 
+                    Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
+                    Write-Output "::set-output name=PFX_PATH::$pfxPath";
+
             -   name: Clean Conan local cache
                 if: ${{ inputs.conan_clean_local_cache }}
                 run: conan remove "*" -f
@@ -230,6 +243,14 @@ jobs:
                     python ..\cura_inst\packaging\NSIS\create_windows_installer.py ../cura_inst . "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
                 working-directory: dist
 
+            - name: Sign the Windows exe installer (Powershell)
+              if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Windows' }}
+              env:
+                  PFX_PATH: ${{ steps.create-pfx.outputs.PFX_PATH }}
+              run: |
+                  SignTool sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
+              working-directory: dist
+
             -   name: Create the Linux AppImage (Bash)
                 if: ${{ github.event.inputs.installer == 'true' && runner.os == 'Linux' }}
                 run: python ../cura_inst/packaging/AppImage/create_appimage.py ./UltiMaker-Cura $CURA_VERSION_FULL "UltiMaker-Cura-$CURA_VERSION_FULL-${{ inputs.os_name }}.AppImage"

From 992aff17ab7e761ed9fb794856cd6ad2b65afb43 Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 09:31:05 +0100
Subject: [PATCH 2/5] Use full path of signtool

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index 919b393a17..0c760b19a0 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -248,7 +248,7 @@ jobs:
               env:
                   PFX_PATH: ${{ steps.create-pfx.outputs.PFX_PATH }}
               run: |
-                  SignTool sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
+                  "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe" sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
               working-directory: dist
 
             -   name: Create the Linux AppImage (Bash)

From b88f7b87b7ca74e7f12e7a4d23f47c54110e56ed Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 09:31:33 +0100
Subject: [PATCH 3/5] Use env file instead of deprecated set-output

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index 0c760b19a0..e260c7c86d 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -164,7 +164,7 @@ jobs:
                     $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"; 
                     $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT); 
                     Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
-                    Write-Output "::set-output name=PFX_PATH::$pfxPath";
+                    Add-Content [-Path] $Env:GITHUB_OUTPUT [-Value] "PFX_PATH=$pfxPath";
 
             -   name: Clean Conan local cache
                 if: ${{ inputs.conan_clean_local_cache }}

From 18b3eb8f2be05a99f61080e354385ea6a6f0f026 Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 09:50:09 +0100
Subject: [PATCH 4/5] Use echo to write to GITHUB_OUTPUT

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index e260c7c86d..596813979e 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -164,7 +164,7 @@ jobs:
                     $pfxPath = Join-Path -Path $env:RUNNER_TEMP -ChildPath "cert.pfx"; 
                     $encodedBytes = [System.Convert]::FromBase64String($env:PFX_CONTENT); 
                     Set-Content $pfxPath -Value $encodedBytes -AsByteStream;
-                    Add-Content [-Path] $Env:GITHUB_OUTPUT [-Value] "PFX_PATH=$pfxPath";
+                    echo "PFX_PATH=$pfxPath" >> $env:GITHUB_OUTPUT;
 
             -   name: Clean Conan local cache
                 if: ${{ inputs.conan_clean_local_cache }}

From 097067321db0fe56cccf8f3acae5aa5173e6df8b Mon Sep 17 00:00:00 2001
From: Jelle Spijker <j.spijker@ultimaker.com>
Date: Fri, 6 Jan 2023 10:17:44 +0100
Subject: [PATCH 5/5] Use ampersand before signtool command

Contributes to CURA-8607
---
 .github/workflows/cura-installer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cura-installer.yml b/.github/workflows/cura-installer.yml
index 596813979e..60ed28d2b7 100644
--- a/.github/workflows/cura-installer.yml
+++ b/.github/workflows/cura-installer.yml
@@ -248,7 +248,7 @@ jobs:
               env:
                   PFX_PATH: ${{ steps.create-pfx.outputs.PFX_PATH }}
               run: |
-                  "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe" sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
+                  & "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe" sign /f $Env:PFX_PATH /p "$Env:WIN_CERT_INSTALLER_CER_PASS" /fd SHA256 /t http://timestamp.digicert.com "UltiMaker-Cura-$Env:CURA_VERSION_FULL-${{ inputs.os_name }}.exe"
               working-directory: dist
 
             -   name: Create the Linux AppImage (Bash)