From 52d757c66064334f42918563d2f9282e6e4a22b1 Mon Sep 17 00:00:00 2001
From: Matthieu Gautier
Date: Thu, 29 Aug 2024 14:35:41 +0200
Subject: [PATCH 1/3] Publish kiwix-desktop Windows build in Windows CI

---
 .github/scripts/build_definition.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/scripts/build_definition.py b/.github/scripts/build_definition.py
index 89692fa..a87f2ac 100644
--- a/.github/scripts/build_definition.py
+++ b/.github/scripts/build_definition.py
@@ -24,7 +24,7 @@ BUILD_DEF = """
 # On Windows, we build only libzim for now. And only native_mixed as xapian doesn't compile as dll
 | windows | native_static | Bd | d | d | d | | win-x86_64 | win-x86_64-static |
 | windows | native_dyn | Bd | | | | | win-x86_64 | win-x86_64-dyn |
- | windows | native_mixed | BPd | d | | | Bd | win-x86_64 | win-x86_64-mixed |
+ | windows | native_mixed | BPd | d | | | BPd | win-x86_64 | win-x86_64-mixed |
 ----------------------------------------------------------------------------------------------------------------------------------------------
 # Osx builds, build binaries on native_dyn and native_static. On anyother things, build only the libraries
 | macos | native_dyn | d | d | dB | B | | | macos-x86_64-dyn |
From de90c6fefc39e41102029a7184ee92664a89317d Mon Sep 17 00:00:00 2001
From: Matthieu Gautier
Date: Thu, 29 Aug 2024 14:28:00 +0200
Subject: [PATCH 2/3] Setup kiwix-destkop signature on Windows. Fix #713

---
 .github/workflows/releaseNigthly.yml | 31 ++++++++++++++++++++++++
 scripts/package_kiwix-desktop_windows.py | 20 ++++++++++++---
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/releaseNigthly.yml b/.github/workflows/releaseNigthly.yml
index 4181dc5..c874f9c 100644
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@@ -52,6 +52,37 @@ jobs:
 echo "${{secrets.ssh_key}}" > $SSH_KEY
 env:
 SSH_KEY: ${{ runner.temp }}/id_rsa
+ - name: Install and configure eSigner CKA and Windows SDK
+ if: github.event_name == 'push'
+ env:
+ ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.7/SSL.COM-eSigner-CKA_1.0.7.zip
+ run: |
+ Set-StrictMode -Version 'Latest'
+
+ # Download and Unzip eSignerCKA Setup
+ Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "$env:ESIGNER_URL"
+ Expand-Archive -Force eSigner_CKA_Setup.zip
+ Remove-Item eSigner_CKA_Setup.zip
+ Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
+
+ # Install eSignerCKA
+ New-Item -ItemType Directory -Force -Path "C:\esigner"
+ ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\esigner” /TYPE=automatic | Out-Null
+ Remove-Item "eSigner_CKA_Installer.exe"
+
+ # Configure the CKA with SSL.com credentials
+ C:\esigner\eSignerCKATool.exe config -mode product -user "${{ secrets.ESIGNER_USERNAME }}" -pass "${{ secrets.ESIGNER_PASSWORD }}" -totp "${{ secrets.ESIGNER_TOTP_SECRET }}" -key "C:\esigner\master.key" -r
+ C:\esigner\eSignerCKATool.exe unload
+ C:\esigner\eSignerCKATool.exe load
+
+ # Find certificate
+ $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+ echo Certificate: $CodeSigningCert
+
+ # Extract thumbprint and subject name
+ $Thumbprint = $CodeSigningCert.Thumbprint
+ echo "SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV
+
 - name: Ensure base deps
 run: |
 python .github\\scripts\\ensure_base_deps.py
diff --git a/scripts/package_kiwix-desktop_windows.py b/scripts/package_kiwix-desktop_windows.py
index 0c4ceb8..7b17c93 100644
--- a/scripts/package_kiwix-desktop_windows.py
+++ b/scripts/package_kiwix-desktop_windows.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3

-import sys, subprocess, shutil, argparse
+import sys, subprocess, shutil, argparse, os
 from pathlib import Path

 parser = argparse.ArgumentParser()
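Review bot: The eSigner CKA archive fetched by `Invoke-WebRequest` in the "Download and Unzip" block is unpacked and its installer executed without any integrity check, so the signing toolchain is whatever that release URL serves at run time; pinning the digest turns a changed or tampered download into a build failure instead of a silently different signer. After the download I would add `if ((Get-FileHash eSigner_CKA_Setup.zip -Algorithm SHA256).Hash -ne $env:ESIGNER_SHA256) { throw "eSigner CKA archive digest mismatch" }`, with `ESIGNER_SHA256` declared in the step's `env:` next to `ESIGNER_URL` (value: the published digest of the pinned release, a placeholder until recorded). The certificate lookup also never checks that `Select-Object -First 1` returned anything: if the CKA `load` fails or the store holds no code-signing certificate, `$CodeSigningCert` is null and the failure surfaces either as a generic property-access error or, depending on strict-mode behaviour, as an empty `SIGNTOOL_THUMBPRINT` that only breaks later in signtool, so `if (-not $CodeSigningCert) { throw "No code-signing certificate found in CurrentUser\My" }` before reading `.Thumbprint` fails the step where the problem is. The exit codes of the three `eSignerCKATool.exe` calls are likewise not checked, which pwsh does not do for native commands by default, so a failed `config` is invisible until the same point. Minor: the curly quotes in the `Move-Item` and `/DIR=` arguments are accepted by PowerShell but are easy to break in an editor; plain ASCII quotes are safer.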
@@ -48,9 +48,23 @@ ssl_directory = Path("C:/") / "Program Files" / "OpenSSL"
 shutil.copy2(ssl_directory / "libcrypto-1_1-x64.dll", out_dir)
 shutil.copy2(ssl_directory / "libssl-1_1-x64.dll", out_dir)

-# [TODO] Sign binary
 if args.sign:
- pass
+ # We assume here that signtool and certificate are properly configured.
+ # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
+ command = [
+ "signtool.exe",
+ "sign",
+ "/fd",
+ "sha256",
+ "/tr",
+ "http://ts.ssl.com",
+ "/td",
+ "sha256",
+ "/sha1",
+ os.environ["SIGNTOOL_THUMBPRINT"],
+ str(out_dir / "kiwix-desktop.exe"),
+ ]
+ subprocess.run(command, check=True)

 print(
 f"""Create archive
From 8b9d9f87e53e0a63a668f65137161e48f5d4d1f3 Mon Sep 17 00:00:00 2001
From: renaud gaudin
Date: Thu, 29 Aug 2024 16:15:29 +0000
Subject: [PATCH 3/3] Use specific version of signtool

Default version of signtool in PATH does not work properly with our CKA. We could also load an SDK's env batch file instead but setting this on the workflow is more maintainable as we'll get a clear missing file error on GA Image change
---
 .github/workflows/releaseNigthly.yml | 1 +
 scripts/package_kiwix-desktop_windows.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/releaseNigthly.yml b/.github/workflows/releaseNigthly.yml
index c874f9c..8d1f287 100644
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@@ -92,6 +92,7 @@ jobs:
 run: |
 python .github\\scripts\\build_release_nightly.py
 env:
+ SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe"
 SSH_KEY: ${{ runner.temp }}/id_rsa
 - name: Upload failure logs
 if: failure()
diff --git a/scripts/package_kiwix-desktop_windows.py b/scripts/package_kiwix-desktop_windows.py
index 7b17c93..3da393b 100644
--- a/scripts/package_kiwix-desktop_windows.py
+++ b/scripts/package_kiwix-desktop_windows.py
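Review bot: `os.environ["SIGNTOOL_THUMBPRINT"]` inside the `command` list turns a missing variable into a bare `KeyError` traceback, a poor failure mode for a packaging step whose precondition lives only in a comment; read it first and fail with an actionable message, e.g. `thumbprint = os.environ.get("SIGNTOOL_THUMBPRINT")` followed by `if not thumbprint: sys.exit("--sign requires SIGNTOOL_THUMBPRINT to be set")`, then pass `thumbprint` in the list (this also rejects an empty string, which would otherwise reach signtool). The `/sha1` switch is easy to misread next to the two `sha256` arguments; a comment such as `# /sha1 selects the certificate by its thumbprint; /fd and /td are the file and timestamp digest algorithms` would spare the next reader a trip to the signtool docs. `check=True` only proves signtool exited 0, so an optional `signtool verify /pa` on the produced exe afterwards would catch a signature made with an unexpected certificate before the archive is published. The script continues past the hunk; only the `if args.sign:` block is fully visible here.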
@@ -52,7 +52,7 @@ if args.sign:
 # We assume here that signtool and certificate are properly configured.
 # Env var `SIGNTOOL_THUMBPRINT` must contain thumbprint of the certificate to use.
 command = [
- "signtool.exe",
+ os.getenv("SIGNTOOL_PATH", "signtool.exe"),
 "sign",
 "/fd",
 "sha256",
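Review bot: `os.getenv("SIGNTOOL_PATH", "signtool.exe")` falls back to PATH lookup only when the variable is absent; a variable that is set but empty (easy to produce from a workflow `env:` entry whose expression resolves to nothing) yields `""` as the program name and a confusing error from `subprocess.run`. `os.getenv("SIGNTOOL_PATH") or "signtool.exe"` covers both cases in the same line. Since the commit message relies on a "clear missing file error" when the pinned SDK path disappears from the runner image, it may be worth checking `Path(signtool).is_file()` up front and exiting with a message that names the path tried, because the Windows `FileNotFoundError` raised by `subprocess.run` does not always include it; `Path` is already imported at the top of the script. The `command` list and the enclosing `if args.sign:` block continue past the end of the hunk.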