Add Windows package signing functionality

Juniper · Sep 8, 2024 · d5cb994 · d5cb994
1 parent c851601
commit d5cb994
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 12 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -146,13 +146,26 @@ jobs:
               run: npm run make -- --platform=win32 --arch=x64
               working-directory: ./jccm
 
+            - name: Sign Artifact with CodeSignTool
+              uses: sslcom/esigner-codesign@develop
+              continue-on-error: true
+              with:
+                  command: sign
+                  username: ${{secrets.ES_USERNAME}}
+                  password: ${{secrets.ES_PASSWORD}}
+                  credential_id: ${{secrets.ES_CREDENTIAL_ID}}
+                  totp_secret: ${{secrets.ES_TOTP_SECRET}}
+                  file_path: jccm/out/make/squirrel.windows/x64/jccm-windows-x64-setup.exe
+                  malware_block: false
+                  # Overrides the input file after signing, if this parameter is set and no -output_dir_path parameter
+                  override: true
+
             - name: Upload windows artifacts
               uses: actions/upload-artifact@v2
               with:
                   name: windows-installers
                   path: |
                       ./jccm/out/make/squirrel.windows/x64/*.exe
-                      ./jccm/out/make/squirrel.windows/x64/*.msi
 
     build-deb:
         runs-on: ubuntu-latest
@@ -181,10 +194,8 @@ jobs:
               working-directory: ./jccm
               run: |
                   npm run make-deb
-                  ls -al out
-                  ls -al out/make
                   mv out/make/deb/x64/*.deb out/make/deb/x64/jccm-linux-x64.deb
-                  ls -al out/make
+                  ls -alR out/make
 
             - name: Archive .deb artifact
               uses: actions/upload-artifact@v3
@@ -218,11 +229,11 @@ jobs:
             - name: Package Electron app (.rpm)
               working-directory: ./jccm
               run: |
-                  npm run make-rpm
-                  ls -al out
-                  ls -al out/make
-                  mv out/make/rpm/x64/*.rpm out/make/rpm/x64/jccm-linux-x64.rpm
-                  ls -al out/make
+                  npm run make-deb
+                  sudo alien -v -r --scripts out/make/deb/x64/*.deb
+                  mkdir -p out/make/rpm/x64
+                  mv *.rpm out/make/rpm/x64/jccm-linux-x64.rpm
+                  ls -alR out/make
 
             - name: Archive .rpm artifact
               uses: actions/upload-artifact@v3
@@ -232,6 +243,7 @@ jobs:
 
     release:
         needs: [build-macos, build-windows, build-deb, build-rpm]
+
         runs-on: ubuntu-latest
         steps:
             - name: Check out repository

diff --git a/jccm/forge.config.js b/jccm/forge.config.js
@@ -51,7 +51,7 @@ module.exports = {
                 name: 'jccm-windows-x64-setup',
                 arch: 'x64',
                 setupExe: 'jccm-windows-x64-setup.exe', // Name for the setup executable
-                setupMsi: 'jccm-windows-x64-setup.msi', // Name for the MSI installer
+                noMsi: true,
             },
         },
         {
@@ -63,6 +63,9 @@ module.exports = {
                 arch: 'x64',
                 bin: '', // Important note: Use an empty bin name due to a mismatch issue where the Electron app binary path could not be found.
                 desktopTemplate: path.join(__dirname, 'jccm.desktop'), // Specify the custom desktop file
+                scripts: {
+                    postinst: 'scripts/postinst.sh',
+                },
             },
         },
         {

diff --git a/jccm/jccm.desktop b/jccm/jccm.desktop
@@ -1,8 +1,8 @@
 [Desktop Entry]
-Name=jccm
+Name=Juniper Cloud Connection Manager
 Comment=Juniper Cloud Connection Manager
 GenericName=Juniper Cloud Connection Manager
-Exec="/usr/bin/jccm/Juniper Cloud Connection Manager" --no-sandbox %U
+Exec="/usr/lib/jccm/Juniper Cloud Connection Manager" --no-sandbox %U
 Icon=jccm
 Type=Application
 StartupNotify=true

diff --git a/jccm/scripts/postinst.sh b/jccm/scripts/postinst.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Target path for the executable
+TARGET="/usr/bin/jccm"
+
+# Check if the target is a symbolic link and remove it if it is
+if [ -L "$TARGET" ]; then
+    rm -f "$TARGET"
+fi
+
+# Create a new executable file with the required command
+cat << 'EOF' > "$TARGET"
+#!/bin/bash
+"/usr/lib/jccm/Juniper Cloud Connection Manager" --no-sandbox > /dev/null 2>&1
+EOF
+
+# Ensure the script is executable
+chmod +x "$TARGET"
diff --git a/readme.md b/readme.md
@@ -124,6 +124,17 @@ yum -y install ~/Downloads/jccm-linux-x64.rpm
   ```bash
   xattr -cr /Applications/Juniper\ Cloud\ Connection\ Manager.app
 
+
+#### Microsoft Defender SmartScreen
+
+- The jccm app is signed with a developer certificate, yet initially, Microsoft Defender SmartScreen might still display a warning because the app is unrecognized. Over time, as more users install the application, SmartScreen will recognize it as trustworthy.
+
+- **To proceed with installation** when faced with the SmartScreen alert:
+  1. **Click on 'More info'**: This reveals more details about the application.
+  2. **Verify the Publisher**: Check that the publisher's name matches what you expect.
+  3. **Select 'Run anyway'**: This will bypass the SmartScreen alert and allow you to proceed with the installation.
+
+
 ## Inventory Excel File Format
 
 To ensure proper inventory management, the Excel file must include the following mandatory fields in the headers: