PICARD-2760: Use SignTool for all Windows code signing

This tool is more flexible then the than the Powershell commandlet and
unifies code signing between .exe and .appx packages.

.github/workflows/package.yml

@@ -188,8 +188,10 @@ jobs:
     - name: Build Windows 10 signed app package
       if: matrix.type == 'signed-app' && env.CODESIGN == '1'
       run: |
-        $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
-        & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER -CertificateFile .\codesign.pfx -CertificatePassword $CertPassword
+        $CertificateFile = ".\codesign.pfx"
+        $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
+        & .\scripts\package\win-package-appx.ps1 -BuildNumber $Env:BUILD_NUMBER `
+          -CertificateFile $CertificateFile -CertificatePassword $CertPassword
         Move-Item .\dist\*.msix .\artifacts
       env:
         CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}
@@ -198,12 +200,14 @@ jobs:
       run: |
         # choco install nsis
         If ($Env:CODESIGN -eq "1") {
-          $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
-          $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
+          $CertificateFile = ".\codesign.pfx"
+          $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
         } Else {
-          $Certificate = $null
+          $CertificateFile = $null
+          $CertificatePassword = $null
         }
-        & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
+        & .\scripts\package\win-package-installer.ps1 -BuildNumber $Env:BUILD_NUMBER `
+          -CertificateFile $CertificateFile -CertificatePassword $CertPassword
         Move-Item .\installer\*.exe .\artifacts
         dist\picard\fpcalc -version
       env:
@@ -212,12 +216,14 @@ jobs:
       if: matrix.type == 'portable'
       run: |
         If ($Env:CODESIGN -eq "1") {
-          $CertPassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
-          $Certificate = Get-PfxCertificate -FilePath .\codesign.pfx -Password $CertPassword
+          $CertificateFile = ".\codesign.pfx"
+          $CertificatePassword = ConvertTo-SecureString -String $Env:CODESIGN_P12_PASSWORD -Force -AsPlainText
         } Else {
-          $Certificate = $null
+          $CertificateFile = $null
+          $CertificatePassword = $null
         }
-        & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER -Certificate $Certificate
+        & .\scripts\package\win-package-portable.ps1 -BuildNumber $Env:BUILD_NUMBER `
+          -CertificateFile $CertificateFile -CertificatePassword $CertPassword
         Move-Item .\dist\*.exe .\artifacts
       env:
         CODESIGN_P12_PASSWORD: ${{ secrets.CODESIGN_P12_PASSWORD }}

scripts/package/win-common.ps1

@@ -1,8 +1,11 @@
 # Common functions for Windows packaging scripts
 
 Param(
-  [System.Security.Cryptography.X509Certificates.X509Certificate]
-  $Certificate
+  [ValidateScript({ (Test-Path $_ -PathType Leaf) -or ($_ -eq $null) })]
+  [String]
+  $CertificateFile,
+  [SecureString]
+  $CertificatePassword
 )
 
 # RFC 3161 timestamp server for code signing
@@ -14,9 +17,11 @@ Function CodeSignBinary {
     [String]
     $BinaryPath
   )
-  If ($Certificate) {
-    Set-AuthenticodeSignature -FilePath $BinaryPath -Certificate $Certificate `
-      -TimestampServer $TimeStampServer -ErrorAction Stop
+  If ($CertificateFile) {
+    SignTool sign /v /fd SHA256 /tr "$TimeStampServer" /td sha256 `
+      /f "$CertificateFile" /p (ConvertFrom-SecureString -AsPlainText $CertificatePassword) `
+      $BinaryPath
+    ThrowOnExeError "SignTool failed"
   } Else {
     Write-Output "Skip signing $BinaryPath"
   }

scripts/package/win-package-appx.ps1

@@ -1,9 +1,7 @@
 # Build a MSIX app package for Windows 10
 
 Param(
-  [System.Security.Cryptography.X509Certificates.X509Certificate]
-  $Certificate,
-  [ValidateScript({Test-Path $_ -PathType Leaf})]
+  [ValidateScript({ (Test-Path $_ -PathType Leaf) -or ($_ -eq $null) })]
   [String]
   $CertificateFile,
   [SecureString]
@@ -12,9 +10,6 @@ Param(
   $BuildNumber
 )
 
-# RFC 3161 timestamp server for code signing
-$TimeStampServer = 'http://ts.ssl.com'
-
 # Errors are handled explicitly. Otherwise any output to stderr when
 # calling classic Windows exes causes a script error.
 $ErrorActionPreference = 'Continue'
@@ -28,7 +23,7 @@ If (-Not $Certificate -And $CertificateFile) {
 }
 
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 
 Write-Output "Building Windows 10 app package..."
 
@@ -73,11 +68,4 @@ If ($CertificateFile -or $Certificate) {
 MakeAppx pack /o /h SHA256 /d $PackageDir /p $PackageFile
 ThrowOnExeError "MakeAppx failed"
 
-# Sign package
-If ($CertificateFile) {
-  SignTool sign /v /fd SHA256 /tr "$TimeStampServer" /td sha256 /f "$CertificateFile" /p (ConvertFrom-SecureString -AsPlainText $CertificatePassword) $PackageFile
-  ThrowOnExeError "SignTool failed"
-} ElseIf ($Certificate) {
-  SignTool sign /v /fd SHA256 /tr "$TimeStampServer" /td sha256 /sha1 $Certificate.Thumbprint $PackageFile
-  ThrowOnExeError "SignTool failed"
-}
+CodeSignBinary $PackageFile

scripts/package/win-package-installer.ps1

@@ -1,8 +1,11 @@
 # Build a Windows installer
 
 Param(
-  [System.Security.Cryptography.X509Certificates.X509Certificate]
-  $Certificate,
+  [ValidateScript({ (Test-Path $_ -PathType Leaf) -or ($_ -eq $null) })]
+  [String]
+  $CertificateFile,
+  [SecureString]
+  $CertificatePassword,
   [Int]
   $BuildNumber
 )
@@ -16,7 +19,7 @@ If (-Not $BuildNumber) {
 }
 
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 
 Write-Output "Building Windows installer..."
 

scripts/package/win-package-portable.ps1

@@ -1,8 +1,11 @@
 # Build a portable app
 
 Param(
-  [System.Security.Cryptography.X509Certificates.X509Certificate]
-  $Certificate,
+  [ValidateScript({ (Test-Path $_ -PathType Leaf) -or ($_ -eq $null) })]
+  [String]
+  $CertificateFile,
+  [SecureString]
+  $CertificatePassword,
   [Int]
   $BuildNumber
 )
@@ -16,7 +19,7 @@ If (-Not $BuildNumber) {
 }
 
 $ScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
-. $ScriptDirectory\win-common.ps1 -Certificate $Certificate
+. $ScriptDirectory\win-common.ps1 -CertificateFile $CertificateFile -CertificatePassword $CertificatePassword
 
 Write-Output "Building portable exe..."