Sign ffdec.jar and ffdec_lib.jar

.github/workflows/main.yml

@@ -419,7 +419,7 @@ jobs:
 #        path: resources/ffdec.exe
         
   sign_and_msi:
-    name: Generate MSI, Sign EXE+MSI
+    name: Code signing, MSI installer
     runs-on: windows-latest
     needs: 
         - compute-version
@@ -444,13 +444,30 @@ jobs:
         with:
           name: dist
           path: dist/
+          
+      - name: Download lib_dist artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist_lib
+          path: libsrc/ffdec_lib/dist/
         
       - name: Download unsigned EXE artifact
         uses: actions/download-artifact@v4
         with:
           name: unsigned_exe
           path: dist/
-        
+          
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: adopt
+          architecture: x64
+          java-version: 23
+          
+      - name: Build alt signer
+        working-directory: altsigner
+        run: mvn clean package
+          
       - id: auth
         uses: google-github-actions/auth@v2
         with:
@@ -501,6 +518,41 @@ jobs:
 
           Start-Process msiexec.exe -Wait -ArgumentList "/i `"$($msi.FullName)`" /qn /norestart"
 
+      - name: Sign ffdec.jar
+        shell: pwsh
+        run: |
+          $kc = "projects/$env:GCP_PROJECT_ID/locations/$env:GCP_LOCATION/keyRings/$env:KMS_KEYRING/cryptoKeys/$env:KMS_KEY/cryptoKeyVersions/$env:KMS_KEY_VERSION"
+          java -cp altsigner\target\kms-jarsigner-1.0.jar com.jpexs.kmsjarsigner.SignJar dist/ffdec.jar dist/ffdec-signed.jar cert/cert-chain.pem $kc http://timestamp.sectigo.com 
+          move dist/ffdec-signed.jar dist/ffdec.jar
+          
+      - name: Verify ffdec.jar signature
+        shell: pwsh
+        run: jarsigner.exe -verify -strict dist/ffdec-signed.jar
+          
+      - name: Upload signed JAR artifact
+        uses: actions/upload-artifact@v4
+        with:
+            name: signed_jar
+            path: dist/ffdec.jar
+
+      - name: Sign ffdec_lib.jar
+        shell: pwsh
+        run: |
+          $kc = "projects/$env:GCP_PROJECT_ID/locations/$env:GCP_LOCATION/keyRings/$env:KMS_KEYRING/cryptoKeys/$env:KMS_KEY/cryptoKeyVersions/$env:KMS_KEY_VERSION"
+          java -cp altsigner\target\kms-jarsigner-1.0.jar com.jpexs.kmsjarsigner.SignJar libsrc/ffdec_lib/dist/ffdec_lib.jar libsrc/ffdec_lib/dist/ffdec_lib-signed.jar cert/cert-chain.pem $kc http://timestamp.sectigo.com 
+          move libsrc/ffdec_lib/dist/ffdec_lib-signed.jar libsrc/ffdec_lib/dist/ffdec_lib.jar
+      
+      - name: Verify ffdec_lib.jar signature
+        shell: pwsh
+        run: jarsigner.exe -verify -strict libsrc/ffdec_lib/dist/ffdec_lib.jar
+        
+      - name: Upload signed lib JAR artifact
+        uses: actions/upload-artifact@v4
+        with:
+            name: signed_lib_jar
+            path: libsrc/ffdec_lib/dist/ffdec_lib.jar
+
+
       - name: Locate signtool
         id: signtool
         shell: pwsh
@@ -727,11 +779,26 @@ jobs:
           name: dist
           path: dist/
     
+    - name: Download signed jar artifact
+      uses: actions/download-artifact@v4
+      with:
+          name: signed_jar
+          path: dist/    
+    
     - name: Download lib dist artifact
       uses: actions/download-artifact@v4
       with:
           name: lib_dist
           path: libsrc/ffdec_lib/dist/
+    
+    - name: Download signed lib jar artifact
+      uses: actions/download-artifact@v4
+      with:
+          name: signed_lib_jar
+          path: libsrc/ffdec_lib/dist/
+          
+    - name: Copy signed ffdec_lib.jar to lib main dir
+      run: cp libsrc/ffdec_lib/dist/ffdec_lib.jar lib/ffdec_lib.jar        
           
     - name: Download signed EXE artifact
       uses: actions/download-artifact@v4