feat(windows-sign): add unstable ssl.com windows signing
ssldotcom-windows-sign=true
Gankra committed Sep 18, 2023
1 parent 44daca8 commit 6af290a
Showing 8 changed files with 3,670 additions and 4 deletions.
5 changes: 5 additions & 0 deletions cargo-dist/src/backend/ci/github.rs
Expand Up @@ -9,6 +9,7 @@ use tracing::warn;

use crate::{
backend::{diff_files, templates::TEMPLATE_CI_GITHUB},
config::ProductionMode,
errors::DistResult,
DistGraph, SortedMap, SortedSet, TargetTriple,
};
Expand Down Expand Up @@ -39,6 +40,8 @@ pub struct GithubCiInfo {
pub publish_jobs: Vec<String>,
/// whether to create the release or assume an existing one
pub create_release: bool,
/// \[unstable\] whether to add ssl.com windows binary signing
pub ssldotcom_windows_sign: Option<ProductionMode>,
}

impl GithubCiInfo {
Expand All @@ -55,6 +58,7 @@ impl GithubCiInfo {
.unwrap_or(&self_dist_version);
let fail_fast = dist.fail_fast;
let create_release = dist.create_release;
let ssldotcom_windows_sign = dist.ssldotcom_windows_sign.clone();

// Figure out what builds we need to do
let mut needs_global_build = false;
Expand Down Expand Up @@ -123,6 +127,7 @@ impl GithubCiInfo {
pr_run_mode,
global_task,
create_release,
ssldotcom_windows_sign,
}
}

35 changes: 34 additions & 1 deletion cargo-dist/src/config.rs
Expand Up @@ -261,6 +261,11 @@ pub struct DistMetadata {
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "create-release")]
pub create_release: Option<bool>,

/// \[unstable\] Whether we should sign windows binaries with ssl.com
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "ssldotcom-windows-sign")]
pub ssldotcom_windows_sign: Option<ProductionMode>,
}

impl DistMetadata {
Expand Down Expand Up @@ -293,6 +298,7 @@ impl DistMetadata {
create_release: _,
pr_run_mode: _,
allow_dirty: _,
ssldotcom_windows_sign: _,
} = self;
if let Some(include) = include {
for include in include {
Expand Down Expand Up @@ -332,8 +338,9 @@ impl DistMetadata {
publish_jobs,
publish_prereleases,
create_release,
pr_run_mode: _,
pr_run_mode,
allow_dirty,
ssldotcom_windows_sign,
} = self;

// Check for global settings on local packages
Expand Down Expand Up @@ -366,6 +373,12 @@ impl DistMetadata {
if publish_prereleases.is_some() {
warn!("package.metadata.dist.publish-prereleases is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if pr_run_mode.is_some() {
warn!("package.metadata.dist.pr-run-mode is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if ssldotcom_windows_sign.is_some() {
warn!("package.metadata.dist.ssldotcom-windows-sign is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}

// Merge non-global settings
if installers.is_none() {
Expand Down Expand Up @@ -792,6 +805,26 @@ impl DirtyMode {
}
}

/// For features that can be generated in "test" or "production" mode
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
pub enum ProductionMode {
/// test mode
#[serde(rename = "test")]
Test,
/// production mode
#[serde(rename = "prod")]
Prod,
}

impl std::fmt::Display for ProductionMode {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
ProductionMode::Test => "test".fmt(f),
ProductionMode::Prod => "prod".fmt(f),
}
}
}

pub(crate) fn parse_metadata_table(
manifest_path: &Utf8Path,
metadata_table: Option<&serde_json::Value>,
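Review bot: `ProductionMode`, added near the end of this section, is a fieldless two-variant enum that does not derive `Copy`, so the callers in github.rs and tasks.rs have to `.clone()` the `Option<ProductionMode>`; `#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]` lets those become plain copies. The `Display` impl must also stay in step with the `#[serde(rename = ...)]` strings, because init.rs writes the value back to TOML through `to_string()` and the serde names are what gets parsed again; a comment on the impl such as `// Keep in sync with the serde renames above: init.rs round-trips this value via to_string()` would make that invariant visible. The method that gains the two `warn!` calls starts and ends outside its hunk.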
9 changes: 9 additions & 0 deletions cargo-dist/src/init.rs
Expand Up @@ -225,6 +225,7 @@ fn get_new_dist_metadata(
create_release: None,
pr_run_mode: None,
allow_dirty: None,
ssldotcom_windows_sign: None,
}
};

Expand Down Expand Up @@ -684,6 +685,7 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
create_release,
pr_run_mode,
allow_dirty,
ssldotcom_windows_sign,
} = &meta;

apply_optional_value(
Expand Down Expand Up @@ -861,6 +863,13 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
allow_dirty.as_ref(),
);

apply_optional_value(
table,
"ssldotcom-windows-sign",
"",
ssldotcom_windows_sign.as_ref().map(|p| p.to_string()),
);

// Finalize the table
table
.decor_mut()
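Review bot: The new `apply_optional_value` call passes `""` as its third argument, which in the preceding calls (cut off by the hunk) looks like the description written above the generated TOML key; if so, the emitted `ssldotcom-windows-sign` key carries no explanation of an unstable, release-affecting setting. Assuming that argument is the key's comment, pass something like `"[unstable] sign Windows .msi/.ps1 artifacts with ssl.com: \"test\" or \"prod\""`. The enclosing `apply_dist_to_metadata` function starts and ends outside the hunk.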
9 changes: 7 additions & 2 deletions cargo-dist/src/tasks.rs
Expand Up @@ -62,7 +62,7 @@ use tracing::{info, warn};

use crate::backend::ci::github::GithubCiInfo;
use crate::backend::ci::CiInfo;
use crate::config::DirtyMode;
use crate::config::{DirtyMode, ProductionMode};
use crate::{
backend::{
installer::{
Expand Down Expand Up @@ -154,8 +154,10 @@ pub struct DistGraph {
pub merge_tasks: bool,
/// Whether failing tasks should make us give up on all other tasks
pub fail_fast: bool,
/// Whether to creat a github release or edit an existing draft
/// Whether to create a github release or edit an existing draft
pub create_release: bool,
/// \[unstable\] if Some, sign binaries with ssl.com
pub ssldotcom_windows_sign: Option<ProductionMode>,
/// The desired cargo-dist version for handling this project
pub desired_cargo_dist_version: Option<Version>,
/// The desired rust toolchain for handling this project
Expand Down Expand Up @@ -614,6 +616,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
precise_builds,
merge_tasks,
fail_fast,
ssldotcom_windows_sign,
// Processed elsewhere
//
// FIXME?: this is the last vestige of us actually needing to keep workspace_metadata
Expand Down Expand Up @@ -665,6 +668,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
let merge_tasks = merge_tasks.unwrap_or(false);
let fail_fast = fail_fast.unwrap_or(false);
let create_release = create_release.unwrap_or(true);
let ssldotcom_windows_sign = ssldotcom_windows_sign.clone();
let mut packages_with_mismatched_features = vec![];
// Compute/merge package configs
let mut package_metadata = vec![];
Expand Down Expand Up @@ -720,6 +724,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
fail_fast,
merge_tasks,
create_release,
ssldotcom_windows_sign,
desired_cargo_dist_version,
desired_rust_toolchain,
tools,
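Review bot: The doc comment on the new `DistGraph::ssldotcom_windows_sign` field says "sign binaries with ssl.com", but the CI template added in this commit only moves `target/distrib/*.{msi,ps1}` into the signing input directory, so executables packed inside the Windows archives are not signed. Suggest `/// \[unstable\] if Some, sign the .msi and .ps1 Windows artifacts with ssl.com (test or prod environment)` so readers of `DistGraph` do not assume the .exe files are covered. The other hunks in this file plumb the same value through `DistGraphBuilder`, whose methods start and end outside the hunks.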
64 changes: 63 additions & 1 deletion cargo-dist/templates/ci/github_ci.yml.j2
Expand Up @@ -177,20 +177,82 @@ jobs:
path: ${{ steps.cargo-dist.outputs.paths }}
{{%- endif %}}
{{%- if ssldotcom_windows_sign %}}
# Sign Windows artifacts with ssl.com
sign-windows-artifacts:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
runs-on: "ubuntu-20.04"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SIGN_DIR_IN: target/distrib/sign-input
SIGN_DIR_OUT: target/distrib/sign-output
steps:
# Get all the artifacts for the signing tasks to use
- name: Fetch local artifacts
uses: actions/download-artifact@v3
with:
name: artifacts
path: target/distrib/
# Only try to sign files that the tool can handle
- name: Select Signable Artifacts
run: |
mkdir -p "$SIGN_DIR_IN"
mkdir -p "$SIGN_DIR_OUT"
for file in target/distrib/*.{msi,ps1}; do
[[ -e $file ]] && mv "$file" "$SIGN_DIR_IN" && echo "signing $file";
done
# Sign the files
- name: Sign Artifacts with CodeSignTool
uses: ssldotcom/esigner-codesign@develop
with:
command: batch_sign
username: ${{ secrets.SSLDOTCOM_USERNAME }}
password: ${{ secrets.SSLDOTCOM_PASSWORD }}
credential_id: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }}
totp_secret: ${{ secrets.SSLDOTCOM_TOTP_SECRET }}
dir_path: ${{ env.SIGN_DIR_IN }}
output_path: ${{ env.SIGN_DIR_OUT }}
# Set this to TEST for testing (sandbox) and PROD for production
environment_name: {{%- if ssldotcom_windows_sign == "test" %}} TEST {{%- else %}} PROD {{%- endif %}}
# Regenerate checksum files for things that have been signed
- name: Regenerate Checksums
run: |
pushd "$SIGN_DIR_OUT"
for filename in *; do
echo "checksuming $filename"
sha256sum --binary "$filename" > "$filename.sha256"
done
popd
# Upload the result, overwriting old files
- name: "Upload artifacts"
uses: actions/upload-artifact@v3
with:
name: artifacts
path: ${{ env.SIGN_DIR_OUT }}
{{%- endif %}}
should-publish:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
{{%- if ssldotcom_windows_sign %}}
- sign-windows-artifacts
{{%- endif %}}
if: ${{ needs.plan.outputs.publishing == 'true' }}
runs-on: ubuntu-latest
steps:
- name: print tag
run: echo "ok we're publishing!"
{{%- if 'homebrew' in publish_jobs and tap %}}
publish-homebrew-formula:
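Review bot: `uses: ssldotcom/esigner-codesign@develop` in the new `sign-windows-artifacts` job pins a third-party action to a moving branch while handing it `SSLDOTCOM_USERNAME`, `SSLDOTCOM_PASSWORD`, `SSLDOTCOM_CREDENTIAL_ID` and `SSLDOTCOM_TOTP_SECRET`, so any push to that branch changes the code that receives the signing credentials in every generated release workflow. Pin it to a full commit SHA and record the tracked ref in a comment, e.g. `uses: ssldotcom/esigner-codesign@<full-commit-sha> # develop as of <date>`, and move it deliberately. The job also exports `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` at job level although none of its visible steps use it; if it is indeed unused, dropping it keeps the repository token out of the job that runs the external signing action.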
70 changes: 70 additions & 0 deletions cargo-dist/tests/integration-tests.rs
Expand Up @@ -126,6 +126,76 @@ create-release = false
})
}

#[test]
fn axolotlsay_ssldotcom_windows_sign() -> Result<(), miette::Report> {
let test_name = _function_name!();
AXOLOTLSAY.run_test(|ctx| {
let dist_version = ctx.tools.cargo_dist.version().unwrap();
ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
ssldotcom-windows-sign = "test"
unix-archive = ".tar.gz"
windows-archive = ".tar.gz"
[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"
"#
))?;

// Run generate to make sure stuff is up to date before running other commands
let ci_result = ctx.cargo_dist_generate(test_name)?;
let ci_snap = ci_result.check_all()?;
// Do usual build+plan checks
let main_result = ctx.cargo_dist_build_and_plan(test_name)?;
let main_snap = main_result.check_all(ctx, ".cargo/bin/")?;
// snapshot all
main_snap.join(ci_snap).snap();
Ok(())
})
}


#[test]
fn axolotlsay_ssldotcom_windows_sign_prod() -> Result<(), miette::Report> {
let test_name = _function_name!();
AXOLOTLSAY.run_test(|ctx| {
let dist_version = ctx.tools.cargo_dist.version().unwrap();
ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
ssldotcom-windows-sign = "prod"
unix-archive = ".tar.gz"
windows-archive = ".tar.gz"
[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"
"#
))?;

// Run generate to make sure stuff is up to date before running other commands
let ci_result = ctx.cargo_dist_generate(test_name)?;
let ci_snap = ci_result.check_all()?;
// Do usual build+plan checks
let main_result = ctx.cargo_dist_build_and_plan(test_name)?;
let main_snap = main_result.check_all(ctx, ".cargo/bin/")?;
// snapshot all
main_snap.join(ci_snap).snap();
Ok(())
})
}


#[test]
fn akaikatana_basic() -> Result<(), miette::Report> {
let test_name = _function_name!();
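Review bot: `axolotlsay_ssldotcom_windows_sign` and `axolotlsay_ssldotcom_windows_sign_prod` are identical except for the `ssldotcom-windows-sign = "test"` / `"prod"` line, so every future change to the manifest or the check sequence has to be made twice. A helper taking the mode and the `_function_name!()` result (the snapshot name depends on it, so it stays at the call site) removes the duplication and each test becomes a one-line body. The doubled blank lines after each test body would also be collapsed by `cargo fmt`.
```rust
fn axolotlsay_ssldotcom_windows_sign_with(test_name: &str, mode: &str) -> Result<(), miette::Report> {
    AXOLOTLSAY.run_test(|ctx| {
        let dist_version = ctx.tools.cargo_dist.version().unwrap();
        ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
ssldotcom-windows-sign = "{mode}"
unix-archive = ".tar.gz"
windows-archive = ".tar.gz"
[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"
"#
        ))?;
        // … unchanged: generate, build+plan, snapshot steps from the original test …
        Ok(())
    })
}

#[test]
fn axolotlsay_ssldotcom_windows_sign() -> Result<(), miette::Report> {
    axolotlsay_ssldotcom_windows_sign_with(_function_name!(), "test")
}

#[test]
fn axolotlsay_ssldotcom_windows_sign_prod() -> Result<(), miette::Report> {
    axolotlsay_ssldotcom_windows_sign_with(_function_name!(), "prod")
}
```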

0 comments on commit 6af290a
