Skip to content

Commit

Permalink
feat(windows-sign): add unstable ssl.com windows signing
Browse files Browse the repository at this point in the history
  • Loading branch information
Gankra committed Sep 13, 2023
1 parent 44daca8 commit bc165c3
Show file tree
Hide file tree
Showing 7 changed files with 1,808 additions and 3 deletions.
4 changes: 4 additions & 0 deletions cargo-dist/src/backend/ci/github.rs
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ pub struct GithubCiInfo {
pub publish_jobs: Vec<String>,
/// whether to create the release or assume an existing one
pub create_release: bool,
/// \[unstable\] whether to add ssl.com windows binary signing
pub sslcom_windows_sign: bool,
}

impl GithubCiInfo {
Expand All @@ -55,6 +57,7 @@ impl GithubCiInfo {
.unwrap_or(&self_dist_version);
let fail_fast = dist.fail_fast;
let create_release = dist.create_release;
let sslcom_windows_sign = dist.sslcom_windows_sign;

// Figure out what builds we need to do
let mut needs_global_build = false;
Expand Down Expand Up @@ -123,6 +126,7 @@ impl GithubCiInfo {
pr_run_mode,
global_task,
create_release,
sslcom_windows_sign,
}
}

Expand Down
15 changes: 14 additions & 1 deletion cargo-dist/src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -261,6 +261,11 @@ pub struct DistMetadata {
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "create-release")]
pub create_release: Option<bool>,

/// \[unstable\] Whether we should sign windows binaries with ssl.com
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "sslcom-windows-sign")]
pub sslcom_windows_sign: Option<bool>,
}

impl DistMetadata {
Expand Down Expand Up @@ -293,6 +298,7 @@ impl DistMetadata {
create_release: _,
pr_run_mode: _,
allow_dirty: _,
sslcom_windows_sign: _,
} = self;
if let Some(include) = include {
for include in include {
Expand Down Expand Up @@ -332,8 +338,9 @@ impl DistMetadata {
publish_jobs,
publish_prereleases,
create_release,
pr_run_mode: _,
pr_run_mode,
allow_dirty,
sslcom_windows_sign,
} = self;

// Check for global settings on local packages
Expand Down Expand Up @@ -366,6 +373,12 @@ impl DistMetadata {
if publish_prereleases.is_some() {
warn!("package.metadata.dist.publish-prereleases is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if pr_run_mode.is_some() {
warn!("package.metadata.dist.pr-run-mode is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if sslcom_windows_sign.is_some() {
warn!("package.metadata.dist.sslcom-windows-sign is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}

// Merge non-global settings
if installers.is_none() {
Expand Down
4 changes: 4 additions & 0 deletions cargo-dist/src/init.rs
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,7 @@ fn get_new_dist_metadata(
create_release: None,
pr_run_mode: None,
allow_dirty: None,
sslcom_windows_sign: None,
}
};

Expand Down Expand Up @@ -684,6 +685,7 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
create_release,
pr_run_mode,
allow_dirty,
sslcom_windows_sign,
} = &meta;

apply_optional_value(
Expand Down Expand Up @@ -861,6 +863,8 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
allow_dirty.as_ref(),
);

apply_optional_value(table, "sslcom-windows-sign", "", *sslcom_windows_sign);

