Pull request 2277: AG-29637 Sign Windows

Squashed commit of the following:

commit d22a4cb262c984241863d8dec1e498d83733ac6f
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 15:19:01 2024 +0300

    all: resolve tmp todos

commit 4574b050bae921ec9ebed5f90f96f571ca7800cd
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 14:55:44 2024 +0300

    bamboo: checkout later

commit 3036a46566c78350f1335cdd9f17f28c837b679f
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 14:35:36 2024 +0300

    bamboo: list files

commit eb675abfc0415907e41e08c8c2bc565162697478
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 14:28:14 2024 +0300

    bamboo: work with vcs properly

commit 0c34b4dcfd836f0f1c01cbde50cfc505eb46a5ff
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 14:15:06 2024 +0300

    bamboo: add repo name var

commit 15da8e294f6ee43643787264492facd881bf7713
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Wed Sep 11 14:06:26 2024 +0300

    bamboo: upd api key

commit b1d353dbc3b1b29596f15fa2c6fcb1d7d5f57d72
Merge: 3309f0703 cbae07e8e
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Sep 10 19:29:29 2024 +0300

    Merge branch 'master' into AG-29637-sign-windows

commit 3309f07031331d6f72170a7bb91c35e0a2e50c46
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Sep 10 19:09:44 2024 +0300

    all: only sign beta

commit f61af53a70b3abd15717f341f07b58091eb4a988
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Sep 10 15:32:31 2024 +0300

    all: sign windows

scripts/make/build-release.sh

@@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ]
 then
 	gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}"
 	gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}"
+	signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}"
+	deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}"
 else
 	gpg_key_passphrase=''
 	gpg_key=''
+	signer_api_key=''
+	deploy_script_path=''
 fi
-readonly gpg_key_passphrase gpg_key
+readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path
 
 # The default distribution files directory is dist.
 dist="${DIST_DIR:-dist}"
@@ -149,6 +153,50 @@ windows  amd64     -   -
 windows  arm64     -   -"
 readonly platforms
 
+# Function sign signs the specified build as intended by the target operating
+# system.
+sign() {
+	# Only sign if needed.
+	if [ "$sign" -ne '1' ]
+	then
+		return
+	fi
+
+	# Get the arguments.  Here and below, use the "sign_" prefix for all
+	# variables local to function sign.
+	sign_os="$1"
+	sign_bin_path="$2"
+
+	if [ "$sign_os" != 'windows' ]
+	then
+		gpg\
+			--default-key "$gpg_key"\
+			--detach-sig\
+			--passphrase "$gpg_key_passphrase"\
+			--pinentry-mode loopback\
+			-q\
+			"$sign_bin_path"\
+			;
+
+		return
+	# TODO(e.burkov):  Enable for all releases.
+	elif [ "$channel" != 'beta' ]
+	then
+		return
+	fi
+
+	signed_bin_path="${sign_bin_path}.signed"
+
+	env\
+		INPUT_FILE="$sign_bin_path"\
+		OUTPUT_FILE="$signed_bin_path"\
+		SIGNER_API_KEY="$signer_api_key"\
+		"$deploy_script_path" sign-executable\
+		;
+
+	mv "$signed_bin_path" "$sign_bin_path"
+}
+
 # Function build builds the release for one platform.  It builds a binary and an
 # archive.
 build() {
@@ -189,17 +237,7 @@ build() {
 
 	log "$build_output"
 
-	if [ "$sign" -eq '1' ]
-	then
-		gpg\
-			--default-key "$gpg_key"\
-			--detach-sig\
-			--passphrase "$gpg_key_passphrase"\
-			--pinentry-mode loopback\
-			-q\
-			"$build_output"\
-			;
-	fi
+	sign "$os" "$build_output"
 
 	# Prepare the build directory for archiving.
 	cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"