COR-1627: streamline windows node signing process

- Moves the signing of the libraries and executables into the build script
- Avoids repacking of cabinet files

Author: drsk

.github/workflows/build-test.yaml

@@ -17,6 +17,12 @@
 # The dependencies between the steps are described in inline comments below
 # along with a few suggestions for improving parallelization.
 
+name: Test Windows signing setup 
+
+on:
+  push:
+    branches: cor_1627_streamline_windows_signing_process/windows
+
 name: Check formatting, build and run tests
 
 on:

.github/workflows/release.yaml

@@ -243,7 +243,8 @@ jobs:
 
   node-windows:
     runs-on: windows-latest  
-    environment: release # This step needs to use the release context to access credentials for code signing.
+    # TODO (drsk) the next line needs to be in again after testing !!!
+    # environment: release # This step needs to use the release context to access credentials for code signing.
     needs: [validate-preconditions]
     if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
     defaults:
@@ -342,34 +343,7 @@ jobs:
       - name: Install LMDB
         run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb
 
-      - name: Build Windows Node
-        run: |
-          ./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}
-
-      - name: Extract files to prepare for signing 
-        run: |
-          dir service\windows\installer
-          "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer/Node.msi -x Node.cab
-          mkdir Node
-          dir
-          expand -d Node.cab
-          expand -F:* Node.cab ./Node
-          dir Node
-        shell: cmd
-      
-      - name: Rename files to prepare for signing (smctl can only sign files of certain types supported by signtool)
-        # See: https://docs.digicert.com/it/digicert-keylocker/client-tools/signing-tools/files-supported-for-signing.html
-        run: |
-          mv ./Node/ConcordiumConsensusDLL ./Node/ConcordiumConsensusDLL.dll
-          mv ./Node/ConcordiumBaseDLL ./Node/ConcordiumBaseDLL.dll
-          mv ./Node/ConcordiumSmartContractEngineDLL ./Node/ConcordiumSmartContractEngineDLL.dll
-          mv ./Node/Sha2DLL ./Node/Sha2DLL.dll
-          mv ./Node/NodeRunnerService ./Node/NodeRunnerService.exe
-          mv ./Node/NodeCollector ./Node/NodeCollector.exe 
-          mv ./Node/ConcordiumNode ./Node/ConcordiumNode.exe
-
-      - name: Sign files with smctl
-        working-directory: ${{steps.build.outputs.bin_dir}}
+      - name: Build and Sign Windows Node
         env:
           WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
           WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
@@ -379,41 +353,9 @@ jobs:
           SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
           SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
         run: |
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }}  ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe  --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
-        shell: cmd
-
-      - name: Rename files back to their original form without extension. 
-        run: |
-          mv ./Node/ConcordiumConsensusDLL.dll ./Node/ConcordiumConsensusDLL
-          mv ./Node/ConcordiumBaseDLL.dll ./Node/ConcordiumBaseDLL
-          mv ./Node/ConcordiumSmartContractEngineDLL.dll ./Node/ConcordiumSmartContractEngineDLL
-          mv ./Node/Sha2DLL.dll ./Node/Sha2DLL
-          mv ./Node/NodeRunnerService.exe ./Node/NodeRunnerService
-          mv ./Node/NodeCollector.exe ./Node/NodeCollector
-          mv ./Node/ConcordiumNode.exe ./Node/ConcordiumNode
-
-      - name: Recreate the cabinet file. 
-        run: |
-          dir Node /b /a-d > cabfiles.txt
-          makecab.exe /D MaxDiskSize=0 /D Cabinet=ON /D Compress=ON /D CabinetName1=Node.cab /D SourceDir=Node /f cabfiles.txt
-        shell: cmd
-
-      - name: Repackage the cabinet file. 
-        run: |
-          del Node.cab
-          move disk1\Node.cab .
-          expand -d Node.cab
-          "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -k Node.cab
-          "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -a Node.cab
-        shell: cmd
-  
-      - name: Sign files with smctl
+          ./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}
+    
+      - name: Sign installer with smctl
         working-directory: ${{steps.build.outputs.bin_dir}}
         env:
           WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}

scripts/distribution/windows/build-all.ps1

@@ -30,4 +30,30 @@ cargo +$rustVersion-x86_64-pc-windows-msvc build --release --locked
 Pop-Location
 if ($LASTEXITCODE -ne 0) { throw "Failed building node runner service" }
 
-service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion
+# Sign files if smctl is available and necessary environment variables are set.
+if ($env:WINDOWS_SM_KEYPAIR_ALIAS -and $env:WINDOWS_PKCS11_CONFIG -and $env:SM_ARGS -and (Get-Command "smctl" -ErrorAction SilentlyContinue)) {
+
+# Move to the location of the script so that relative paths make sense
+Push-Location $PSScriptRoot
+
+$StackInstallRoot = stack path --local-install-root
+
+try {
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input .\$StackInstallRoot\lib\ConcordiumConsensusDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\ConcordiumBaseDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\smart-contracts\lib\ConcordiumSmartContractEngineDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\Sha2DLL.dll --config-file $env:WINDOWS_PKCS11_CONFIG  $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\target\x86_64-pc-windows-msvc\release\NodeRunnerService --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\collector\target\release\NodeCollector  --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-node\target\release\ConcordiumNode  --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+}
+finally{
+    Pop-Location
+}
+
+} else {
+    Write-Output "Not signing: Missing required environment variables or smctl utility missing. WINDOWS_SM_KEYPAIR_ALIAS, WINDOWS_PKCS11_CONFIG, SM_ARGS need to be set."
+}
+
+# Build the installer
+service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion