updated Windows code-signing using Signpath

.github/workflows/build-windows.yml

@@ -12,14 +12,18 @@ on:
       installer_base_name:
         required: true
         type: string
+      use_self_signed_cert:
+        description: "Use self-signed code signing certificate"
+        required: false
+        type: boolean
+        default: false # when true, uses self-signed certificate
 
 jobs:
   build-windows:
     env:
-      AC_USERNAME: ${{ secrets.AC_USERNAME }}
-      AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
       BUILD_TYPE: ${{ inputs.build_type }}
       VERSION: ${{ inputs.version }}
+      SIGNPATH_SIGNING_POLICY: ${{ inputs.use_self_signed_cert && vars.SIGNPATH_SIGNING_POLICY_SLUG_TEST || vars.SIGNPATH_SIGNING_POLICY_SLUG }}
     permissions:
       contents: "read"
       id-token: "write"
@@ -99,42 +103,103 @@ jobs:
           Write-Host "APP_NAME=$name"
           Write-Host "APP_VERSION=$version"
 
-      - name: Build Windows release
+      - name: Build Windows binaries
         shell: pwsh
-        env:
-          FULL_INSTALLER_NAME: ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}
         run: |
           dart pub global activate flutter_distributor
           make windows-release
+          if ($LASTEXITCODE -ne 0) {
+            Write-Error "make windows-release failed with exit code $LASTEXITCODE"
+            exit $LASTEXITCODE
+          }
+
+          Write-Host "=== Files in build/windows/x64/runner/Release/ ==="
+          if (Test-Path "build/windows/x64/runner/Release/") {
+            Get-ChildItem -Path "build/windows/x64/runner/Release/" -Recurse | Select-Object -First 20 FullName
+          } else {
+            Write-Warning "Release directory does not exist"
+          }
+
+      - name: Sign embedded binaries
+        shell: pwsh
+        env:
+          SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+        run: |
+          $buildDir = "build/windows/x64/runner/Release"
+          $signScript = "./scripts/ci/sign-windows.ps1"
+
+          # Third-party binaries that are already signed by their vendors
+          $thirdParty = @(
+            'wintun.dll',           # WinTun
+            'flutter_windows.dll',  # Google/Flutter
+            'WebView2Loader.dll',   # Microsoft
+            'WinSparkle.dll'        # WinSparkle
+          )
+
+          # Discover all EXEs and DLLs, excluding third-party signed binaries
+          $binaries = Get-ChildItem -Path $buildDir -Include '*.exe','*.dll' -Recurse -File |
+            Where-Object { $thirdParty -notcontains $_.Name } |
+            Select-Object -ExpandProperty FullName
+          # Sign each binary
+          foreach ($binary in $binaries) {
+            if (Test-Path $binary) {
+              Write-Host "Signing $binary..."
+              & $signScript `
+                -FilePath $binary `
+                -SigningPolicy "${{ env.SIGNPATH_SIGNING_POLICY }}" `
+                -OrganizationId "${{ vars.SIGNPATH_ORG_ID }}" `
+                -ProjectSlug "${{ vars.SIGNPATH_PROJECT_SLUG }}" `
+                -ApiToken $env:SIGNPATH_API_TOKEN `
+                -Description "GitHub Actions build ${{ inputs.version }}"
+
+              if ($LASTEXITCODE -ne 0) {
+                Write-Error "Failed to sign $binary"
+                exit 1
+              }
+            } else {
+              Write-Warning "Binary not found, skipping: $binary"
+            }
+          }
+
+          Write-Host "All binaries signed successfully"
+
+      - name: Package installer
+        shell: pwsh
+        env:
+          FULL_INSTALLER_NAME: ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}
+        run: |
           flutter_distributor package `
             --platform windows `
             --targets "exe" `
             --skip-clean `
             --build-dart-define=BUILD_TYPE=${{ env.BUILD_TYPE }} `
             --build-dart-define=VERSION=${{ inputs.version }} `
             --flutter-build-args=verbose
+
+          Write-Host ""
+          Write-Host "=== Contents of dist/$env:APP_VERSION/ ==="
+          Get-ChildItem -Path "dist/$env:APP_VERSION/" -Recurse | Select-Object FullName
+          Write-Host ""
+
           Move-Item "dist/$env:APP_VERSION/$env:APP_NAME-$env:APP_VERSION-windows-setup.exe" "$env:FULL_INSTALLER_NAME.exe"
 