// Finalize the table
table
.decor_mut()
Expand Down
7 changes: 6 additions & 1 deletion cargo-dist/src/tasks.rs
Original file line number Diff line number Diff line change
Expand Up @@ -154,8 +154,10 @@ pub struct DistGraph {
pub merge_tasks: bool,
/// Whether failing tasks should make us give up on all other tasks
pub fail_fast: bool,
/// Whether to creat a github release or edit an existing draft
/// Whether to create a github release or edit an existing draft
pub create_release: bool,
/// \[unstable\] whether to sign binaries with ssl.com
pub sslcom_windows_sign: bool,
/// The desired cargo-dist version for handling this project
pub desired_cargo_dist_version: Option<Version>,
/// The desired rust toolchain for handling this project
Expand Down Expand Up @@ -614,6 +616,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
precise_builds,
merge_tasks,
fail_fast,
sslcom_windows_sign,
// Processed elsewhere
//
// FIXME?: this is the last vestige of us actually needing to keep workspace_metadata
Expand Down Expand Up @@ -665,6 +668,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
let merge_tasks = merge_tasks.unwrap_or(false);
let fail_fast = fail_fast.unwrap_or(false);
let create_release = create_release.unwrap_or(true);
let sslcom_windows_sign = sslcom_windows_sign.unwrap_or(false);
let mut packages_with_mismatched_features = vec![];
// Compute/merge package configs
let mut package_metadata = vec![];
Expand Down Expand Up @@ -720,6 +724,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
fail_fast,
merge_tasks,
create_release,
sslcom_windows_sign,
desired_cargo_dist_version,
desired_rust_toolchain,
tools,
Expand Down
64 changes: 63 additions & 1 deletion cargo-dist/templates/ci/github_ci.yml.j2
Original file line number Diff line number Diff line change
Expand Up @@ -177,20 +177,82 @@ jobs:
path: ${{ steps.cargo-dist.outputs.paths }}
{{%- endif %}}
{{%- if sslcom_windows_sign %}}
# Sign Windows artifacts with ssl.com
sign-windows-artifacts:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
runs-on: "ubuntu-20.04"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SIGN_DIR_IN: target/distrib/sign-input
SIGN_DIR_OUT: target/distrib/sign-output
steps:
# Get all the artifacts for the signing tasks to use
- name: Fetch local artifacts
uses: actions/download-artifact@v3
with:
name: artifacts
path: target/distrib/
# Only try to sign files that the tool can handle
- name: Select Signable Artifacts
run: |
mkdir -p "$SIGN_DIR_IN"
mkdir -p "$SIGN_DIR_OUT"
for file in target/distrib/*.{msi,ps1}; do
[[ -e $file ]] && mv "$file" "$SIGN_DIR_IN" && echo "signing $file";
done
# Sign the files
- name: Sign Artifacts with CodeSignTool
uses: sslcom/esigner-codesign@develop
with:
command: batch_sign
username: ${{ secrets.SSL_CODESIGN_USER }}
password: ${{ secrets.SSL_CODESIGN_PASSWORD }}
credential_id: ${{ secrets.SSL_CODESIGN_ID }}
totp_secret: ${{ secrets.SSL_CODESIGN_SECRET_CODE }}
dir_path: ${{ env.SIGN_DIR_IN }}
output_path: ${{ env.SIGN_DIR_OUT }}
# Set this to TEST for testing (sandbox) and PROD for production
environment_name: TEST
# Regenerate checksum files for things that have been signed
- name: Regenerate Checksums
run: |
pushd "$SIGN_DIR_OUT"
for filename in *; do
echo "checksuming $filename"
sha256sum --binary "$filename" > "$filename.sha256"
done
popd
# Upload the result, overwriting old files
- name: "Upload artifacts"
uses: actions/upload-artifact@v3
with:
name: artifacts
path: ${{ env.SIGN_DIR_OUT }}
{{%- endif %}}
should-publish:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
{{%- if sslcom_windows_sign %}}
- sign-windows-artifacts
{{%- endif %}}
if: ${{ needs.plan.outputs.publishing == 'true' }}
runs-on: ubuntu-latest
steps:
- name: print tag
run: echo "ok we're publishing!"
{{%- if 'homebrew' in publish_jobs and tap %}}
publish-homebrew-formula:
Expand Down
32 changes: 32 additions & 0 deletions cargo-dist/tests/integration-tests.rs
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,38 @@ create-release = false
})
}

#[test]
fn axolotlsay_sslcom_windows_sign() -> Result<(), miette::Report> {
let test_name = _function_name!();
AXOLOTLSAY.run_test(|ctx| {
let dist_version = ctx.tools.cargo_dist.version().unwrap();
ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
sslcom-windows-sign = true
[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"
"#
))?;

// Run generate to make sure stuff is up to date before running other commands
let ci_result = ctx.cargo_dist_generate(test_name)?;
let ci_snap = ci_result.check_all()?;
// Do usual build+plan checks
let main_result = ctx.cargo_dist_build_and_plan(test_name)?;
let main_snap = main_result.check_all(ctx, ".cargo/bin/")?;
// snapshot all
main_snap.join(ci_snap).snap();
Ok(())
})
}

#[test]
fn akaikatana_basic() -> Result<(), miette::Report> {
let test_name = _function_name!();
Expand Down
Loading

0 comments on commit bc165c3

Please sign in to comment.