From 097ce7504e780908891fa51e59a077e80393b87f Mon Sep 17 00:00:00 2001
From: Brian van de Boogaard
Date: Fri, 25 Jul 2025 11:37:15 -0600
Subject: [PATCH 1/4] Update Windows code signing to use KeyLocker
---
 .github/workflows/cd.yml | 29 ++++++++-------
 changelog.d/+keylocker_migration.changed.md | 1 +
 noxfile.py | 41 ++++++++++-----------
 3 files changed, 37 insertions(+), 34 deletions(-)
 create mode 100644 changelog.d/+keylocker_migration.changed.md
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 9ce190af..dbae302a 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -95,8 +95,10 @@ jobs:
 deploy-windows-bundle:
 needs: deploy
 env:
- B2_WINDOWS_CODE_SIGNING_CERTIFICATE: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
- B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}
+ SM_HOST: ${{ secrets.SM_HOST }}
+ SM_API_KEY: ${{ secrets.SM_API_KEY }}
+ SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+ SM_CLIENT_CERT_PASSWORD: ${{ secrets. SM_CLIENT_CERT_PASSWORD }}
 runs-on: windows-2019
 steps:
 - uses: actions/checkout@v4
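Review bot: `SM_CLIENT_CERT_PASSWORD: ${{ secrets. SM_CLIENT_CERT_PASSWORD }}` carries a stray space after `secrets.`; if the expression parser rejects it the workflow fails to load, and if it instead evaluates to an empty string the client certificate cannot be unlocked at signing time, so the line should read `SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}`. The typo fix later in this series (patch 4) corrects `alais` but leaves this one in place, as the context of patch 3 still shows. Exporting all four SM_* values at job level also means every step of deploy-windows-bundle, including `actions/checkout@v4` and the bundle build, runs with the signing credentials in its environment; a step-level `env:` on the steps that need them keeps the exposure to the signing steps.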
@@ -112,18 +114,19 @@ jobs:
 id: bundle
 shell: bash
 run: nox -vs bundle
- - name: Import certificate
- id: windows_import_cert
- if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' }}
- uses: timheuer/base64-to-file@v1
- with:
- fileName: 'cert.pfx'
- encodedString: ${{ secrets.B2_WINDOWS_CODE_SIGNING_CERTIFICATE }}
- - name: Sign the bundle
- if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' }}
- id: sign
+ - name: Install client for code signing with Software Trust Manager
+ uses: digicert/ssm-code-signing@v1.1.0
+ env:
+ FORCE_DOWNLOAD_TOOLS: 'true'
+ - name: Set up client authentication certificate
+ id: client_cert
+ run: |
+ echo "${{ env.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+ echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
 shell: bash
- run: nox -vs sign -- '${{ steps.windows_import_cert.outputs.filePath }}' '${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}'
+ - name: Sign the bundle using a keypair alais
+ id: sign
+ run: nox -vs sign -- '${{ secrets.SM_KEYPAIR_ALIAS }}' '${{ secrets.SM_CERT_FINGERPRINT }}'
 - name: Generate hashes
 id: hashes
 run: nox -vs make_dist_digest
diff --git a/changelog.d/+keylocker_migration.changed.md b/changelog.d/+keylocker_migration.changed.md
new file mode 100644
index 00000000..2bcd7bbf
--- /dev/null
+++ b/changelog.d/+keylocker_migration.changed.md
@@ -0,0 +1 @@
+Switched to cloud-based signing using DigiCert KeyLocker
diff --git a/noxfile.py b/noxfile.py
index 3c1eb868..83e2a813 100644
--- a/noxfile.py
+++ b/noxfile.py
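Review bot: The `Set up client authentication certificate` step expands `${{ env.SM_CLIENT_CERT_FILE_B64 }}` into the script text even though the value is already exported by the job-level `env:`; reading it from the shell instead, `echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/Certificate_pkcs12.p12`, keeps the secret out of the generated script and is the form GitHub recommends for `run:` steps. The removed `if: ${{ env.B2_WINDOWS_CODE_SIGNING_CERTIFICATE != '' }}` guards have no counterpart, so a run without the SM_* secrets now fails at the decode step rather than skipping signing; that is a reasonable fail-closed default for a release job, but it deserves a comment on the step so nobody reintroduces a skip guard by reflex. `digicert/ssm-code-signing@v1.1.0` is pinned to a mutable tag; pinning to the release's full commit SHA is the usual hardening for an action that handles signing credentials. The decoded `/d/Certificate_pkcs12.p12` also stays on the runner for the rest of the job, so a final cleanup step is cheap insurance should this job ever run on non-ephemeral runners.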
@@ -365,42 +365,41 @@ def bundle(session: nox.Session):
 def sign(session):
 """Sign the bundled distribution (macOS and Windows only)."""
- def sign_windows(cert_file, cert_password):
- session.run('certutil', '-f', '-p', cert_password, '-importpfx', cert_file)
+ def sign_windows(keypair_alias, cert_fingerprint):
 for binary_name in ['b2'] + get_versions():
+ binary_path = f'dist/{binary_name}.exe'
+
+ # Sign the binary
 session.run(
- WINDOWS_SIGNTOOL_PATH,
+ 'smctl',
 'sign',
- '/f',
- cert_file,
- '/p',
- cert_password,
- '/tr',
- WINDOWS_TIMESTAMP_SERVER,
- '/td',
- 'sha256',
- '/fd',
- 'sha256',
- f'dist/{binary_name}.exe',
+ '--keypair-alias',
+ keypair_alias,
+ '--input',
+ binary_path,
 external=True,
 )
+
+ # Verify the signature
 session.run(
- WINDOWS_SIGNTOOL_PATH,
+ 'smctl',
+ 'sign',
 'verify',
- '/pa',
- '/all',
- f'dist/{binary_name}.exe',
+ '--fingerprint',
+ cert_fingerprint,
+ '--input',
+ binary_path,
 external=True,
 )
 if SYSTEM == 'windows':
 try:
- certificate_file, certificate_password = session.posargs
+ sm_keypair_alias, sm_cert_fingerprint = session.posargs
 except ValueError:
- session.error('pass the certificate file and the password as positional arguments')
+ session.error('pass the keypair alias and the cert fingerprint as positional arguments')
 return
- sign_windows(certificate_file, certificate_password)
+ sign_windows(sm_keypair_alias, sm_cert_fingerprint)
 elif SYSTEM == 'linux':
 session.log('signing is not supported for Linux')
 else:
From 904ae438a00c318db14e1652757eb0aabb7d857d Mon Sep 17 00:00:00 2001
From: Brian van de Boogaard
Date: Fri, 25 Jul 2025 11:50:39 -0600
Subject: [PATCH 2/4] Add fullstop to changelog entry
---
 changelog.d/+keylocker_migration.changed.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/+keylocker_migration.changed.md b/changelog.d/+keylocker_migration.changed.md
index 2bcd7bbf..82e7cd8c 100644
--- a/changelog.d/+keylocker_migration.changed.md
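Review bot: The new `smctl sign` call drops the `/tr WINDOWS_TIMESTAMP_SERVER /td sha256` arguments the old signtool invocation passed, and nothing in the hunk replaces them; unless smctl applies a timestamp by default in this configuration, the Authenticode signature will stop validating once the signing certificate expires, so please confirm that behaviour and, if needed, pass the tool's timestamp server option explicitly. `WINDOWS_SIGNTOOL_PATH` and `WINDOWS_TIMESTAMP_SERVER` are no longer referenced here; if no other part of noxfile.py uses them they are now dead constants. The verify step now checks against `cert_fingerprint`, which is a useful contract worth stating: a docstring on `sign_windows` such as `"""Sign each dist/*.exe with the KeyLocker keypair and verify the result against the expected certificate fingerprint; both arguments arrive from CI via posargs."""` would make it explicit. The enclosing `sign` function continues past the end of the hunk.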
+++ b/changelog.d/+keylocker_migration.changed.md
@@ -1 +1 @@
-Switched to cloud-based signing using DigiCert KeyLocker
+Switched to cloud-based signing using DigiCert KeyLocker.
From 777847c73ba7e0d2ca02641ba718acc39aeaa864 Mon Sep 17 00:00:00 2001
From: Brian van de Boogaard
Date: Fri, 25 Jul 2025 12:01:47 -0600
Subject: [PATCH 3/4] Update to use windows-2022 runner
---
 .github/workflows/cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index dbae302a..4cc6e60d 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -99,7 +99,7 @@ jobs:
 SM_API_KEY: ${{ secrets.SM_API_KEY }}
 SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
 SM_CLIENT_CERT_PASSWORD: ${{ secrets. SM_CLIENT_CERT_PASSWORD }}
- runs-on: windows-2019
+ runs-on: windows-2022
 steps:
 - uses: actions/checkout@v4
 with:
From 9b41ede30c3993960209b3aab8862f2148374c2b Mon Sep 17 00:00:00 2001
From: Brian van de Boogaard
Date: Fri, 25 Jul 2025 14:58:17 -0600
Subject: [PATCH 4/4] Update typo in .github/workflows/cd.yml
Co-authored-by: Stephen Byrd <30883208+byrdsteve@users.noreply.github.com>
---
 .github/workflows/cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 4cc6e60d..406833aa 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -124,7 +124,7 @@ jobs:
 echo "${{ env.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
 echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
 shell: bash
- - name: Sign the bundle using a keypair alais
+ - name: Sign the bundle using a keypair alias
 id: sign
 run: nox -vs sign -- '${{ secrets.SM_KEYPAIR_ALIAS }}' '${{ secrets.SM_CERT_FINGERPRINT }}'
 - name: Generate hashes