From e56c78a3647508f8f933b101971982a2235e6879 Mon Sep 17 00:00:00 2001 From: nate smith Date: Fri, 7 Jan 2022 12:31:06 -0600 Subject: [PATCH 1/6] Sign Windows .exes in a post-build hook --- .github/workflows/releases.yml | 3 ++- .goreleaser.yml | 6 ++++++ script/sign-windows-executable.sh | 28 ++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100755 script/sign-windows-executable.sh diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index f44689804..b1f4d7e17 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -33,6 +33,8 @@ jobs: env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}} + GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}} + DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}} - name: Checkout documentation site uses: actions/checkout@v2 with: @@ -61,7 +63,6 @@ jobs: api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN done echo "moved ${#cards[@]} cards to the Done column" - - name: Install packaging dependencies run: sudo apt-get install -y rpm reprepro - name: Set up GPG diff --git a/.goreleaser.yml b/.goreleaser.yml index 95d43500d..45624cc9d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -32,6 +32,12 @@ builds: id: windows goos: [windows] goarch: [386, amd64] + hooks: + post: + - cmd: ./script/sign-windows-executable.sh {{ .Path }} + env: + - GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }} + - DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }} archives: - id: nix diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh new file mode 100755 index 000000000..098758ee1 --- /dev/null +++ b/script/sign-windows-executable.sh 
@@ -0,0 +1,28 @@ +#!/bin/bash +set -e + +EXECUTABLE_PATH=$1 + +curl \ + -H "Authorization: token $DESKTOP_CERT_TOKEN" \ + -H "Accept: application/vnd.github.v3.raw" \ + --output windows-certificate.pfx \ + https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx + +PROGRAM_NAME="GitHub CLI" + +# Convert private key to the expected format +openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} +openssl rsa -in private-key.pem -outform PVK -pvk-none -out private-key.pvk + +# Convert certificate chain into the expected format +openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} +openssl crl2pkcs7 -nocrl -certfile certificate.pem -outform DER -out certificate.spc + +signcode \ + -spc certificate.spc \ + -v private-key.pvk \ + -n $PROGRAM_NAME \ + -t http://timestamp.digicert.com \ + -a sha256 \ +$EXECUTABLE_PATH From 45adc4ad76fb73cc7ed031313b26a24204f7f936 Mon Sep 17 00:00:00 2001 From: Matthew Preble Date: Fri, 7 Jan 2022 20:56:33 -0600 Subject: [PATCH 2/6] Migrate to osslsigncode. --- .github/workflows/releases.yml | 2 ++ script/sign-windows-executable.sh | 24 +++++++++++------------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index b1f4d7e17..216fa9dba 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -25,6 +25,8 @@ jobs: -q .body > CHANGELOG.md env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + - name: Install osslsigncode + run: sudo apt-get install -y osslsigncode - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 with: diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh index 098758ee1..68af9e5d8 100755 --- a/script/sign-windows-executable.sh +++ b/script/sign-windows-executable.sh 
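Review bot: Both `openssl pkcs12` lines pass the PFX password as `-passin pass:${GITHUB_CERT_PASSWORD}`, which puts the secret into the process argument list where `ps` or `/proc/<pid>/cmdline` expose it to any other process on the runner for as long as openssl runs; `-passin env:GITHUB_CERT_PASSWORD` reads it from the environment the workflow already provides. The `-nodes` exports leave the unencrypted key (`private-key.pem`, `private-key.pvk`) and the downloaded `.pfx` in the checkout with nothing removing them, so a `trap 'rm -f windows-certificate.pfx private-key.pem private-key.pvk certificate.pem certificate.spc' EXIT` near the top of the script would bound their lifetime to the hook. Separately, `-n $PROGRAM_NAME` is unquoted, so the value "GitHub CLI" is word-split into `-n GitHub` plus a stray `CLI` argument; write `-n "$PROGRAM_NAME"` and likewise quote `"$EXECUTABLE_PATH"`, which is caller-supplied.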
@@ -9,20 +9,18 @@ curl \ --output windows-certificate.pfx \ https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx -PROGRAM_NAME="GitHub CLI" - -# Convert private key to the expected format openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} -openssl rsa -in private-key.pem -outform PVK -pvk-none -out private-key.pvk - -# Convert certificate chain into the expected format openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} -openssl crl2pkcs7 -nocrl -certfile certificate.pem -outform DER -out certificate.spc -signcode \ - -spc certificate.spc \ - -v private-key.pvk \ - -n $PROGRAM_NAME \ +osslsigncode sign \ + -certs certificate.pem \ + -key private-key.pem \ + -n "GitHub CLI" \ -t http://timestamp.digicert.com \ - -a sha256 \ -$EXECUTABLE_PATH + -in $EXECUTABLE_PATH \ + -out gh_signed.exe + +# Oddly, there can be a delay before the file is *actually* available - wait for it +while [ ! -f gh_signed.exe ]; do sleep 1; done; + +mv gh_signed.exe $EXECUTABLE_PATH From f30b7dbf72df4311a0982ee1ee83867a9e08a40d Mon Sep 17 00:00:00 2001 From: nate smith Date: Mon, 10 Jan 2022 15:51:32 -0600 Subject: [PATCH 3/6] Work around parallel race condition problems --- .goreleaser.yml | 6 ++---- script/prepare-windows-cert.sh | 13 +++++++++++++ script/sign-windows-executable.sh | 20 ++++++++------------ 3 files changed, 23 insertions(+), 16 deletions(-) create mode 100755 script/prepare-windows-cert.sh diff --git a/.goreleaser.yml b/.goreleaser.yml index 45624cc9d..b5abae4a8 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -9,6 +9,7 @@ before: hooks: - go mod tidy - make manpages GH_VERSION={{.Version}} + - ./script/prepare-windows-cert.sh "{{.Env.GITHUB_CERT_PASSWORD}}" "{{.Env.DESKTOP_CERT_TOKEN}}" builds: - <<: &build_defaults 
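Review bot: The migration drops the `-a sha256` that the signcode invocation carried, and the new `osslsigncode sign` command does not select a digest at all; on the 1.x osslsigncode that `apt-get install` provides on the Ubuntu runner the default is SHA-1 unless `-h` is given (confirm against the installed version), and SHA-1 Authenticode signatures are deprecated on current Windows. Add `-h sha256` to the command so the digest is explicit regardless of which osslsigncode version the runner ends up with. `-in $EXECUTABLE_PATH` should also be written `-in "$EXECUTABLE_PATH"`, since the path comes from the caller.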
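Review bot: The new `before` hook hands `GITHUB_CERT_PASSWORD` and `DESKTOP_CERT_TOKEN` to `prepare-windows-cert.sh` as positional command-line arguments, so both secrets sit in the script's argv (readable via `ps` or `/proc/<pid>/cmdline` by other processes on the runner) and will be printed verbatim if GoReleaser echoes the hook command on failure or under verbose logging, which I have not verified for the pinned version. The workflow step already exports both values into GoReleaser's environment (patch 1 reads them through `.Env`), and hooks inherit that environment, so the hook can be just `- ./script/prepare-windows-cert.sh` with the script reading `${GITHUB_CERT_PASSWORD}` and `${DESKTOP_CERT_TOKEN}` instead of `$1`/`$2`. That also removes the need to quote the templated values in the hook line.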
@@ -34,10 +35,7 @@ builds: goarch: [386, amd64] hooks: post: - - cmd: ./script/sign-windows-executable.sh {{ .Path }} - env: - - GITHUB_CERT_PASSWORD={{ .Env.GITHUB_CERT_PASSWORD }} - - DESKTOP_CERT_TOKEN={{ .Env.DESKTOP_CERT_TOKEN }} + - ./script/sign-windows-executable.sh {{ .Path }} archives: - id: nix diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh new file mode 100755 index 000000000..579694ce8 --- /dev/null +++ b/script/prepare-windows-cert.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +GITHUB_CERT_PASSWORD=$1 +DESKTOP_CERT_TOKEN=$2 + +curl \ + -H "Authorization: token $DESKTOP_CERT_TOKEN" \ + -H "Accept: application/vnd.github.v3.raw" \ + --output windows-certificate.pfx \ + https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx + +openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 1" +openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 2" \ No newline at end of file diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh index 68af9e5d8..77cf78ca8 100755 --- a/script/sign-windows-executable.sh +++ b/script/sign-windows-executable.sh @@ -3,14 +3,13 @@ set -e EXECUTABLE_PATH=$1 -curl \ - -H "Authorization: token $DESKTOP_CERT_TOKEN" \ - -H "Accept: application/vnd.github.v3.raw" \ - --output windows-certificate.pfx \ - https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx +ARCH="386" -openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} -openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} +if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then + ARCH="amd64" +fi + +OUT_PATH=gh_signed-${ARCH}.exe osslsigncode sign \ -certs certificate.pem \ 
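Review bot: `prepare-windows-cert.sh` writes the unencrypted private key to `private-key.pem` at the repository root (`-nodes`) next to the downloaded `.pfx`, and nothing in the series deletes either; because the `before` hook runs once for the whole release, the key stays on disk for the rest of the GoReleaser run where every later hook, archive glob and artifact upload can read it. The `.pfx` is not needed after the two exports, so `rm -f windows-certificate.pfx` immediately after them plus `chmod 600 private-key.pem` narrows the exposure, and a workflow step with `if: always()` that removes `private-key.pem` and `certificate.pem` once GoReleaser finishes closes it. `-passin pass:${GITHUB_CERT_PASSWORD}` also places the password in argv; `-passin env:GITHUB_CERT_PASSWORD` would not.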
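Review bot: The arch sniffing `if [[ $EXECUTABLE_PATH =~ "amd64" ]]` exists only to give the two parallel builds distinct temporary output names, and it silently maps any future goarch (arm64, for instance) onto the 386 name, which brings the collision back. Deriving the temporary name from the input path removes the branch entirely: `OUT_PATH="${EXECUTABLE_PATH}.signed"` and then `mv "$OUT_PATH" "$EXECUTABLE_PATH"`, with the unquoted `$EXECUTABLE_PATH` uses quoted at the same time. The rest of the script (the osslsigncode call and the mv) continues in the next hunk.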
@@ -18,9 +17,6 @@ osslsigncode sign \ -n "GitHub CLI" \ -t http://timestamp.digicert.com \ -in $EXECUTABLE_PATH \ - -out gh_signed.exe + -out $OUT_PATH -# Oddly, there can be a delay before the file is *actually* available - wait for it -while [ ! -f gh_signed.exe ]; do sleep 1; done; - -mv gh_signed.exe $EXECUTABLE_PATH +mv $OUT_PATH $EXECUTABLE_PATH \ No newline at end of file From a23bdcd84daccc248519017811f101aae5ad51b9 Mon Sep 17 00:00:00 2001 From: nate smith Date: Fri, 14 Jan 2022 16:24:04 -0600 Subject: [PATCH 4/6] clean up leftover debugging, add -e --- script/prepare-windows-cert.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh index 579694ce8..92926c4d6 100755 --- a/script/prepare-windows-cert.sh +++ b/script/prepare-windows-cert.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e GITHUB_CERT_PASSWORD=$1 DESKTOP_CERT_TOKEN=$2 @@ -9,5 +10,5 @@ curl \ --output windows-certificate.pfx \ https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx -openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 1" -openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} || echo "no bueno 2" \ No newline at end of file +openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} +openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} \ No newline at end of file From e6b4fe632b8efd8218a292af63d54c104f788051 Mon Sep 17 00:00:00 2001 From: nate smith Date: Fri, 14 Jan 2022 16:32:56 -0600 Subject: [PATCH 5/6] skip signing if env vars not in place --- .goreleaser.yml | 4 ++-- script/prepare-windows-cert.sh | 5 +++++ script/sign-windows-executable.sh | 6 +++++- 3 files changed, 12 insertions(+), 3 deletions(-) 
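Review bot: With `set -e` now in force the two `openssl pkcs12` lines abort the release on failure, but the `curl` whose tail forms this hunk's context still exits 0 on an HTTP 401 or 404, so an expired or revoked `DESKTOP_CERT_TOKEN` saves GitHub's JSON error body as `windows-certificate.pfx` and the run dies later with an unrelated PKCS12 parse error. Add `--fail --silent --show-error` to the `curl` invocation so the real cause is reported where it occurs and no half-written file is left behind. The start of the `curl` command is outside this hunk.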
diff --git a/.goreleaser.yml b/.goreleaser.yml index b5abae4a8..01c727d93 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -9,7 +9,7 @@ before: hooks: - go mod tidy - make manpages GH_VERSION={{.Version}} - - ./script/prepare-windows-cert.sh "{{.Env.GITHUB_CERT_PASSWORD}}" "{{.Env.DESKTOP_CERT_TOKEN}}" + - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD" }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN" }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}' builds: - <<: &build_defaults @@ -35,7 +35,7 @@ builds: goarch: [386, amd64] hooks: post: - - ./script/sign-windows-executable.sh {{ .Path }} + - ./script/sign-windows-executable.sh '{{ .Path }}' archives: - id: nix diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh index 92926c4d6..8bcd7d9b2 100755 --- a/script/prepare-windows-cert.sh +++ b/script/prepare-windows-cert.sh @@ -4,6 +4,11 @@ set -e GITHUB_CERT_PASSWORD=$1 DESKTOP_CERT_TOKEN=$2 +if [[ -z "$GITHUB_CERT_PASSWORD" || -z "$DESKTOP_CERT_TOKEN" ]]; then + echo "skipping windows signing prep; cert password or token not found" + exit 0 +fi + curl \ -H "Authorization: token $DESKTOP_CERT_TOKEN" \ -H "Accept: application/vnd.github.v3.raw" \ diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh index 77cf78ca8..6712ac764 100755 --- a/script/sign-windows-executable.sh +++ b/script/sign-windows-executable.sh @@ -1,8 +1,12 @@ #!/bin/bash set -e -EXECUTABLE_PATH=$1 +if [[ ! -e certificate.pem || ! -e private-key.pem ]]; then + echo "skipping windows signing; cert or key not found" + exit 0 +fi +EXECUTABLE_PATH=$1 ARCH="386" if [[ $EXECUTABLE_PATH =~ "amd64" ]]; then From 2ade4e5608912fe7a294bee4c779064a7893ae7d Mon Sep 17 00:00:00 2001 
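Review bot: The new guard turns a missing `GITHUB_CERT_PASSWORD` or `DESKTOP_CERT_TOKEN` into `exit 0`, so a tagged release whose secrets are misconfigured or rotated publishes unsigned Windows binaries with only a log line to show for it, and the matching file-existence guard added to `sign-windows-executable.sh` then skips silently as well. Skipping is reasonable for snapshot or fork builds, but a real release should fail instead, e.g. `if [[ -n "$GORELEASER_CURRENT_TAG" ]]; then echo "release build but signing secrets are missing" >&2; exit 1; fi` ahead of the `exit 0`; the workflow in this series exports `GORELEASER_CURRENT_TAG` to the GoReleaser step, so it should be visible to hooks if they inherit the environment, which is worth confirming. An alternative that catches every path is a later workflow step that verifies the signature on the produced `.exe` (for example with `osslsigncode verify`) before artifacts are uploaded.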
From: nate smith Date: Fri, 14 Jan 2022 16:46:56 -0600 Subject: [PATCH 6/6] add newlines to end of file --- script/prepare-windows-cert.sh | 2 +- script/sign-windows-executable.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/script/prepare-windows-cert.sh b/script/prepare-windows-cert.sh index 8bcd7d9b2..d52d12b1d 100755 --- a/script/prepare-windows-cert.sh +++ b/script/prepare-windows-cert.sh @@ -16,4 +16,4 @@ curl \ https://api.github.com/repos/desktop/desktop-secrets/contents/windows-certificate.pfx openssl pkcs12 -in windows-certificate.pfx -nocerts -nodes -out private-key.pem -passin pass:${GITHUB_CERT_PASSWORD} -openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} \ No newline at end of file +openssl pkcs12 -in windows-certificate.pfx -nokeys -nodes -out certificate.pem -passin pass:${GITHUB_CERT_PASSWORD} diff --git a/script/sign-windows-executable.sh b/script/sign-windows-executable.sh index 6712ac764..2141c9552 100755 --- a/script/sign-windows-executable.sh +++ b/script/sign-windows-executable.sh @@ -23,4 +23,4 @@ osslsigncode sign \ -in $EXECUTABLE_PATH \ -out $OUT_PATH -mv $OUT_PATH $EXECUTABLE_PATH \ No newline at end of file +mv $OUT_PATH $EXECUTABLE_PATH