feat: add support for windows patch signing

bin/internal/flutter.version

@@ -1 +1 @@
-a0e228f47bb038c9adc770a23477df7d0ce76ac5
+39dff68b27253d66b45c1adaca6eb81d4d25548c

packages/shorebird_cli/lib/src/artifact_builder.dart

@@ -569,8 +569,7 @@ Either run `flutter pub get` manually, or follow the steps in ${cannotRunInVSCod
         executable,
         arguments,
         runInShell: true,
-        // TODO(bryanoltman): support this
-        // environment: base64PublicKey?.toPublicKeyEnv(),
+        environment: base64PublicKey?.toPublicKeyEnv(),
       );
 
       buildProcess.stdout

packages/shorebird_cli/lib/src/commands/patch/windows_patcher.dart

@@ -9,9 +9,12 @@ import 'package:shorebird_cli/src/archive_analysis/windows_archive_differ.dart';
 import 'package:shorebird_cli/src/artifact_builder.dart';
 import 'package:shorebird_cli/src/artifact_manager.dart';
 import 'package:shorebird_cli/src/code_push_client_wrapper.dart';
+import 'package:shorebird_cli/src/code_signer.dart';
 import 'package:shorebird_cli/src/commands/patch/patcher.dart';
+import 'package:shorebird_cli/src/common_arguments.dart';
 import 'package:shorebird_cli/src/doctor.dart';
 import 'package:shorebird_cli/src/executables/executables.dart';
+import 'package:shorebird_cli/src/extensions/arg_results.dart';
 import 'package:shorebird_cli/src/logging/logging.dart';
 import 'package:shorebird_cli/src/patch_diff_checker.dart';
 import 'package:shorebird_cli/src/platform/platform.dart';
@@ -80,7 +83,9 @@ class WindowsPatcher extends Patcher {
 
     final Directory releaseDir;
     try {
-      releaseDir = await artifactBuilder.buildWindowsApp();
+      releaseDir = await artifactBuilder.buildWindowsApp(
+        base64PublicKey: argResults.encodedPublicKey,
+      );
       buildAppBundleProgress.complete();
     } on Exception catch (e) {
       buildAppBundleProgress.fail(e.toString());
@@ -118,6 +123,16 @@ class WindowsPatcher extends Patcher {
     // build/windows/x64/runner/Release
     final appSoPath = p.join(tempDir.path, 'data', 'app.so');
 
+    final privateKeyFile = argResults.file(
+      CommonArguments.privateKeyArg.name,
+    );
+    final hashSignature = privateKeyFile != null
+        ? codeSigner.sign(
+            message: hash,
+            privateKeyPemFile: privateKeyFile,
+          )
+        : null;
+
     final String diffPath;
     try {
       diffPath = await artifactManager.createDiff(
@@ -137,6 +152,7 @@ class WindowsPatcher extends Patcher {
         path: diffPath,
         hash: hash,
         size: File(diffPath).lengthSync(),
+        hashSignature: hashSignature,
       ),
     };
   }

packages/shorebird_cli/lib/src/commands/release/windows_releaser.dart

@@ -37,6 +37,8 @@ class WindowsReleaser extends Releaser {
 
   @override
   Future<void> assertArgsAreValid() async {
+    argResults.assertAbsentOrValidPublicKey();
+
     if (argResults.wasParsed('release-version')) {
       logger.err(
         '''
@@ -88,12 +90,14 @@ For more information see: ${supportedFlutterVersionsUrl.toLink()}''',
       'Building Windows app with Flutter $flutterVersionString',
     );
 
+    final base64PublicKey = argResults.encodedPublicKey;
     final Directory releaseDir;
     try {
       releaseDir = await artifactBuilder.buildWindowsApp(
         flavor: flavor,
         target: target,
         args: argResults.forwardedArgs,
+        base64PublicKey: base64PublicKey,
         buildProgress: buildAppBundleProgress,
       );
       buildAppBundleProgress.complete();

