feat(windows-sign): add unstable ssl.com windows signing #425

Merged
merged 1 commit into from
Sep 18, 2023
5 changes: 5 additions & 0 deletions cargo-dist/src/backend/ci/github.rs
Expand Up @@ -9,6 +9,7 @@ use tracing::warn;

use crate::{
backend::{diff_files, templates::TEMPLATE_CI_GITHUB},
config::ProductionMode,
errors::DistResult,
DistGraph, SortedMap, SortedSet, TargetTriple,
};
Expand Down Expand Up @@ -39,6 +40,8 @@ pub struct GithubCiInfo {
pub publish_jobs: Vec<String>,
/// whether to create the release or assume an existing one
pub create_release: bool,
/// \[unstable\] whether to add ssl.com windows binary signing
pub ssldotcom_windows_sign: Option<ProductionMode>,
}

impl GithubCiInfo {
Expand All @@ -55,6 +58,7 @@ impl GithubCiInfo {
.unwrap_or(&self_dist_version);
let fail_fast = dist.fail_fast;
let create_release = dist.create_release;
let ssldotcom_windows_sign = dist.ssldotcom_windows_sign.clone();

// Figure out what builds we need to do
let mut needs_global_build = false;
Expand Down Expand Up @@ -123,6 +127,7 @@ impl GithubCiInfo {
pr_run_mode,
global_task,
create_release,
ssldotcom_windows_sign,
}
}

35 changes: 34 additions & 1 deletion cargo-dist/src/config.rs
Expand Up @@ -261,6 +261,11 @@ pub struct DistMetadata {
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "create-release")]
pub create_release: Option<bool>,

/// \[unstable\] Whether we should sign windows binaries with ssl.com
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(rename = "ssldotcom-windows-sign")]
pub ssldotcom_windows_sign: Option<ProductionMode>,
}

impl DistMetadata {
Expand Down Expand Up @@ -293,6 +298,7 @@ impl DistMetadata {
create_release: _,
pr_run_mode: _,
allow_dirty: _,
ssldotcom_windows_sign: _,
} = self;
if let Some(include) = include {
for include in include {
Expand Down Expand Up @@ -332,8 +338,9 @@ impl DistMetadata {
publish_jobs,
publish_prereleases,
create_release,
pr_run_mode: _,
pr_run_mode,
allow_dirty,
ssldotcom_windows_sign,
} = self;

// Check for global settings on local packages
Expand Down Expand Up @@ -366,6 +373,12 @@ impl DistMetadata {
if publish_prereleases.is_some() {
warn!("package.metadata.dist.publish-prereleases is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if pr_run_mode.is_some() {
warn!("package.metadata.dist.pr-run-mode is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}
if ssldotcom_windows_sign.is_some() {
warn!("package.metadata.dist.ssldotcom-windows-sign is set, but this is only accepted in workspace.metadata (value is being ignored): {}", package_manifest_path);
}

// Merge non-global settings
if installers.is_none() {
Expand Down Expand Up @@ -792,6 +805,26 @@ impl DirtyMode {
}
}

/// For features that can be generated in "test" or "production" mode
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
pub enum ProductionMode {
/// test mode
#[serde(rename = "test")]
Test,
/// production mode
#[serde(rename = "prod")]
Prod,
}

impl std::fmt::Display for ProductionMode {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
ProductionMode::Test => "test".fmt(f),
ProductionMode::Prod => "prod".fmt(f),
}
}
}

pub(crate) fn parse_metadata_table(
manifest_path: &Utf8Path,
metadata_table: Option<&serde_json::Value>,
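Review bot: The `Display` impl for `ProductionMode` hand-duplicates the `#[serde(rename = "test")]` / `#[serde(rename = "prod")]` strings on the variants, and the init.rs hunk in this same PR writes `p.to_string()` into the generated manifest that this module later deserializes with serde, so the two spellings must stay in lockstep with nothing enforcing it. A divergence would not fail loudly; it would surface as a config parse error for users who ran `init`. I would add above the impl: `// Keep these in sync with the #[serde(rename)] values on the variants: init.rs serializes the setting with Display and serde parses it back.` A small round-trip test (`serde_json::from_value` of `ProductionMode::Test.to_string()` equals `ProductionMode::Test`) would pin it. The enum doc could also say what "test" means for the one consumer so far (the ssl.com sandbox environment), since that is the only hint a user gets.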
9 changes: 9 additions & 0 deletions cargo-dist/src/init.rs
Expand Up @@ -225,6 +225,7 @@ fn get_new_dist_metadata(
create_release: None,
pr_run_mode: None,
allow_dirty: None,
ssldotcom_windows_sign: None,
}
};

Expand Down Expand Up @@ -684,6 +685,7 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
create_release,
pr_run_mode,
allow_dirty,
ssldotcom_windows_sign,
} = &meta;

apply_optional_value(
Expand Down Expand Up @@ -861,6 +863,13 @@ fn apply_dist_to_metadata(metadata: &mut toml_edit::Item, meta: &DistMetadata) {
allow_dirty.as_ref(),
);

apply_optional_value(
table,
"ssldotcom-windows-sign",
"",
ssldotcom_windows_sign.as_ref().map(|p| p.to_string()),
);

// Finalize the table
table
.decor_mut()
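Review bot: The new `apply_optional_value(table, "ssldotcom-windows-sign", "", ...)` call passes an empty string as its third argument; if that argument is the comment written above the key in the generated `Cargo.toml`, as the helper's name suggests (the sibling calls are outside this hunk, so I cannot confirm), an unstable option that decides whether release binaries get signed with a production certificate ends up with no explanation in the manifest. I would pass a short description in whatever form the neighbouring calls use, along the lines of `"[unstable] sign windows binaries with ssl.com: \"test\" or \"prod\""`. The value is produced via `p.to_string()`, so it silently depends on `ProductionMode`'s `Display` output matching the serde spelling in config.rs; a comment `// Display output must match the serde rename in config.rs` at the call site would make that coupling visible. `apply_dist_to_metadata` starts and ends outside this hunk.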
9 changes: 7 additions & 2 deletions cargo-dist/src/tasks.rs
Expand Up @@ -62,7 +62,7 @@ use tracing::{info, warn};

use crate::backend::ci::github::GithubCiInfo;
use crate::backend::ci::CiInfo;
use crate::config::DirtyMode;
use crate::config::{DirtyMode, ProductionMode};
use crate::{
backend::{
installer::{
Expand Down Expand Up @@ -154,8 +154,10 @@ pub struct DistGraph {
pub merge_tasks: bool,
/// Whether failing tasks should make us give up on all other tasks
pub fail_fast: bool,
/// Whether to creat a github release or edit an existing draft
/// Whether to create a github release or edit an existing draft
pub create_release: bool,
/// \[unstable\] if Some, sign binaries with ssl.com
pub ssldotcom_windows_sign: Option<ProductionMode>,
/// The desired cargo-dist version for handling this project
pub desired_cargo_dist_version: Option<Version>,
/// The desired rust toolchain for handling this project
Expand Down Expand Up @@ -614,6 +616,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
precise_builds,
merge_tasks,
fail_fast,
ssldotcom_windows_sign,
// Processed elsewhere
//
// FIXME?: this is the last vestige of us actually needing to keep workspace_metadata
Expand Down Expand Up @@ -665,6 +668,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
let merge_tasks = merge_tasks.unwrap_or(false);
let fail_fast = fail_fast.unwrap_or(false);
let create_release = create_release.unwrap_or(true);
let ssldotcom_windows_sign = ssldotcom_windows_sign.clone();
let mut packages_with_mismatched_features = vec![];
// Compute/merge package configs
let mut package_metadata = vec![];
Expand Down Expand Up @@ -720,6 +724,7 @@ impl<'pkg_graph> DistGraphBuilder<'pkg_graph> {
fail_fast,
merge_tasks,
create_release,
ssldotcom_windows_sign,
desired_cargo_dist_version,
desired_rust_toolchain,
tools,
64 changes: 63 additions & 1 deletion cargo-dist/templates/ci/github_ci.yml.j2
Expand Up @@ -177,20 +177,82 @@ jobs:
path: ${{ steps.cargo-dist.outputs.paths }}
{{%- endif %}}

{{%- if ssldotcom_windows_sign %}}

# Sign Windows artifacts with ssl.com
sign-windows-artifacts:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
runs-on: "ubuntu-20.04"
Nice we can run it on not-Windows.

yeah it's pure java, running it on windows is actually harder (they ship the whole jvm x3)

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SIGN_DIR_IN: target/distrib/sign-input
SIGN_DIR_OUT: target/distrib/sign-output
steps:
# Get all the artifacts for the signing tasks to use
- name: Fetch local artifacts
uses: actions/download-artifact@v3
with:
name: artifacts
path: target/distrib/
# Only try to sign files that the tool can handle
- name: Select Signable Artifacts
run: |
mkdir -p "$SIGN_DIR_IN"
mkdir -p "$SIGN_DIR_OUT"
for file in target/distrib/*.{msi,ps1}; do
[[ -e $file ]] && mv "$file" "$SIGN_DIR_IN" && echo "signing $file";
done
# Sign the files
- name: Sign Artifacts with CodeSignTool
uses: ssldotcom/esigner-codesign@develop
with:
command: batch_sign
username: ${{ secrets.SSLDOTCOM_USERNAME }}
password: ${{ secrets.SSLDOTCOM_PASSWORD }}
credential_id: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }}
totp_secret: ${{ secrets.SSLDOTCOM_TOTP_SECRET }}
dir_path: ${{ env.SIGN_DIR_IN }}
output_path: ${{ env.SIGN_DIR_OUT }}
# Set this to TEST for testing (sandbox) and PROD for production
environment_name: {{%- if ssldotcom_windows_sign == "test" %}} TEST {{%- else %}} PROD {{%- endif %}}
# Regenerate checksum files for things that have been signed
- name: Regenerate Checksums
run: |
pushd "$SIGN_DIR_OUT"
for filename in *; do
echo "checksuming $filename"
sha256sum --binary "$filename" > "$filename.sha256"
done
popd
# Upload the result, overwriting old files
- name: "Upload artifacts"
uses: actions/upload-artifact@v3
with:
name: artifacts
path: ${{ env.SIGN_DIR_OUT }}
{{%- endif %}}

should-publish:
needs:
- plan
- upload-local-artifacts
{{%- if global_task %}}
- upload-global-artifacts
{{%- endif %}}
{{%- if ssldotcom_windows_sign %}}
- sign-windows-artifacts
{{%- endif %}}
if: ${{ needs.plan.outputs.publishing == 'true' }}
runs-on: ubuntu-latest
steps:
- name: print tag
run: echo "ok we're publishing!"


{{%- if 'homebrew' in publish_jobs and tap %}}

publish-homebrew-formula:
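Review bot: The new `sign-windows-artifacts` job has no `if:` guard, while `should-publish` in the same section is gated on `needs.plan.outputs.publishing == 'true'`; the config.rs hunk shows a `pr-run-mode` setting exists, so if this workflow also runs for pull requests the signing job would be attempted on every such run, which in `prod` mode means unreviewed, untagged builds receive production signatures, and on fork PRs (where `SSLDOTCOM_*` secrets are unavailable) the job simply fails and breaks the run. I would add `if: ${{ needs.plan.outputs.publishing == 'true' }}` to the job, mirroring `should-publish`, and note in the comment above it that signing consumes the production credential and is therefore publish-only. The "Regenerate Checksums" step only rewrites `.sha256` files for the signed `.msi`/`.ps1` outputs; whether any other artifact produced earlier in the workflow (for example a global manifest) records hashes of the pre-signing files is not visible here and is worth confirming, since a stale hash would make the signed installer look tampered with. The workflow's trigger block is outside this hunk.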
68 changes: 68 additions & 0 deletions cargo-dist/tests/integration-tests.rs
Expand Up @@ -126,6 +126,74 @@ create-release = false
})
}

#[test]
fn axolotlsay_ssldotcom_windows_sign() -> Result<(), miette::Report> {
let test_name = _function_name!();
AXOLOTLSAY.run_test(|ctx| {
let dist_version = ctx.tools.cargo_dist.version().unwrap();
ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
ssldotcom-windows-sign = "test"
unix-archive = ".tar.gz"
windows-archive = ".tar.gz"

[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"

"#
))?;

// Run generate to make sure stuff is up to date before running other commands
let ci_result = ctx.cargo_dist_generate(test_name)?;
let ci_snap = ci_result.check_all()?;
// Do usual build+plan checks
let main_result = ctx.cargo_dist_build_and_plan(test_name)?;
let main_snap = main_result.check_all(ctx, ".cargo/bin/")?;
// snapshot all
main_snap.join(ci_snap).snap();
Ok(())
})
}

#[test]
fn axolotlsay_ssldotcom_windows_sign_prod() -> Result<(), miette::Report> {
let test_name = _function_name!();
AXOLOTLSAY.run_test(|ctx| {
let dist_version = ctx.tools.cargo_dist.version().unwrap();
ctx.patch_cargo_toml(format!(r#"
[workspace.metadata.dist]
cargo-dist-version = "{dist_version}"
installers = ["shell", "powershell", "msi"]
targets = ["x86_64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-pc-windows-msvc", "aarch64-apple-darwin"]
ci = ["github"]
ssldotcom-windows-sign = "prod"
unix-archive = ".tar.gz"
windows-archive = ".tar.gz"

[package.metadata.wix]
upgrade-guid = "B36177BE-EA4D-44FB-B05C-EDDABDAA95CA"
path-guid = "BFD25009-65A4-4D1E-97F1-0030465D90D6"

"#
))?;

// Run generate to make sure stuff is up to date before running other commands
let ci_result = ctx.cargo_dist_generate(test_name)?;
let ci_snap = ci_result.check_all()?;
// Do usual build+plan checks
let main_result = ctx.cargo_dist_build_and_plan(test_name)?;
let main_snap = main_result.check_all(ctx, ".cargo/bin/")?;
// snapshot all
main_snap.join(ci_snap).snap();
Ok(())
})
}

#[test]
fn akaikatana_basic() -> Result<(), miette::Report> {
let test_name = _function_name!();
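Review bot: `axolotlsay_ssldotcom_windows_sign` and `axolotlsay_ssldotcom_windows_sign_prod` are byte-for-byte identical except for the `ssldotcom-windows-sign = "test"` / `"prod"` line, so any future change to the manifest or to the generate/build/plan sequence has to be made twice and will drift. I would extract the body into a helper that takes the test name and the mode string, with the two `#[test]` functions reduced to one-line calls; `_function_name!()` must still be evaluated inside each test so the snapshot name stays distinct (this assumes it yields a `&str`-compatible value, which the hunk does not show). The helper below keeps the manifest and the check sequence as they are.
```rust
/// Shared body of the ssl.com signing tests; `mode` is the `ssldotcom-windows-sign` value.
fn axolotlsay_ssldotcom_windows_sign_with(test_name: &str, mode: &str) -> Result<(), miette::Report> {
    AXOLOTLSAY.run_test(|ctx| {
        let dist_version = ctx.tools.cargo_dist.version().unwrap();
        // … unchanged: patch_cargo_toml manifest, with `ssldotcom-windows-sign = "{mode}"` in place of the literal …
        // … unchanged: cargo_dist_generate, cargo_dist_build_and_plan, snapshot join …
        Ok(())
    })
}

#[test]
fn axolotlsay_ssldotcom_windows_sign() -> Result<(), miette::Report> {
    axolotlsay_ssldotcom_windows_sign_with(_function_name!(), "test")
}

#[test]
fn axolotlsay_ssldotcom_windows_sign_prod() -> Result<(), miette::Report> {
    axolotlsay_ssldotcom_windows_sign_with(_function_name!(), "prod")
}
```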