From b268fe9478e74f20eb610b3e6fb8c79350fc21b7 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Fri, 23 Aug 2024 15:00:39 -0700
Subject: [PATCH] Sign Windows binaries with Azure Trusted Signing.
Signed-off-by: Anders Kaseorg
---
 package.json | 7 ++++++-
 scripts/win-sign.js | 20 ++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 scripts/win-sign.js
diff --git a/package.json b/package.json
index 143ace99..4e5a89d7 100644
--- a/package.json
+++ b/package.json
@@ -120,7 +120,11 @@
 }
 ],
 "icon": "build/icon.ico",
- "publisherName": "Kandra Labs, Inc."
+ "publisherName": "Kandra Labs, Inc.",
+ "sign": "./scripts/win-sign.js",
+ "signingHashAlgorithms": [
+ "sha256"
+ ]
 },
 "msi": {
 "artifactName": "${productName}-${version}-${arch}.${ext}"
@@ -308,6 +312,7 @@
 },
 {
 "files": [
+ "scripts/win-sign.js",
 "tests/**/*.js"
 ],
 "parserOptions": {
diff --git a/scripts/win-sign.js b/scripts/win-sign.js
new file mode 100644
index 00000000..a6272a57
--- /dev/null
+++ b/scripts/win-sign.js
@@ -0,0 +1,20 @@
+"use strict";
+
+const childProcess = require("node:child_process");
+const {promisify} = require("node:util");
+
+const exec = promisify(childProcess.exec);
+
+exports.default = async ({path, hash}) => {
+ await exec(
+ `powershell.exe Invoke-TrustedSigning \
+-Endpoint https://eus.codesigning.azure.net/ \
+-CodeSigningAccountName kandralabs \
+-CertificateProfileName kandralabs \
+-Files '${path}' \
+-FileDigest '${hash}' \
+-TimestampRfc3161 http://timestamp.acs.microsoft.com \
+-TimestampDigest '${hash}'`,
+ {stdio: "inherit"},
+ );
+};
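Review bot: The command in `exports.default` of scripts/win-sign.js is assembled by interpolating `path` and `hash` into one string that `childProcess.exec` hands to a shell, so a build path containing an apostrophe ends the PowerShell single-quoted literal and the remainder is parsed as PowerShell in the signing session. Calling `execFile` on `powershell.exe` with `-NoProfile -NonInteractive -Command` and doubling `'` inside each quoted value removes the intermediate shell and keeps each value a literal; `-NoProfile` also keeps a profile script on the build machine from running alongside the signing call. `stdio` is not among the documented options of `child_process.exec`, so `{stdio: "inherit"}` probably has no effect and the signer's output is buffered; the sketch below writes it to the build log explicitly.

```javascript
const execFile = promisify(childProcess.execFile);

// PowerShell single-quoted literals escape ' by doubling it.
const quote = (value) => `'${String(value).replace(/'/g, "''")}'`;

exports.default = async ({path, hash}) => {
  const command = [
    "Invoke-TrustedSigning",
    // … unchanged: -Endpoint, -CodeSigningAccountName, -CertificateProfileName …
    `-Files ${quote(path)}`,
    `-FileDigest ${quote(hash)}`,
    // … unchanged: -TimestampRfc3161 …
    `-TimestampDigest ${quote(hash)}`,
  ].join(" ");
  const {stdout, stderr} = await execFile("powershell.exe", [
    "-NoProfile",
    "-NonInteractive",
    "-Command",
    command,
  ]);
  process.stdout.write(stdout);
  process.stderr.write(stderr);
};
```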