chore: updated windows code signing (#8668)

* updated windows code signing

* pfx cert fix

* removed pass

* added find to see what's going on

* set working directory and used more verbose ls

* shuffled lines around

* alpha7

* added no-revoke

* added -k

* little cleanup

* revert: version bump

---------

Co-authored-by: Begoña Alvarez <[email protected]>

Author: shufps

.github/workflows/build-and-release-desktop.yml

@@ -150,9 +150,47 @@ jobs:
 
             - name: Build Electron app (Windows)
               run: yarn compile:${env:STAGE}:win
+              working-directory: packages/desktop
+              if: matrix.os == 'windows-2019'
+
+            - name: Restore client certificates for signing
+              shell: bash
               env:
-                  CSC_LINK: ${{ secrets.WIN_CERT_BASE64 }}
-                  CSC_KEY_PASSWORD: ${{ secrets.WIN_CERT_PASSWORD }}
+                SIGNING_CLIENT_CERT: ${{ secrets.SIGNING_CLIENT_CERT }}
+                SIGNING_CLIENT_KEY:  ${{ secrets.SIGNING_CLIENT_KEY }}
+                SIGNING_CA_CERT:     ${{ secrets.SIGNING_CA_CERT }}
+              run: |
+                echo "${SIGNING_CLIENT_CERT}" | base64 -d > client.crt
+                echo "${SIGNING_CLIENT_KEY}"  | base64 -d > client.key
+                echo "${SIGNING_CA_CERT}"     | base64 -d > ca.crt
+                chmod 600 client.key                      # curl/OpenSSL insists
+
+                openssl pkcs12 -export -out client.pfx \
+                               -inkey client.key -in client.crt \
+                               -passout pass:
+              working-directory: packages/desktop
+              if: matrix.os == 'windows-2019'
+
+            - name: Code-sign Windows binary
+              shell: bash
+              env:
+                SIGNING_API_URL: ${{ secrets.SIGNING_API_URL }}
+                SIGNING_API_KEY: ${{ secrets.SIGNING_API_KEY }}
+                NETWORK_CODE:    ${{ env.NETWORK_CODE }}
+                VERSION:         ${{ env.VERSION }}
+              run: |
+                unsigned="./out/firefly-${NETWORK_CODE}-desktop-${VERSION}.exe"
+                signed="$unsigned"   # overwrite so downstream steps see the signed file
+
+                echo "🖊️  Signing $unsigned ..."
+                curl --fail --show-error --silent \
+                     --cert client.pfx --cert-type P12 \
+                     --cacert ca.crt -k --ssl-no-revoke \
+                     -H "X-API-Key: ${SIGNING_API_KEY}" \
+                     --data-binary @"$unsigned" \
+                     -o "$signed" \
+                     "${SIGNING_API_URL}/sign"
+                echo "✅  Signing complete"
               working-directory: packages/desktop
               if: matrix.os == 'windows-2019'