Make Windows builds using a new ssl.com code signing certificate #3050
|
@@ -8,9 +8,13 @@ inputs: | |
required: true | ||
|
||
# Windows Inputs | ||
csc_key_password: | ||
ssl_com_username: | ||
required: true | ||
csc_link: | ||
ssl_com_password: | ||
required: true | ||
ssl_com_totp_secret: | ||
required: true | ||
ssl_com_credential_id: | ||
required: true | ||
|
||
# Mac Inputs | ||
|
@@ -47,16 +51,45 @@ runs: | |
security find-identity -p codesigning -v | ||
shell: bash | ||
|
||
- name: Checkout esigner-codesign repository | ||
if: runner.os == 'Windows' | ||
uses: actions/checkout@v3 | ||
with: | ||
repository: 'SSLcom/esigner-codesign' | ||
path: esigner-codesign | ||
|
||
- name: Make values from package.json available in Actions steps | ||
id: zui-package | ||
uses: RadovanPelka/github-action-json@v1.0.1 | ||
with: | ||
path: apps/zui/package.json | ||
|
||
- name: Build & Publish | ||
run: ${{ inputs.cmd }} | ||
shell: bash | ||
env: | ||
GH_TOKEN: ${{ inputs.gh_token }} | ||
WIN_CSC_KEY_PASSWORD: ${{ inputs.csc_key_password }} | ||
WIN_CSC_LINK: ${{ inputs.csc_link }} | ||
APPLE_ID: ${{ inputs.apple_id }} | ||
APPLE_ID_PASSWORD: ${{ inputs.apple_id_password }} | ||
APPLE_TEAM_ID: ${{ inputs.apple_team_id }} | ||
CODE_SIGN_SCRIPT_PATH: ${{ github.workspace }}/esigner-codesign/dist/index.js | ||
INPUT_COMMAND: sign | ||
INPUT_FILE_PATH: ${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The |
||
INPUT_OVERRIDE: true | ||
INPUT_MALWARE_BLOCK: false | ||
INPUT_CLEAN_LOGS: false | ||
INPUT_JVM_MAX_MEMORY: 1024M | ||
INPUT_ENVIRONMENT_NAME: PROD | ||
INPUT_USERNAME: ${{ inputs.ssl_com_username }} | ||
INPUT_PASSWORD: ${{ inputs.ssl_com_password }} | ||
INPUT_TOTP_SECRET: ${{ inputs.ssl_com_totp_secret }} | ||
INPUT_CREDENTIAL_ID: ${{ inputs.ssl_com_credential_id }} | ||
|
||
- name: Check for successful signing with SignTool | ||
if: runner.os == 'Windows' | ||
run: | | ||
"C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" verify /pa "${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe" | ||
shell: cmd | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. While getting the esigner tool working with electron-builder, one buggy-seeming thing I encountered is that even if the custom signing code returns This would have made it likely that we could one day be producing unsigned builds and not be aware. I found via web searches that this |
||
|
||
- name: Check notorization with gatekeeper | ||
if: runner.os == 'macOS' | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
const { execSync } = require('child_process'); | ||
const zuiPackage = require('./package.json') | ||
|
||
const config = { | ||
appId: "io.brimdata.zui", | ||
asar: true, | ||
asarUnpack: ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"], | ||
directories: {output: "../../dist/apps/zui"}, | ||
protocols: [{name: "zui", "schemes": ["zui"]}], | ||
win: {target: ["nsis"]}, | ||
linux: {target: ["deb", "rpm"]}, | ||
rpm: {depends: ["openssl"]}, | ||
deb: {depends: ["openssl"]}, | ||
nsis: {oneClick: false, perMachine: false}, | ||
forceCodeSigning: true, | ||
afterSign: "electron-builder-notarize", | ||
publish: { | ||
provider: "github" | ||
}, | ||
files: [ | ||
"dist/**", | ||
"out/**", | ||
"build/**", | ||
"zdeps/**", | ||
"LICENSE.txt", | ||
"acknowledgments.txt", | ||
"package.json" | ||
], | ||
} | ||
|
||
// Code below for code signing with SSL.com cert in electron-builder via GitHub | ||
// Actions taken from: | ||
// https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062 | ||
if (process.env.CODE_SIGN_SCRIPT_PATH) { | ||
const version = zuiPackage.version; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The code I borrowed from the GitHub issue was doing this via:
I don't know why he didn't opt to just |
||
const productName = zuiPackage.productName; | ||
const versionedExe = `${productName} Setup ${version}.exe`; | ||
|
||
config.win.sign = (configuration) => { | ||
console.log("Requested signing for ", configuration.path); | ||
|
||
// Only proceed if the versioned exe file is in the configuration path - skip signing everything else | ||
if (!configuration.path.includes(versionedExe)) { | ||
console.log("Configuration path does not include the versioned exe, signing skipped."); | ||
return true; | ||
} | ||
|
||
const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH; | ||
|
||
try { | ||
// Execute the sign script synchronously | ||
const output = execSync(`node "${scriptPath}"`).toString(); | ||
console.log(`Script output: ${output}`); | ||
} catch (error) { | ||
console.error(`Error executing script: ${error.message}`); | ||
if (error.stdout) { | ||
console.log(`Script stdout: ${error.stdout.toString()}`); | ||
} | ||
if (error.stderr) { | ||
console.error(`Script stderr: ${error.stderr.toString()}`); | ||
} | ||
return false; | ||
} | ||
|
||
return true; // Return true at the end of successful signing | ||
}; | ||
|
||
// Sign only for Windows 10 and above | ||
config.win.signingHashAlgorithms = ["sha256"]; | ||
|
||
} | ||
|
||
module.exports = config; |
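Review bot: The sign hook returns `true` for every artifact whose path does not contain the versioned Setup exe, which tells electron-builder those files were signed when nothing was run on them; with `forceCodeSigning: true` that requirement is then satisfied even though any other Windows binary handed to the hook leaves unsigned by it. If skipping them is intentional (for example because only the installer is to be submitted to eSigner), a comment above the early return saying so would stop the next reader from treating it as a bug; if not, the guard should be narrowed to just the files that must not be signed. The catch block also only logs and returns `false`, so whether the build stops depends on how electron-builder treats that return (the PR discussion suggests it does not reliably fail); throwing instead, `throw new Error(`eSigner signing failed: ${error.message}`);`, would abort at the signing step rather than relying on the later signtool verification. Finally, `execSync(`node "${scriptPath}"`)` goes through a shell with an interpolated path; `execFileSync("node", [scriptPath])` runs the script directly and removes the quoting concern entirely.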
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
const config = { | ||
extends: "./electron-builder-config.js", | ||
appId: "io.brimdata.zui-insiders", | ||
mac: { | ||
icon: "build/insiders/icon.icns" | ||
}, | ||
win: { | ||
icon: "build/insiders/icon.ico" | ||
}, | ||
publish: { | ||
provider: "github", | ||
releaseType: "release" | ||
} | ||
} | ||
|
||
module.exports = config; |
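Review bot: This config overrides `win` with only an `icon`, while the base `electron-builder-config.js` it extends also sets `win.target` and, when `CODE_SIGN_SCRIPT_PATH` is present, `win.sign` and `win.signingHashAlgorithms`; whether those survive depends on electron-builder deep-merging `extends` rather than replacing the `win` object, which the file does not show. A short comment here stating that the base `win` settings (including the signing hook) are expected to be merged in, or a quick check that the insiders build still hits the `Requested signing for` log line, would make that reliance explicit, and the later signtool verification step only protects the stable product name if `INPUT_FILE_PATH` is derived from this package's `productName` as well.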
This file was deleted.
This file was deleted.
I added this because one of the env variables to be passed to the esigner tool is the expected filename of what would be signed, and that filename includes both the app name (`Zui` or `Zui Insiders`) and the version string, both of which are in `package.json`.