feat(windows): Add signing of binaries

Author: peterdragun

README.md

@@ -134,6 +134,24 @@ This will create executable named `my_script` instead of `__main__.py`.
     test-command-args: '--version'
 ```
 
+### Signing Windows Binaries
+
+If you would like to sign Windows binaries, you can set `certificate` and the action will also take care of signing all binaries.
+It is also recommended to use `certificate-password`.
+
+The `certificate` should be a PFX (Personal Information Exchange) certificate file encoded in base64 format.
+
+```yaml
+- name: Build Python executable
+  uses: ./.github/actions/pyinstaller-build-multiarch
+  with:
+    scripts: 'app.py'
+    output-dir: './dist'
+    target-platform: 'windows-amd64'
+    certificate: ${{ secrets.CERTIFICATE }}
+    certificate-password: ${{ secrets.CERTIFICATE_PASSWORD }}
+```
+
 ### Complete Workflow
 
 Here you can see a simplified version of workflow used in [esptool](https://github.com/espressif/esptool/) repository:
@@ -180,7 +198,7 @@ jobs:
           target-platform: ${{ matrix.platform }}
           include-data-dirs: |
             {
-              "epstool.py": [
+              "esptool.py": [
                 {"src": "${{ env.STUBS_DIR }}1", "dest": "${{ env.STUBS_DIR }}1"},
                 {"src": "${{ env.STUBS_DIR }}2", "dest": "${{ env.STUBS_DIR }}2"},
               ]
@@ -221,9 +239,11 @@ jobs:
 | `install-deps-command`    | Command to install project dependencies   | `"pip install --user --prefer-binary -e ."` | `"pip install -r requirements.txt"`     |
 | `additional-arm-packages` | ARMv7 ONLY: Additional system packages    | `""`                                        | `"openssl libffi-dev"`                  |
 | `test-command-args`       | Command arguments to test binaries        | `"--help"`                                  | `"--version"`                           |
+| `certificate`             | Certificate to use for signing binaries   | `""`                                        | `${{ secrets.CERTIFICATE }}`            |
+| `certificate-password`    | Password for the certificate              | `""`                                        | `${{ secrets.CERTIFICATE_PASSWORD }}`   |
 
 > [!IMPORTANT]
-> Be careful when changing `pyinstaller-version` as it might lead to increased false positives with anti-virus software. It is recommended to check your binaries with antivurs software such as [Virustotal](https://www.virustotal.com/gui/home/upload).
+> Be careful when changing `pyinstaller-version` as it might lead to increased false positives with anti-virus software. It is recommended to check your binaries with antivirus software such as [Virustotal](https://www.virustotal.com/gui/home/upload).
 
 ## Outputs
 

Sign-File.ps1

@@ -0,0 +1,78 @@
+[CmdletBinding()]
+param (
+    [Parameter()]
+    [String]
+    $Path
+)
+
+
+function FindSignTool {
+    $SignTool = "signtool.exe"
+    if (Get-Command $SignTool -ErrorAction SilentlyContinue) {
+        return $SignTool
+    }
+    $SignTool = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\signtool.exe"
+    if (Test-Path -Path $SignTool -PathType Leaf) {
+        return $SignTool
+    }
+    $SignTool = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x86\signtool.exe"
+    if (Test-Path -Path $SignTool -PathType Leaf) {
+        return $SignTool
+    }
+    $sdkVers = "10.0.22000.0", "10.0.20348.0", "10.0.19041.0", "10.0.17763.0"
+    Foreach ($ver in $sdkVers)
+    {
+        $SignTool = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\${ver}\x64\signtool.exe"
+        if (Test-Path -Path $SignTool -PathType Leaf) {
+            return $SignTool
+        }
+    }
+    "signtool.exe not found"
+    Exit 1
+}
+
+function SignEsptool {
+    param(
+        [Parameter()]
+        [String]
+        $Path
+    )
+
+    $SignTool = FindSignTool
+    "Using: $SignTool"
+    $CertificateFile = [system.io.path]::GetTempPath() + "certificate.pfx"
+
+    if ($null -eq $env:CERTIFICATE) {
+        "CERTIFICATE variable not set, unable to sign the file"
+        Exit 1
+    }
+
+    if ("" -eq $env:CERTIFICATE) {
+        "CERTIFICATE variable is empty, unable to sign the file"
+        Exit 1
+    }
+
+    $SignParameters = @("sign", "/tr", 'http://timestamp.digicert.com', "/td", "SHA256", "/f", $CertificateFile, "/fd", "SHA256")
+    if ($env:CERTIFICATE_PASSWORD) {
+        "CERTIFICATE_PASSWORD detected, using the password"
+        $SignParameters += "/p"
+        $SignParameters += $env:CERTIFICATE_PASSWORD
+    }
+    $SignParameters += $Path
+
+    [byte[]]$CertificateBytes = [convert]::FromBase64String($env:CERTIFICATE)
+    [IO.File]::WriteAllBytes($CertificateFile, $CertificateBytes)
+
+    &$SignTool $SignParameters
+
+    if (0 -eq $LASTEXITCODE) {
+        Remove-Item $CertificateFile
+    } else {
+        Remove-Item $CertificateFile
+        "Signing failed"
+        Exit 1
+    }
+
+}
+
+SignEsptool ${Path}

action.yml

@@ -60,6 +60,14 @@ inputs:
     description: Command arguments to test binaries (e.g. "--help")
     required: false
     default: --help
+  certificate:
+    description: Certificate to use for signing binaries
+    required: false
+    default: ''
+  certificate-password:
+    description: Password for the certificate
+    required: false
+    default: ''
 
 outputs:
   executable-extension:
@@ -320,3 +328,22 @@ runs:
             exit 1
           fi
         done
+
+    - name: Sign binaries
+      if: inputs.target-platform == 'windows-amd64'
+      env:
+        CERTIFICATE: ${{ inputs.certificate }}
+        CERTIFICATE_PASSWORD: ${{ inputs.certificate-password }}
+      shell: pwsh
+      run: |-
+        if ([string]::IsNullOrEmpty($env:CERTIFICATE)) {
+          Write-Host "::warning title=Signing::Certificate is not set, skipping signing"
+          exit 0
+        }
+
+        $pythonFiles = "${{ env.PYTHON_FILES_STR }}".Split(' ')
+        foreach ($file in $pythonFiles) {
+          $baseName = [System.IO.Path]::GetFileNameWithoutExtension($file)
+          $executable = "./${{ inputs.output-dir }}/${baseName}${{ steps.setup-platform.outputs.exe-extension }}"
+          & (Join-Path $env:GITHUB_ACTION_PATH "Sign-File.ps1") -Path $executable
+        }