
Merge pull request #11747 from derrod/dual-sign-sigh

CI: Add ARM and Game Capture Dual-Signing
Ryan Foster 9 ヶ月 前
コミット
3dbb2f1cd5

+ 32 - 1
.github/actions/windows-signing/action.yaml

@@ -14,6 +14,10 @@ inputs:
     description: Update channel
     required: false
     default: 'stable'
+  architecture:
+    description: OBS build architecture
+    required: false
+    default: 'x64'
 
 runs:
   using: composite
@@ -71,6 +75,7 @@ runs:
         Invoke-External msiexec /i $msiPath /qn /norestart
 
     - name: Install rclone
+      if: inputs.architecture == 'x64'
       shell: pwsh
       run: |
         choco install rclone --version=1.64.2 -y --no-progress
@@ -81,7 +86,15 @@ runs:
         workload_identity_provider: ${{ inputs.gcpWorkloadIdentityProvider }}
         service_account: ${{ inputs.gcpServiceAccountName }}
 
+    - name: Ensure previous build directory exists
+      if: inputs.architecture != 'x64'
+      shell: pwsh
+      run: |
+        . ${env:GITHUB_ACTION_PATH}\Ensure-Location.ps1
+        Ensure-Location "${{ github.workspace }}/old_builds"
+
     - name: Download Previous Build
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_GCS_ENV_AUTH: 'true'
@@ -90,12 +103,28 @@ runs:
         Ensure-Location "${{ github.workspace }}/old_builds"
         rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" .
 
+    - name: Sign Game Capture with RSA cert
+      shell: pwsh
+      run: |
+        . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
+        $SignToolExe = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"
+        $signArgs = @(
+           "sign"
+           "/fd",   "sha256"
+           "/t",    "http://timestamp.digicert.com"
+           "/f",    "repo/.github/actions/windows-signing/prod-gc.crt"
+           "/csp",  "Google Cloud KMS Provider"
+           "/kc",   "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/game-capture-release-sign-hsm/cryptoKeyVersions/1"
+           "${{ github.workspace }}/build/data/obs-plugins/win-capture/*.dll"
+        )
+        Invoke-External $SignToolExe @signArgs
+
     - name: Run bouf
       shell: pwsh
       run: |
         . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
         $boufArgs = @(
-           "--config",     "${env:GITHUB_ACTION_PATH}/config.toml",
+           "--config",     "${env:GITHUB_ACTION_PATH}/config_${{ inputs.architecture }}.toml"
            "--version",    "${{ inputs.version }}"
            "--branch",     "${{ inputs.channel }}"
            "-i",           "${{ github.workspace }}/build"
@@ -106,6 +135,7 @@ runs:
         Invoke-External "${{ github.workspace }}\bouf\bin\bouf.exe" @boufArgs
 
     - name: Sync Latest Build
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_INCLUDE: '**/${{ inputs.version }}/**'
@@ -115,6 +145,7 @@ runs:
         rclone sync --delete-excluded --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-latest/${{ inputs.channel }}"
 
     - name: Upload Build to Archive
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_GCS_ENV_AUTH: 'true'
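Review bot: The new `Sign Game Capture with RSA cert` step signs with `"/fd", "sha256"` while the bouf stanza that later appends the second signature to the same win-capture DLLs uses `sign_digest = "sha384"`, and it timestamps with the legacy `/t` switch rather than an RFC 3161 `/tr` plus `/td`, so the two signatures on one binary end up with different digest and timestamp types. If the SHA-256 digest is deliberate for compatibility with whatever loads these DLLs, say so in a comment above the `$signArgs` array; otherwise align it with `"/fd", "sha384"` and `"/tr", "http://timestamp.digicert.com"`, `"/td", "sha256"`. The step also carries no `if: inputs.architecture ...` guard, so it runs for the arm64 leg as well, which looks intended but is worth stating in a comment since every neighbouring new step is gated on the architecture.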

+ 47 - 0
.github/actions/windows-signing/config_arm64.toml

@@ -0,0 +1,47 @@
+[general]
+log_level = "trace"
+
+[env]
+# On CI these should be in %PATH%
+sevenzip_path = "7z"
+makensis_path = "makensis"
+pandoc_path = "pandoc"
+pdbcopy_path = "C:/Program Files (x86)/Windows Kits/10/Debuggers/x64/pdbcopy.exe"
+
+## Preparation steps
+[prepare]
+
+[prepare.copy]
+never_copy = [
+    "bin/32bit",
+    "obs-plugins/32bit",
+    ".keepme",
+]
+
+[prepare.codesign]
+sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
+sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
+sign_digest = "sha384"
+sign_ts_serv = "http://timestamp.digicert.com"
+sign_ts_algo = "sha256"
+sign_exts = ['exe', 'dll', 'pyd']
+sign_append = true
+
+[prepare.strip_pdbs]
+# PDBs to not strip
+exclude = [
+    "obs-frontend-api.pdb",
+    "obs64.pdb",
+    "obs.pdb",
+]
+
+[package]
+[package.installer]
+skip = true
+
+[package.zip]
+name = "OBS-Studio-{version}-arm64.zip"
+pdb_name = "OBS-Studio-{version}-arm64-pdbs.zip"
+
+[package.updater]
+skip_sign = true
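Review bot: The `[prepare.codesign]` stanza here is a byte-for-byte copy of the one in config_x64.toml and nothing on the page shares it between the two files, so the certificate, KMS key id, digest and timestamp settings can drift silently between architectures. A header comment naming the sibling file would make that a review item: `# arm64 variant of config_x64.toml: keep [prepare.codesign] identical to that file`. The `pdbcopy_path` under `Debuggers/x64/` is correct for the x64 runner host but reads oddly in an arm64 config; a comment such as `# tool path is for the (x64) runner host, not the target architecture` would prevent a well-meaning "fix".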

+ 2 - 11
.github/actions/windows-signing/config.toml → .github/actions/windows-signing/config_x64.toml

@@ -23,8 +23,9 @@ sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
 sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
 sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
+sign_ts_algo = "sha256"
 sign_exts = ['exe', 'dll', 'pyd']
-sign_append = false
+sign_append = true
 
 [prepare.strip_pdbs]
 # PDBs to not strip
@@ -34,15 +35,6 @@ exclude = [
     "obs.pdb",
 ]
 
-## Delta patch generation
-[generate]
-patch_type = "zstd"
-compress_files = true
-
-exclude_from_parallel = [
-    "libcef.dll"
-]
-
 [package]
 [package.installer]
 nsis_script = "bouf/nsis/mp-installer.nsi"
@@ -52,5 +44,4 @@ name = "OBS-Studio-{version}-x64.zip"
 pdb_name = "OBS-Studio-{version}-pdbs.zip"
 
 [package.updater]
-vc_redist_path = "bouf/nsis/VC_redist.x64.exe"
 skip_sign = true
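Review bot: `sign_append = true` is flipped without a comment explaining why appending is now required; from the step order in action.yaml the win-capture DLLs are signed with the Game Capture certificate before bouf runs, so if this flag maps onto signtool's append mode, a later reader who reverts it to `false` would silently replace that first signature. Suggested comment above the flag: `# Append rather than replace: win-capture DLLs already carry the Game Capture signature applied by action.yaml`. Dropping the `[generate]` delta-patch section and `vc_redist_path` is a behaviour change beyond the dual-signing described in the commit message; if delta patches are now produced elsewhere, a one-line comment in `[package]` pointing there would help the next maintainer.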

+ 42 - 0
.github/actions/windows-signing/prod-gc.crt

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 1 - 1
.github/workflows/push.yaml

@@ -207,7 +207,7 @@ jobs:
 
   sign-windows-build:
     name: Windows Signing ✍️
-    uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@dc7a58484d3ef2c610a5184dd05d1d02dbd3e549
+    uses: obsproject/obs-studio/.github/workflows/sign-windows.yaml@65f417d65c32857f44e7d0871753ba0c099130fd
     if: github.repository_owner == 'obsproject' && github.ref_type == 'tag'
     needs: build-project
     permissions:

+ 12 - 7
.github/workflows/sign-windows.yaml

@@ -3,7 +3,10 @@ on:
   workflow_call:
 jobs:
   create-windows-update:
-    name: Create Windows Update 🥩
+    name: Sign Windows Build 🥩
+    strategy:
+      matrix:
+        architecture: [x64, arm64]
     runs-on: windows-2022
     environment:
       name: bouf
@@ -41,7 +44,7 @@ jobs:
       - name: Download Artifact 📥
         uses: actions/download-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ steps.setup.outputs.commitHash }}
           path: ${{ github.workspace }}/build
 
       - name: Run bouf 🥩
@@ -51,29 +54,31 @@ jobs:
           gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
           version: ${{ github.ref_name }}
           channel: ${{ steps.setup.outputs.channel }}
+          architecture: ${{ matrix.architecture }}
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-path: ${{ github.workspace }}/output/*-x64.zip
+          subject-path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
 
       - name: Upload Signed Build
         uses: actions/upload-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-signed
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-signed
           compression-level: 0
-          path: ${{ github.workspace }}/output/*-x64.zip
+          path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
 
       - name: Upload PDBs
         uses: actions/upload-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-pdbs
           compression-level: 0
           path: ${{ github.workspace }}/output/*-pdbs.zip
 
       - name: Upload Installer
         uses: actions/upload-artifact@v4
+        if: matrix.architecture == 'x64'
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-installer
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-installer
           compression-level: 0
           path: ${{ github.workspace }}/output/*.exe
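Review bot: The new `strategy.matrix` has no `fail-fast` setting, so a failure in either architecture's leg cancels the other while it is running; the x64 leg is the one that performs the `rclone sync --delete-excluded` against the `obs-latest` bucket inside the composite action, and cancelling it mid-sync could leave the update channel partially updated. Add `fail-fast: false` under `strategy:` so each architecture runs to completion independently. Both matrix legs also share the job name `Sign Windows Build 🥩`; `name: Sign Windows Build (${{ matrix.architecture }}) 🥩` makes the run list distinguishable. Minor style: the `if:` on the Upload Installer step sits between `uses` and `with`, whereas the composite action's steps place it directly after `name`.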