Added one-time signing keys to windows build

.github/workflows/build.yml

@@ -62,7 +62,8 @@ jobs:
         run: |
           git fetch --tags
           git for-each-ref --count=1 --sort=-creatordate --format '%(refname)' refs/tags > raw_tag.txt
-          echo "GITHUB_TAG=$(git name-rev --tags --name-only $(cat raw_tag.txt))" >> $GITHUB_ENV
+          GITHUB_TAG=$(git name-rev --tags --name-only $(cat raw_tag.txt))
+          echo "GITHUB_TAG=${GITHUB_TAG#v}" >> $GITHUB_ENV
       - name: Build Executables (Ubuntu)
         if: matrix.os == 'ubuntu-latest'
         run: |

build/win/keygen_config.txt

@@ -0,0 +1,23 @@
+[ req ]
+prompt              = no
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+
+string_mask         = utf8only
+default_md          = sha256
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+countryName                     = NL
+stateOrProvinceName             = ZH
+localityName                    = nl_NL
+organizationName                = Delft University of Technology
+organizationalUnitName          = Tribler
+commonName                      = Tribler
+emailAddress                    = [email protected]
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature

build/win/makedist_win.bat

@@ -43,23 +43,24 @@ REM Sandip, 2024-03-26: Some openssl dlls are missing so need to be copied manua
 copy C:\Program Files\OpenSSL\bin\*.dll dist\tribler\lib
 
 
-@echo Running NSIS
-cd dist\tribler
-
 REM Arno: Sign Tribler.exe so MS "Block / Unblock" dialog has publisher info.
 REM --- Doing this in ugly way for now
 if not defined SKIP_SIGNING_TRIBLER_BINARIES (
-    REM Get password for code signing
-    set /p PASSWORD="Enter the PFX password:"
-    signtool.exe sign /f C:\build\certs\certificate.pfx /p "%PASSWORD%" /d "Tribler" /t "http://timestamp.digicert.com" tribler.exe
+    openssl req  -nodes -new -x509 -config build\win\keygen_config.txt -keyout key.pem -out pub_key.pem
+    openssl pkcs12 -export -in pub_key.pem -inkey key.pem -out ot_cert.pfx -passout pass:
+    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ot_cert.pfx /d "Tribler" /t "http://timestamp.digicert.com" dist\tribler\tribler.exe
 )
+
+@echo Running NSIS
+cd dist\tribler
+
 :makeinstaller
 %NSIS% /DVERSION=%GITHUB_TAG% tribler.nsi || exit /b
 move Tribler_*.exe ..
 cd ..
 REM Arno: Sign installer
 if not defined SKIP_SIGNING_TRIBLER_BINARIES (
-    signtool.exe sign /f c:\build\certs\certificate.pfx /p "%PASSWORD%" /d "Tribler" /t "http://timestamp.digicert.com" Tribler_*.exe
+    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ..\ot_cert.pfx /d "Tribler" /t "http://timestamp.digicert.com" Tribler_*.exe
 )
 
 endlocal