Skip to content

Commit 3201a34

Browse files
author
drsk
committed
COR-1627: streamline windows node signing process
- Moves the signing of the libraries and executables into the build script - Avoids repacking of cabinet files
1 parent 54025da commit 3201a34

File tree

3 files changed

+51
-65
lines changed

3 files changed

+51
-65
lines changed

.github/workflows/build-test.yaml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,24 @@
1717
# The dependencies between the steps are described in inline comments below
1818
# along with a few suggestions for improving parallelization.
1919

20+
name: Test Windows signing setup
21+
22+
on:
23+
push:
24+
branches: cor_1627_streamline_windows_signing_process/windows
25+
paths:
26+
- '.github/workflows/build-test.yaml'
27+
- '.github/workflows/release.yaml'
28+
- '**/Cargo.toml'
29+
- '**/Cargo.lock'
30+
- '**.rs'
31+
- '**.yaml'
32+
- '**.hs'
33+
- 'concordium-base'
34+
- 'concordium-consensus/smart-contracts'
35+
- 'concordium-consensus/haskell-lmdb'
36+
- 'concordium-node/rustfmt.toml'
37+
2038
name: Check formatting, build and run tests
2139

2240
on:

.github/workflows/release.yaml

Lines changed: 6 additions & 64 deletions
Original file line numberDiff line numberDiff line change
@@ -243,7 +243,8 @@ jobs:
243243

244244
node-windows:
245245
runs-on: windows-latest
246-
environment: release # This step needs to use the release context to access credentials for code signing.
246+
# TODO (drsk) the next line needs to be in again after testing !!!
247+
# environment: release # This step needs to use the release context to access credentials for code signing.
247248
needs: [validate-preconditions]
248249
if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
249250
defaults:
@@ -342,34 +343,7 @@ jobs:
342343
- name: Install LMDB
343344
run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb
344345

345-
- name: Build Windows Node
346-
run: |
347-
./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}
348-
349-
- name: Extract files to prepare for signing
350-
run: |
351-
dir service\windows\installer
352-
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer/Node.msi -x Node.cab
353-
mkdir Node
354-
dir
355-
expand -d Node.cab
356-
expand -F:* Node.cab ./Node
357-
dir Node
358-
shell: cmd
359-
360-
- name: Rename files to prepare for signing (smctl can only sign files of certain types supported by signtool)
361-
# See: https://docs.digicert.com/it/digicert-keylocker/client-tools/signing-tools/files-supported-for-signing.html
362-
run: |
363-
mv ./Node/ConcordiumConsensusDLL ./Node/ConcordiumConsensusDLL.dll
364-
mv ./Node/ConcordiumBaseDLL ./Node/ConcordiumBaseDLL.dll
365-
mv ./Node/ConcordiumSmartContractEngineDLL ./Node/ConcordiumSmartContractEngineDLL.dll
366-
mv ./Node/Sha2DLL ./Node/Sha2DLL.dll
367-
mv ./Node/NodeRunnerService ./Node/NodeRunnerService.exe
368-
mv ./Node/NodeCollector ./Node/NodeCollector.exe
369-
mv ./Node/ConcordiumNode ./Node/ConcordiumNode.exe
370-
371-
- name: Sign files with smctl
372-
working-directory: ${{steps.build.outputs.bin_dir}}
346+
- name: Build and Sign Windows Node
373347
env:
374348
WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
375349
WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
@@ -379,41 +353,9 @@ jobs:
379353
SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
380354
SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
381355
run: |
382-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
383-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
384-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
385-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
386-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
387-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
388-
smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
389-
shell: cmd
390-
391-
- name: Rename files back to their original form without extension.
392-
run: |
393-
mv ./Node/ConcordiumConsensusDLL.dll ./Node/ConcordiumConsensusDLL
394-
mv ./Node/ConcordiumBaseDLL.dll ./Node/ConcordiumBaseDLL
395-
mv ./Node/ConcordiumSmartContractEngineDLL.dll ./Node/ConcordiumSmartContractEngineDLL
396-
mv ./Node/Sha2DLL.dll ./Node/Sha2DLL
397-
mv ./Node/NodeRunnerService.exe ./Node/NodeRunnerService
398-
mv ./Node/NodeCollector.exe ./Node/NodeCollector
399-
mv ./Node/ConcordiumNode.exe ./Node/ConcordiumNode
400-
401-
- name: Recreate the cabinet file.
402-
run: |
403-
dir Node /b /a-d > cabfiles.txt
404-
makecab.exe /D MaxDiskSize=0 /D Cabinet=ON /D Compress=ON /D CabinetName1=Node.cab /D SourceDir=Node /f cabfiles.txt
405-
shell: cmd
406-
407-
- name: Repackage the cabinet file.
408-
run: |
409-
del Node.cab
410-
move disk1\Node.cab .
411-
expand -d Node.cab
412-
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -k Node.cab
413-
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -a Node.cab
414-
shell: cmd
415-
416-
- name: Sign files with smctl
356+
./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}
357+
358+
- name: Sign installer with smctl
417359
working-directory: ${{steps.build.outputs.bin_dir}}
418360
env:
419361
WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}

scripts/distribution/windows/build-all.ps1

Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,4 +30,30 @@ cargo +$rustVersion-x86_64-pc-windows-msvc build --release --locked
3030
Pop-Location
3131
if ($LASTEXITCODE -ne 0) { throw "Failed building node runner service" }
3232

33-
service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion
33+
# Sign files if smctl is available and necessary environment variables are set.
34+
if ($env:WINDOWS_SM_KEYPAIR_ALIAS -and $env:WINDOWS_PKCS11_CONFIG -and $env:SM_ARGS -and (Get-Command "smctl" -ErrorAction SilentlyContinue)) {
35+
36+
# Move to the location of the script so that relative paths make sense
37+
Push-Location $PSScriptRoot
38+
39+
$StackInstallRoot = stack path --local-install-root
40+
41+
try {
42+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input .\$StackInstallRoot\lib\ConcordiumConsensusDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
43+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\ConcordiumBaseDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
44+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\smart-contracts\lib\ConcordiumSmartContractEngineDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
45+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\Sha2DLL.dll --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
46+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\target\x86_64-pc-windows-msvc\release\NodeRunnerService --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
47+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\collector\target\release\NodeCollector --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
48+
smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-node\target\release\ConcordiumNode --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
49+
}
50+
finally{
51+
Pop-Location
52+
}
53+
54+
} else {
55+
Write-Output "Not signing: Missing required environment variables or smctl utility missing. WINDOWS_SM_KEYPAIR_ALIAS, WINDOWS_PKCS11_CONFIG, SM_ARGS need to be set."
56+
}
57+
58+
# Build the installer
59+
service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion

0 commit comments

Comments
 (0)