Update code signing process (#2126) (#2133)

* Update code signing process

scripts/build-win64.bat

@@ -8,6 +8,12 @@ set DISABLE_REBUILD=true
 set NODE_REQUIRED_VERSION=18.16.0
 set SNYK_ORG=sda
 set SNYK_PROJECT_NAME="Symphony Desktop Application"
+set SCREENSHARE_INDICATOR_PATH="node_modules\screen-share-indicator-frame\ScreenShareIndicatorFrame.exe"
+set NATIVE_WINDOW_HANDLE_PATH="node_modules\symphony-native-window-handle-helper\SymphonyNativeWindowHandleHelper.exe"
+set SCREEN_SNIPPET_PATH="node_modules\screen-snippet\ScreenSnippet.exe"
+set SYMPHONY_EXE_PATH=%WORKSPACE%\dist\win-unpacked\Symphony.exe
+set SYMPHONY_SYMVER_EXE_PATH=%WORKSPACE%\dist\Symphony-%SYMVER%-win.exe
+set SYMPHONY_MSI_PATH="WixSharpInstaller\Symphony.msi"
 
 set PATH=%PATH%;C:\Program Files\nodejs\;C:\Program Files\Git\cmd
 echo %PATH%
@@ -44,24 +50,22 @@ sed -i -e "s/\"version\"[[:space:]]*\:[[:space:]]\"\(.*\)\"/\"version\": \"\1-%P
 echo "Installing dependencies..."
 call npm install
 
-:: Signing screen snippet and screen share indicator
-
-if NOT EXIST %SIGNING_FILE_PATH% (
-    echo Signing failed, 'signing.bat' not found.
-    exit /b -1
-)
-
-call %SIGNING_FILE_PATH% node_modules\screen-share-indicator-frame\ScreenShareIndicatorFrame.exe
-
-call %SIGNING_FILE_PATH% node_modules\symphony-native-window-handle-helper\SymphonyNativeWindowHandleHelper.exe
+echo "Sign screen-share indicator..."
+echo %SS_FOLDER%
+call smctl sign  --fingerprint %DIGICERT_FINGERPRINT% --input %SCREENSHARE_INDICATOR_PATH% --tool signtool --verbose
+smctl sign verify --input node_modules\screen-share-indicator-frame\ScreenShareIndicatorFrame.exe
 
+smctl sign  --tool signtool --fingerprint %DIGICERT_FINGERPRINT% --input %NATIVE_WINDOW_HANDLE_PATH%
+smctl sign verify --input %NATIVE_WINDOW_HANDLE_PATH%
 
 IF %errorlevel% neq 0 (
 	echo "Signing failed"
 	exit /b -1
 )
 
-call %SIGNING_FILE_PATH% node_modules\screen-snippet\ScreenSnippet.exe
+smctl sign  --tool signtool --fingerprint %DIGICERT_FINGERPRINT% --input %SCREEN_SNIPPET_PATH%
+smctl sign verify --input %SCREEN_SNIPPET_PATH%
+
 IF %errorlevel% neq 0 (
 	echo "Signing failed"
 	exit /b -1
@@ -85,9 +89,6 @@ call npm run unpacked-win
 
 echo "creating 64 bit msi..."
 
-set PATH="%PATH%";C:\Program Files\nodejs\
-echo %PATH%
-
 call node -e "console.log(require('./package.json').version);" > version.txt
 set /p baseVer=<version.txt
 
@@ -112,23 +113,20 @@ set installerDir="%CD%\installer\win"
 set distDir="%CD%\dist"
 set rootDir="%CD%"
 
-if NOT EXIST "%PFX_DIR%\%PFX_FILE%" (
-  echo "can not find .pfx file" "%pfxDir%\%pfxFile%"
-  exit /b -1
-)
-
-copy /y "%PFX_DIR%\%PFX_FILE%" "%installerDir%\%PFX_FILE%"
 
 cd %installerDir%
 
-
-call %SIGNING_FILE_PATH% ..\..\dist\win-unpacked\Symphony.exe
+echo "Signing Symphony.exe file.."
+smctl sign  --tool signtool --fingerprint %DIGICERT_FINGERPRINT% --input %SYMPHONY_EXE_PATH%
+smctl sign verify --input %SYMPHONY_EXE_PATH%
 IF %errorlevel% neq 0 (
 	echo "Signing failed"
 	exit /b -1
 )
 
-call %SIGNING_FILE_PATH% ..\..\dist\Symphony-%SYMVER%-win.exe
+echo "Signing Symphony-SYMVER-win.exe file.."
+smctl sign  --tool signtool --fingerprint %DIGICERT_FINGERPRINT% --input %SYMPHONY_SYMVER_EXE_PATH%
+smctl sign verify --input %SYMPHONY_SYMVER_EXE_PATH%
 IF %errorlevel% neq 0 (
 	echo "Signing failed"
 	exit /b -1
@@ -140,7 +138,9 @@ node ..\..\scripts\windows_update_checksum.js "..\..\dist\Symphony-%SYMVER%-win.
 echo "Building new installer with Wix Sharp"
 call "BuildWixSharpInstaller.bat"
 
-call %SIGNING_FILE_PATH% WixSharpInstaller\Symphony.msi
+echo "Signing MSI file.."
+smctl sign  --tool signtool --fingerprint %DIGICERT_FINGERPRINT% --input  %SYMPHONY_MSI_PATH%
+smctl sign verify --input %SYMPHONY_MSI_PATH%
 IF %errorlevel% neq 0 (
 	echo "Failed to sign installer"
 	exit /b -1