2615 Codesign automation (#2718)

* Add codesign steps

* Update configurations

.github/workflows/release.yml

@@ -129,6 +129,17 @@ jobs:
           ENCRYPTION_SECRET: ${{ secrets.ENCRYPTION_SECRET }}
           KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
 
+      - name: Windows Prepare Codesign
+        env:
+          CODESIGN_CERT: ${{ secrets.CODESIGN_CERT}}
+        run: |
+          New-Item -ItemType directory -Path certificate
+          Set-Content -Path codesign.txt -Value $env:CODESIGN_CERT
+          certutil -decode codesign.txt codesign.pfx
+          Remove-Item codesign.txt
+        working-directory: modules/application
+        if: runner.os == 'Windows'
+
       - name: Retrieve modules output
         uses: actions/download-artifact@v3
         with:
@@ -155,7 +166,7 @@ jobs:
 
       - name: Build and publish bundle
         shell: bash
-        run: mvn --batch-mode -Djava.awt.headless=true -Dgephi.apple.notarization.username=$APPLE_USERNAME -Dgephi.apple.notarization.password=$APPLE_PASSWORD -Dgephi.apple.notarization.teamId=$APPLE_TEAM_ID -Dgephi.bundle.arch=${{ matrix.arch }} -DstagingRepositoryId=${{ needs.build-base.outputs.staging-repository-id }} deploy -P deployment,sign-artifacts,${{ matrix.task }}
+        run: mvn --batch-mode -Djava.awt.headless=true -Dgephi.apple.notarization.username=$APPLE_USERNAME -Dgephi.apple.notarization.password=$APPLE_PASSWORD -Dgephi.apple.notarization.teamId=$APPLE_TEAM_ID -Dgephi.windows.codesign.password=$CODESIGN_PASSWORD -Dgephi.bundle.arch=${{ matrix.arch }} -DstagingRepositoryId=${{ needs.build-base.outputs.staging-repository-id }} deploy -P deployment,sign-artifacts,${{ matrix.task }}
         working-directory: modules/application
         env:
           OSSRH_USER: ${{ secrets.OSSRH_USER }}
@@ -164,11 +175,17 @@ jobs:
           APPLE_USERNAME: ${{ secrets.APPLE_USERNAME }}
           APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          CODESIGN_PASSWORD: ${{ secrets.CODESIGN_PASSWORD }}
           
       - name: CleanUp MacOS keychain
         run: ./.github/workflows/release/remove-key.sh
         if: runner.os == 'macOS'
 
+      - name: CleanUp Windows codesign
+        run: Remove-Item codesign.pfx
+        working-directory: modules/application
+        if: runner.os == 'Windows'
+
   update-site:
     needs: bundle
     runs-on: ubuntu-latest

modules/application/pom.xml

@@ -1063,6 +1063,33 @@
                             </execution>
                         </executions>
                     </plugin>
+
+                    <!-- Sign the installer using the codesign certificate -->
+                    <plugin>
+                        <groupId>net.jsign</groupId>
+                        <artifactId>jsign-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>sign-exe</id>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                                <configuration>
+                                    <fileset>
+                                        <directory>target</directory>
+                                        <includes>
+                                            <include>*.exe</include>
+                                        </includes>
+                                    </fileset>
+                                    <name>Gephi</name>
+                                    <url>https://gephi.org</url>
+                                    <keystore>${gephi.windows.codesign.keystore}</keystore>
+                                    <storepass>${gephi.windows.codesign.password}</storepass>
+                                    <tsaurl>http://timestamp.sectigo.com</tsaurl>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
                 </plugins>
             </build>
         </profile>

pom.xml

@@ -206,6 +206,10 @@
         <gephi.apple.notarization.password/>
         <gephi.apple.notarization.teamId/>
         <gephi.apple.notarization.timeout>10m</gephi.apple.notarization.timeout>
+
+        <!-- Windows signing settings -->
+        <gephi.windows.codesign.keystore>codesign.pfx</gephi.windows.codesign.keystore>
+        <gephi.windows.codesign.password/>
         
         <!--==== Dependency Versions ==================================================================================-->
         
@@ -263,6 +267,8 @@
 
         <gephi.maven-checkstyle-plugin.version>3.1.2</gephi.maven-checkstyle-plugin.version>
 
+        <gephi.jsign.version>4.2</gephi.jsign.version>
+
         <gephi.checkstyle.version>9.3</gephi.checkstyle.version>
     </properties>
     
@@ -932,6 +938,11 @@
                         </dependency>
                     </dependencies>
                 </plugin>
+                <plugin>
+                    <groupId>net.jsign</groupId>
+                    <artifactId>jsign-maven-plugin</artifactId>
+                    <version>${gephi.jsign.version}</version>
+                </plugin>
             </plugins>
         </pluginManagement>
         

src/assemble/sources.xml

@@ -15,6 +15,7 @@
                 <exclude>**/*.log</exclude>
                 <exclude>**/*.asc</exclude>
                 <exclude>**/*.ks</exclude>
+                <exclude>**/*.pfx</exclude>
                 <exclude>**/.DS_Store</exclude>
                 <exclude>.github/**</exclude>
             </excludes>