From 0a9d761c83fe87e8f96b2c8a2b6babc751d6c39f Mon Sep 17 00:00:00 2001
From: Kyle Carberry <kyle@coder.com>
Date: Mon, 19 Aug 2024 20:33:37 -0400
Subject: [PATCH] chore: sign the windows installer (#14353)

(cherry picked from commit 6f9b3c1592bca6412ef01fb98758c068902757b8)
---
 scripts/build_windows_installer.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/scripts/build_windows_installer.sh b/scripts/build_windows_installer.sh
index 3b4d15a3cee9c..1a20a2cca3fb3 100755
--- a/scripts/build_windows_installer.sh
+++ b/scripts/build_windows_installer.sh
@@ -19,6 +19,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 agpl="${CODER_BUILD_AGPL:-0}"
 output_path=""
 version=""
+sign_windows="${CODER_SIGN_WINDOWS:-0}"
 
 args="$(getopt -o "" -l agpl,output:,version: -- "$@")"
 eval set -- "$args"
@@ -51,6 +52,11 @@ if [[ "$output_path" == "" ]]; then
 	error "--output is a required parameter"
 fi
 
+if [[ "$sign_windows" == 1 ]]; then
+	dependencies java
+	requiredenvs JSIGN_PATH EV_KEYSTORE EV_KEY EV_CERTIFICATE_PATH EV_TSA_URL GCLOUD_ACCESS_TOKEN
+fi
+
 if [[ "$#" != 1 ]]; then
 	error "Exactly one argument must be provided to this script, $# were supplied"
 fi
@@ -125,3 +131,7 @@ popd
 cp "$temp_dir/installer.exe" "$output_path"
 
 rm -rf "$temp_dir"
+
+if [[ "$sign_windows" == 1 ]]; then
+	execrelative ./sign_windows.sh "$output_path" 1>&2
+fi