-      - name: Sign EXE with Azure Code Signing
-        uses: getlantern/trusted-signing-action@main
-        with:
-          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-          endpoint: https://wus2.codesigning.azure.net/
-          code-signing-account-name: code-signing
-          certificate-profile-name: Lantern
-          files-folder: ${{ github.workspace }}/
-          files-folder-filter: exe,dll,msix
-          file-digest: SHA256
-          timestamp-rfc3161: http://timestamp.acs.microsoft.com
-          timestamp-digest: SHA256
+      - name: Sign installer
+        shell: pwsh
+        env:
+          SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+          FULL_INSTALLER_NAME: ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}
+        run: |
+          ./scripts/ci/sign-windows.ps1 `
+            -FilePath "$env:FULL_INSTALLER_NAME.exe" `
+            -SigningPolicy "${{ env.SIGNPATH_SIGNING_POLICY }}" `
+            -OrganizationId "${{ vars.SIGNPATH_ORG_ID }}" `
+            -ProjectSlug "${{ vars.SIGNPATH_PROJECT_SLUG }}" `
+            -ApiToken $env:SIGNPATH_API_TOKEN `
+            -Description "Installer - GitHub Actions build ${{ inputs.version }}"
 
       - name: Upload Windows installer
         uses: actions/upload-artifact@v4
-        env:
-          FULL_INSTALLER_NAME: ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}
         with:
           name: lantern-installer-exe
-          path: ${{ env.FULL_INSTALLER_NAME }}.exe
+          path: ${{ inputs.installer_base_name }}${{ inputs.build_type != 'production' && format('-{0}', inputs.build_type) || '' }}.exe
           retention-days: 2

.github/workflows/release.yml

@@ -188,6 +188,16 @@ jobs:
       build_type: ${{ needs.set-metadata.outputs.build_type }}
       installer_base_name: ${{ needs.set-metadata.outputs.installer_base_name }}
 
+  build-windows:
+    needs: [set-metadata, release-create]
+    uses: ./.github/workflows/build-windows.yml
+    secrets: inherit
+    if: ${{ needs.set-metadata.outputs.platform == 'all' || contains(needs.set-metadata.outputs.platform, 'windows') }}
+    with:
+      version: ${{ needs.set-metadata.outputs.version }}
+      build_type: ${{ needs.set-metadata.outputs.build_type }}
+      installer_base_name: ${{ needs.set-metadata.outputs.installer_base_name }}
+
   build-linux:
     needs: [set-metadata, release-create]
     uses: ./.github/workflows/build-linux.yml
@@ -265,10 +275,19 @@ jobs:
             --notes "Build [in progress](${WORKFLOW_URL})..."
 
   upload-s3:
-    needs: [set-metadata, build-macos, build-linux, build-android, build-ios]
+    needs:
+      [
+        set-metadata,
+        build-macos,
+        build-windows,
+        build-linux,
+        build-android,
+        build-ios,
+      ]
     if: |
       !cancelled() &&
       (needs.build-macos.result == 'success' || needs.build-macos.result == 'skipped') &&
+      (needs.build-windows.result == 'success' || needs.build-windows.result == 'skipped') &&
       (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') &&
       (needs.build-android.result == 'success' || needs.build-android.result == 'skipped') &&
       (needs.build-ios.result == 'success' || needs.build-ios.result == 'skipped')
@@ -336,6 +355,7 @@ jobs:
         set-metadata,
         release-create,
         build-macos,
+        build-windows,
         build-linux,
         build-android,
         build-ios,
@@ -344,6 +364,7 @@ jobs:
       !cancelled() &&
       needs.release-create.result == 'success' &&
       (needs.build-macos.result == 'success' || needs.build-macos.result == 'skipped') &&
+      (needs.build-windows.result == 'success' || needs.build-windows.result == 'skipped') &&
       (needs.build-linux.result == 'success' || needs.build-linux.result == 'skipped') &&
       (needs.build-android.result == 'success' || needs.build-android.result == 'skipped') &&
       (needs.build-ios.result == 'success' || needs.build-ios.result == 'skipped')
@@ -393,6 +414,7 @@ jobs:
           }
 