packages/shorebird_cli/test/src/artifact_builder_test.dart

@@ -1537,6 +1537,37 @@ Please file a bug at https://github.com/shorebirdtech/shorebird/issues/new with
           );
         });
       });
+
+      group('when public key is provided', () {
+        const publicKey = 'publicKey';
+
+        setUp(() {
+          when(
+            () => buildProcess.exitCode,
+          ).thenAnswer((_) async => ExitCode.success.code);
+        });
+
+        test('provides public key as environment variable', () async {
+          await runWithOverrides(
+            () => builder.buildWindowsApp(base64PublicKey: publicKey),
+          );
+
+          verify(
+            () => shorebirdProcess.start(
+              'flutter',
+              [
+                'build',
+                'windows',
+                '--release',
+              ],
+              runInShell: any(named: 'runInShell'),
+              environment: {
+                'SHOREBIRD_PUBLIC_KEY': publicKey,
+              },
+            ),
+          ).called(1);
+        });
+      });
     });
 
     group('findAppDill', () {

packages/shorebird_cli/test/src/commands/patch/windows_patcher_test.dart

@@ -12,7 +12,9 @@ import 'package:shorebird_cli/src/archive_analysis/archive_analysis.dart';
 import 'package:shorebird_cli/src/artifact_builder.dart';
 import 'package:shorebird_cli/src/artifact_manager.dart';
 import 'package:shorebird_cli/src/code_push_client_wrapper.dart';
+import 'package:shorebird_cli/src/code_signer.dart';
 import 'package:shorebird_cli/src/commands/commands.dart';
+import 'package:shorebird_cli/src/common_arguments.dart';
 import 'package:shorebird_cli/src/doctor.dart';
 import 'package:shorebird_cli/src/engine_config.dart';
 import 'package:shorebird_cli/src/executables/executables.dart';
@@ -40,6 +42,7 @@ void main() {
     late ArtifactBuilder artifactBuilder;
     late ArtifactManager artifactManager;
     late CodePushClientWrapper codePushClientWrapper;
+    late CodeSigner codeSigner;
     late Doctor doctor;
     late EngineConfig engineConfig;
     late Directory projectRoot;
@@ -62,6 +65,7 @@ void main() {
           artifactBuilderRef.overrideWith(() => artifactBuilder),
           artifactManagerRef.overrideWith(() => artifactManager),
           codePushClientWrapperRef.overrideWith(() => codePushClientWrapper),
+          codeSignerRef.overrideWith(() => codeSigner),
           doctorRef.overrideWith(() => doctor),
           engineConfigRef.overrideWith(() => engineConfig),
           loggerRef.overrideWith(() => logger),
@@ -91,6 +95,7 @@ void main() {
       artifactBuilder = MockArtifactBuilder();
       artifactManager = MockArtifactManager();
       codePushClientWrapper = MockCodePushClientWrapper();
+      codeSigner = MockCodeSigner();
       doctor = MockDoctor();
       engineConfig = MockEngineConfig();
       flavorValidator = MockFlavorValidator();
@@ -448,6 +453,52 @@ void main() {
           );
         });
       });
+
+      group('when signing keys are provided', () {
+        setUp(() {
+          when(
+            () => artifactManager.createDiff(
+              releaseArtifactPath: any(named: 'releaseArtifactPath'),
+              patchArtifactPath: any(named: 'patchArtifactPath'),
+            ),
+          ).thenAnswer((_) async => diffFile.path);
+          when(() => argResults[CommonArguments.publicKeyArg.name])
+              .thenReturn('public-key.pem');
+          when(() => argResults[CommonArguments.privateKeyArg.name])
+              .thenReturn('private-key.pem');
+          when(
+            () => codeSigner.sign(
+              message: any(named: 'message'),
+              privateKeyPemFile: any(named: 'privateKeyPemFile'),
+            ),
+          ).thenReturn('signature');
+        });
+
+        test('signs patch', () async {
+          final result = await runWithOverrides(
+            () => patcher.createPatchArtifacts(
+              appId: appId,
+              releaseId: releaseId,
+              releaseArtifact: releaseArtifact,
+            ),
+          );
+
+          expect(result[Arch.x86_64]!.hashSignature, equals('signature'));
+          verify(
+            () => codeSigner.sign(
+              message: any(named: 'message'),
+              privateKeyPemFile: any(
+                named: 'privateKeyPemFile',
+                that: isA<File>().having(
+                  (f) => f.path,
+                  'path',
+                  equals('private-key.pem'),
+                ),
+              ),
+            ),
+          ).called(1);
+        });
+      });
     });
 
