Fix sign script

appveyor.yml

@@ -79,6 +79,8 @@ build_script:
 
       C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe config -mode product -user "$Env:ESIGNER_USER_NAME" -pass "$Env:ESIGNER_USER_PASSWORD" -totp "$Env:ESIGNER_USER_TOTP" -key "C:\projects\gdevelop\eSignerCKA\master.key" -r
 
+      echo eSigner Username: $Env:ESIGNER_USER_NAME
+
       C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe unload
 
       C:\projects\gdevelop\eSignerCKA/eSignerCKATool.exe load
@@ -89,6 +91,44 @@ build_script:
 
       echo Certificate: $CodeSigningCert
 
+      C:\projects\gdevelop\eSignerCKA\eSignerCKATool.exe list
+
+      # Check the certificate private key is loaded
+
+      $maxRetries = 10
+
+      $retryDelay = 5
+
+      $certAvailable = $false
+
+      for ($i = 0; $i -lt $maxRetries; $i++) {
+
+        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Subject -like "*GDevelop Ltd*" }
+
+        if ($CodeSigningCert -and $CodeSigningCert.HasPrivateKey) {
+
+          Write-Host "✅ Certificate is loaded and has private key."
+
+          $certAvailable = $true
+
+          break
+
+        }
+
+        Write-Host "⏳ Waiting for certificate to load with private key... ($($i + 1)/$maxRetries)"
+
+        Start-Sleep -Seconds $retryDelay
+
+      }
+
+      if (-not $certAvailable) {
+
+        throw "❌ Certificate failed to load with private key after $maxRetries attempts."
+
+      }
+
+      C:\projects\gdevelop\eSignerCKA\eSignerCKATool.exe list
+
       # Use a custom signtool path because of the signtool.exe bundled withy electron-builder not working for some reason.
       # Can also be found in versioned folders like "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe".
 
@@ -100,6 +140,8 @@ build_script:
 
       $Env:GD_SIGNTOOL_SUBJECT_NAME = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN
 
+      Get-ChildItem Cert:\CurrentUser\My | Format-List -Property Subject, Thumbprint, HasPrivateKey, PrivateKey
+
       # Build the nsis installer (signed: electron-builder will use SignTool.exe with the certificate)
 
       node scripts/build.js --win nsis --publish=never

newIDE/electron-app/electron-builder-config.js

@@ -45,6 +45,8 @@ const config = {
   },
   win: {
     executableName: 'GDevelop',
+    // This is the default configuration that works for the AppX. See below
+    // for the changes done for signing the nsis build.
   },
   nsis: {
     oneClick: false,
@@ -69,6 +71,7 @@ const config = {
       'SL',
     ],
   },
+  // Notarization script for macOS:
   afterSign: 'scripts/electron-builder-after-sign.js',
   publish: [
     {
@@ -98,9 +101,12 @@ if (
 
   // Seems required, see https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1587045539.
   config.win.signingHashAlgorithms = ['sha256'];
-  console.log('ℹ️ Set Windows build signing options:', config.win);
+
+  config.win.sign = './scripts/electron-builder-win-sign.js',
+
+  console.log('ℹ️ Set Windows build signing options (this should be for the "nsis" build):', config.win);
 } else {
-  console.log('ℹ️ No Windows build signing options set.');
+  console.log('ℹ️ No Windows build signing options set (this should be for the "appx" build).');
 }
 
 module.exports = config;

newIDE/electron-app/scripts/electron-builder-win-sign.js

@@ -0,0 +1,68 @@
+const { execFile, execFileSync } = require('child_process');
+const path = require('path');
+
+module.exports = async function customSigner(configuration) {
+  return new Promise((resolve, reject) => {
+    const fileToSign = configuration.path;
+
+    // Dynamically fetch the container name
+    const getContainerName = () => {
+      const command = `
+        $cert = Get-ChildItem Cert:\\CurrentUser\\My | Where-Object { $_.Subject -like "*GDevelop Ltd*" };
+        $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
+        `;
+      const container = execFileSync(
+        'powershell.exe',
+        ['-NoProfile', '-Command', command],
+        { encoding: 'utf-8' }
+      ).trim();
+      return container;
+    };
+    const keyContainer = getContainerName();
+
+    const signtool = process.env.SIGNTOOL_PATH;
+    if (!signtool) {
+      console.error('❌ SIGNTOOL_PATH is not set');
+      return reject(new Error('SIGNTOOL_PATH is not set'));
+    }
+
+    const args = [
+      'sign',
+      '/n',
+      'GDevelop Ltd',
+      '/csp',
+      'eSignerKSP',
+      '/k',
+      keyContainer, // Required with /csp
+      '/fd',
+      'sha256',
+      '/td',
+      'sha256',
+      '/tr',
+      'http://timestamp.digicert.com',
+      '/d',
+      'GDevelop 5',
+      '/du',
+      'https://gdevelop.io',
+      '/debug',
+      fileToSign,
+    ];
+
+    console.log(`🔏 Signing ${fileToSign} using eSignerKSP...`);
+    console.log(`🔧 Key container: ${keyContainer}`);
+    console.log(`🔏 Signtool path: ${signtool}`);
+    console.log(`🔏 Args: ${args.join(' ')}`);
+
+    execFile(signtool, args, (error, stdout, stderr) => {
+      if (error) {
+        console.error('❌ SignTool failed.');
+        console.error(stdout);
+        console.error(stderr);
+        return reject(error);
+      }
+
+      console.log(`✅ Successfully signed: ${fileToSign}`);
+      resolve();
+    });
+  });
+};