           upload_if_exists "lantern-installer-dmg/${FULL_NAME}.dmg"
+          upload_if_exists "lantern-installer-exe/${FULL_NAME}.exe"
           upload_if_exists "lantern-installer-apk/${FULL_NAME}.apk"
           upload_if_exists "lantern-installer-deb/${FULL_NAME}.deb"
           upload_if_exists "lantern-installer-rpm/${FULL_NAME}.rpm"

Makefile

@@ -409,7 +409,7 @@ windows-debug: windows
 .PHONY: build-windows-release
 build-windows-release:
 	@echo "Building Flutter app (release) for Windows..."
-	flutter build windows --release
+	flutter build windows --release --verbose
 
 .PHONY: windows-release
 windows-release: clean windows pubget gen build-windows-release prepare-windows-release

linux/CMakeLists.txt

@@ -117,9 +117,11 @@ endforeach(bundled_library)
 
 # Copy the native assets provided by the build.dart from all packages.
 set(NATIVE_ASSETS_DIR "${PROJECT_BUILD_DIR}native_assets/linux/")
-install(DIRECTORY "${NATIVE_ASSETS_DIR}"
-   DESTINATION "${INSTALL_BUNDLE_LIB_DIR}"
-   COMPONENT Runtime)
+if(EXISTS "${NATIVE_ASSETS_DIR}")
+  install(DIRECTORY "${NATIVE_ASSETS_DIR}"
+     DESTINATION "${INSTALL_BUNDLE_LIB_DIR}"
+     COMPONENT Runtime)
+endif()
 
 # Fully re-copy the assets directory on each build to avoid having stale files
 # from a previous install.

scripts/ci/format.sh

@@ -65,6 +65,10 @@ release-notes)
     echo "- [macOS (.dmg)](${LATEST_URL}/${FULL_INSTALLER_NAME}.dmg) ([permalink](${VERSION_URL}/${FULL_INSTALLER_NAME}.dmg))"
   fi
 
+  if should_include "windows"; then
+    echo "- [Windows (.exe)](${LATEST_URL}/${FULL_INSTALLER_NAME}.exe) ([permalink](${VERSION_URL}/${FULL_INSTALLER_NAME}.exe))"
+  fi
+
   if should_include "android"; then
     echo "- [Android (.apk)](${LATEST_URL}/${FULL_INSTALLER_NAME}.apk) ([permalink](${VERSION_URL}/${FULL_INSTALLER_NAME}.apk))"
   fi
@@ -94,6 +98,10 @@ slack)
     text="${text}\n• macOS <${LATEST_URL}/${FULL_INSTALLER_NAME}.dmg|${FULL_INSTALLER_NAME}.dmg> (<${VERSION_URL}/${FULL_INSTALLER_NAME}.dmg|permalink>)"
   fi
 
+  if should_include "windows"; then
+    text="${text}\n• Windows <${LATEST_URL}/${FULL_INSTALLER_NAME}.exe|${FULL_INSTALLER_NAME}.exe> (<${VERSION_URL}/${FULL_INSTALLER_NAME}.exe|permalink>)"
+  fi
+
   if should_include "android"; then
     text="${text}\n• Android <${LATEST_URL}/${FULL_INSTALLER_NAME}.apk|${FULL_INSTALLER_NAME}.apk> (<${VERSION_URL}/${FULL_INSTALLER_NAME}.apk|permalink>)"
   fi

scripts/ci/publish-to-s3.sh

@@ -84,7 +84,7 @@ upload_artifact() {
 # platform:extension
 declare -a artifacts=(
   "macos:dmg"
-  # "windows:exe" # TODO: re-enable when windows is built
+  "windows:exe"
   "android:apk"
   "linux:deb"
   "linux:rpm"