From 1895ab523220369c7101331c73b3358d6743549d Mon Sep 17 00:00:00 2001
From: Hiroshiba <hihokaruta@gmail.com>
Date: Thu, 5 Oct 2023 04:11:54 +0900
Subject: [PATCH] =?UTF-8?q?[release-0.14]=20=E3=82=B3=E3=83=BC=E3=83=89?=
 =?UTF-8?q?=E7=BD=B2=E5=90=8D=E3=82=92eSignerCKA=E3=81=AB=20(#627)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/build_and_deploy.yml | 10 +++--
 build_util/codesign.bash               | 54 +++++++++++++++++++-------
 2 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
index 793c71efa..ab54792e1 100644
--- a/.github/workflows/build_and_deploy.yml
+++ b/.github/workflows/build_and_deploy.yml
@@ -154,8 +154,9 @@ jobs:
         run: |
           bash build_util/codesign.bash "artifact/${{ env.ASSET_NAME }}/voicevox_core.dll"
         env:
-          CERT_BASE64: ${{ secrets.CERT_BASE64 }}
-          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
       - name: Archive artifact
         shell: bash
         run: |
@@ -241,8 +242,9 @@ jobs:
         run: |
           bash build_util/codesign.bash ./${{ matrix.name }}
         env:
-          CERT_BASE64: ${{ secrets.CERT_BASE64 }}
-          CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }}
+          ESIGNERCKA_USERNAME: ${{ secrets.ESIGNERCKA_USERNAME }}
+          ESIGNERCKA_PASSWORD: ${{ secrets.ESIGNERCKA_PASSWORD }}
+          ESIGNERCKA_TOTP_SECRET: ${{ secrets.ESIGNERCKA_TOTP_SECRET }}
       - name: Upload to Release
         if: env.VERSION != 'DEBUG' && env.SKIP_UPLOADING_RELEASE_ASSET == '0'
         uses: softprops/action-gh-release@v1
diff --git a/build_util/codesign.bash b/build_util/codesign.bash
index 8bf3ac8be..5c80cf55f 100755
--- a/build_util/codesign.bash
+++ b/build_util/codesign.bash
@@ -1,14 +1,20 @@
 #!/usr/bin/env bash
 # !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
 
+# eSignerCKAを使ってコード署名する
+
 set -eu
 
-if [ ! -v CERT_BASE64 ]; then
-    echo "CERT_BASE64が未定義です"
+if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
+    echo "ESIGNERCKA_USERNAMEが未定義です"
+    exit 1
+fi
+if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
+    echo "ESIGNERCKA_PASSWORDが未定義です"
     exit 1
 fi
-if [ ! -v CERT_PASSWORD ]; then
-    echo "CERT_PASSWORDが未定義です"
+if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
+    echo "ESIGNERCKA_TOTP_SECRETが未定義です"
     exit 1
 fi
 
@@ -18,22 +24,44 @@ if [ $# -ne 1 ]; then
 fi
 target_file_glob="$1"
 
-# 証明書
-CERT_PATH=cert.pfx
-echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH
+# eSignerCKAのセットアップ
+INSTALL_DIR='..\eSignerCKA'
+if [ ! -d "$INSTALL_DIR" ]; then
+    curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
+    unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
+    mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe
+    powershell "
+        & ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null
+        & '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r
+        & '$INSTALL_DIR\eSignerCKATool.exe' unload
+    "
+    rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
+fi
+
+# 証明書を読み込む
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load"
+
+# shellcheck disable=SC2016
+THUMBPRINT=$(
+    powershell '
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+        echo "$($CodeSigningCert.Thumbprint)"
+    '
+)
 
 # 指定ファイルに署名する
 function codesign() {
     TARGET="$1"
-    SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
-    powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'"
+    # shellcheck disable=SC2012
+    SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
+    powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'"
 }
 
 # 指定ファイルが署名されているか
 function is_signed() {
     TARGET="$1"
     SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
-    powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1
+    powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1
 }
 
 # 署名されていなければ署名
@@ -42,10 +70,10 @@ ls $target_file_glob | while read -r target_file; do
     if is_signed "$target_file"; then
         echo "署名済み: $target_file"
     else
-        echo "署名: $target_file"
+        echo "署名開始: $target_file"
         codesign "$target_file"
     fi
 done
 
-# 証明書を消去
-rm $CERT_PATH
+# 証明書を破棄
+powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"