     group('extractReleaseVersionFromArtifact', () {

packages/shorebird_cli/test/src/commands/release/windows_releaser_test.dart

@@ -10,7 +10,9 @@ import 'package:scoped_deps/scoped_deps.dart';
 import 'package:shorebird_cli/src/artifact_builder.dart';
 import 'package:shorebird_cli/src/artifact_manager.dart';
 import 'package:shorebird_cli/src/code_push_client_wrapper.dart';
+import 'package:shorebird_cli/src/code_signer.dart';
 import 'package:shorebird_cli/src/commands/commands.dart';
+import 'package:shorebird_cli/src/common_arguments.dart';
 import 'package:shorebird_cli/src/doctor.dart';
 import 'package:shorebird_cli/src/executables/executables.dart';
 import 'package:shorebird_cli/src/logging/logging.dart';
@@ -34,6 +36,7 @@ void main() {
     late ArtifactBuilder artifactBuilder;
     late ArtifactManager artifactManager;
     late CodePushClientWrapper codePushClientWrapper;
+    late CodeSigner codeSigner;
     late Directory releaseDirectory;
     late Doctor doctor;
     late ShorebirdLogger logger;
@@ -54,6 +57,7 @@ void main() {
           artifactBuilderRef.overrideWith(() => artifactBuilder),
           artifactManagerRef.overrideWith(() => artifactManager),
           codePushClientWrapperRef.overrideWith(() => codePushClientWrapper),
+          codeSignerRef.overrideWith(() => codeSigner),
           doctorRef.overrideWith(() => doctor),
           loggerRef.overrideWith(() => logger),
           powershellRef.overrideWith(() => powershell),
@@ -76,6 +80,7 @@ void main() {
       artifactBuilder = MockArtifactBuilder();
       artifactManager = MockArtifactManager();
       codePushClientWrapper = MockCodePushClientWrapper();
+      codeSigner = MockCodeSigner();
       doctor = MockDoctor();
       flavorValidator = MockFlavorValidator();
       powershell = MockPowershell();
@@ -146,6 +151,22 @@ To change the version of this release, change your app's version in your pubspec
           ).called(1);
         });
       });
+
+      group('when public key is provided but file does not exist', () {
+        setUp(() {
+          when(() => argResults.wasParsed(CommonArguments.publicKeyArg.name))
+              .thenReturn(true);
+          when(() => argResults[CommonArguments.publicKeyArg.name])
+              .thenReturn('nonexistent');
+        });
+
+        test('fails progress, exits', () async {
+          await expectLater(
+            () => runWithOverrides(releaser.assertArgsAreValid),
+            exitsWithCode(ExitCode.usage),
+          );
+        });
+      });
     });
 
     group('assertPreconditions', () {
@@ -310,6 +331,42 @@ For more information see: ${supportedFlutterVersionsUrl.toLink()}''',
           expect(releaseDir, projectRoot);
         });
       });
+
+      group('when public key is passed as an arg', () {
+        setUp(() {
+          when(
+            () => artifactBuilder.buildWindowsApp(
+              flavor: any(named: 'flavor'),
+              target: any(named: 'target'),
+              args: any(named: 'args'),
+              buildProgress: any(named: 'buildProgress'),
+              base64PublicKey: any(named: 'base64PublicKey'),
+            ),
+          ).thenAnswer((_) async => projectRoot);
+          when(
+            () => argResults.wasParsed(CommonArguments.publicKeyArg.name),
+          ).thenReturn(true);
+          when(
+            () => argResults[CommonArguments.publicKeyArg.name],
+          ).thenReturn('public_key');
+          when(
+            () => codeSigner.base64PublicKey(any()),
+          ).thenReturn('encoded_public_key');
+        });
+
+        test('passes public key to buildWindowsApp', () async {
+          await runWithOverrides(releaser.buildReleaseArtifacts);
+          verify(
+            () => artifactBuilder.buildWindowsApp(
+              base64PublicKey: 'encoded_public_key',
+              flavor: any(named: 'flavor'),
+              target: any(named: 'target'),
+              args: any(named: 'args'),
+              buildProgress: any(named: 'buildProgress'),
+            ),
+          ).called(1);
+        });
+      });
     });
 
     group('getReleaseVersion', () {