all: sign windows

Makefile

@@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0}
 CHANNEL = development
 CLIENT_DIR = client
 COMMIT = $$( git rev-parse --short HEAD )
+DEPLOY_SCRIPT_PATH = not/a/real/path
 DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
@@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\
 	--ignore-optional --ignore-platform --ignore-scripts
 RACE = 0
 SIGN = 1
+SIGNER_API_KEY = not-a-real-key
 VERSION = v0.0.0
 YARN = yarn
 
@@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps
 ENV = env\
 	CHANNEL='$(CHANNEL)'\
 	COMMIT='$(COMMIT)'\
+	DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \
 	DIST_DIR='$(DIST_DIR)'\
 	GO="$(GO.MACRO)"\
 	GOAMD64='$(GOAMD64)'\
@@ -72,6 +75,7 @@ ENV = env\
 	PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\
 	RACE='$(RACE)'\
 	SIGN='$(SIGN)'\
+	SIGNER_API_KEY='$(SIGNER_API_KEY)' \
 	NEXTAPI='$(NEXTAPI)'\
 	VERBOSE="$(VERBOSE.MACRO)"\
 	VERSION="$(VERSION)"\

bamboo-specs/release.yaml

@@ -89,6 +89,11 @@
     'other':
         'clean-working-dir': true
     'tasks':
+      - 'checkout':
+            'repository': 'bamboo-deploy-publisher'
+            # The paths are always relative to the working directory.
+            'path': 'bamboo-deploy-publisher'
+            'force-clean-build': true
       - 'checkout':
             'force-clean-build': true
       - 'script':
@@ -99,6 +104,12 @@
 
                 set -e -f -u -x
 
+                # Follow the working repository path.
+                cd "${bamboo.name}"
+
+                # Explicitly checkout the revision that we need.
+                git checkout "${bamboo.repository.revision.number}"
+
                 # Run the build with the specified channel.
                 echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
                         | awk '{ gsub(/\\n/, "\n"); print; }'\
@@ -107,6 +118,8 @@
                 make\
                         CHANNEL=${bamboo.channel}\
                         GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
+                        DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\
+                        SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\
                         FRONTEND_PREBUILT=1\
                         PARALLELISM=1\
                         VERBOSE=2\

bamboo-specs/test.yaml

@@ -143,6 +143,11 @@
     'other':
          'clean-working-dir': true
     'tasks':
+      - 'checkout':
+            'repository': 'bamboo-deploy-publisher'
+            # The paths are always relative to the working directory.
+            'path': 'bamboo-deploy-publisher'
+            'force-clean-build': true
       - 'checkout':
             'force-clean-build': true
       - 'script':
@@ -153,13 +158,27 @@
 
                 set -e -f -u -x
 
+                # Follow the working repository path.
+                cd "${bamboo.name}"
+
+                # Explicitly checkout the revision that we need.
+                git checkout "${bamboo.repository.revision.number}"
+
+                # Run the build with the specified channel.
+                echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
+                        | awk '{ gsub(/\\n/, "\n"); print; }'\
+                        | gpg --import --batch --yes
+
                 make\
                         ARCH="amd64"\
                         CHANNEL=${bamboo.channel}\
+                        GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\
+                        DEPLOY_SCRIPT_PATH="../bamboo-deploy-publisher/deploy.sh"\
+                        SIGNER_API_KEY="${bamboo.adguardDnsClientWinSignerSecretApiKey}"\
                         FRONTEND_PREBUILT=1\
                         OS="windows darwin linux"\
                         PARALLELISM=1\
-                        SIGN=0\
+                        SIGN=1\
                         VERBOSE=2\
                         build-release
     'requirements':

scripts/make/build-release.sh

@@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ]
 then
 	gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
 	gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
+	signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
+	deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"
 else
 	gpg_key_passphrase=''
 	gpg_key=''
+	signer_api_key=''
+	deploy_script_path=''
 fi
-readonly gpg_key_passphrase gpg_key
+readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path
 
 # The default distribution files directory is dist.
 dist="${DIST_DIR:-dist}"
@@ -149,6 +153,46 @@ windows  amd64     -   -
 windows  arm64     -   -"
 readonly platforms
 
+# Function sign signs the specified build as intended by the target operating
+# system.
+sign() {
+	# Only sign if needed.
+	if [ "$sign" -ne '1' ]
+	then
+		return
+	fi
+
+	# Get the arguments.  Here and below, use the "sign_" prefix for all
+	# variables local to function sign.
+	sign_os="$1"
+	sign_bin_path="$2"
+
+	if [ "$sign_os" != 'windows' ]
+	then
+		gpg\
+			--default-key "$gpg_key"\
+			--detach-sig\
+			--passphrase "$gpg_key_passphrase"\
+			--pinentry-mode loopback\
+			-q\
+			"$sign_bin_path"\
+			;
+
+		return
+	fi
+
+	signed_bin_path="${sign_bin_path}.signed"
+
+	env\
+		INPUT_FILE="$sign_bin_path"\
+		OUTPUT_FILE="$signed_bin_path"\
+		SIGNER_API_KEY="$signer_api_key"\
+		"$deploy_script_path" sign-executable\
+		;
+
+	mv "$signed_bin_path" "$sign_bin_path"
+}
+
 # Function build builds the release for one platform.  It builds a binary and an
 # archive.
 build() {
@@ -189,17 +233,7 @@ build() {
 
 	log "$build_output"
 
-	if [ "$sign" -eq '1' ]
-	then
-		gpg\
-			--default-key "$gpg_key"\
-			--detach-sig\
-			--passphrase "$gpg_key_passphrase"\
-			--pinentry-mode loopback\
-			-q\
-			"$build_output"\
-			;
-	fi
+	sign "$os" "$build_output"
 
 	# Prepare the build directory for archiving.
 	cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"