From 12885af89031997455863085cffb57dd2e4a4d3e Mon Sep 17 00:00:00 2001
From: askmeaboutloom
Date: Thu, 17 Oct 2024 22:02:04 +0200
Subject: [PATCH] Add SignPath signing to the Actions workflow

For Windows, provided by SignPath.io and with a certificate from the SignPath Foundation. Only Windows client builds for stable and beta releases are signed this way. The continuous development release, server and command-line tools are not, since we really don't need it for those. A link to the code signing policy is automatically prepended to the relevant release notes in the GitHub releases pages, but at the time of writing the link still 404s because it's not yet merged and deployed to the website.
---
 .github/workflows/main.yml | 60 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b68d75f2a4..ccac821cc4 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -52,6 +52,7 @@ jobs:
           build_flags: -DINITSYS=systemd -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
           build_type: Release
           collect_symbols: false
+          signpath: false
           # This causes the AppImage to be generated, instead of just creating
           # the portable tree, because there seems to be no way to separate
           # these steps with linuxdeploy
@@ -100,6 +101,7 @@ jobs:
           sccache_triplet: x86_64-unknown-linux-musl
           build_type: Release
           collect_symbols: false
+          signpath: false
           packager: cmake --install build --config Release --prefix .
           cross_qt_args: >-
             "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
@@ -165,6 +167,7 @@ jobs:
           sccache_triplet: x86_64-unknown-linux-musl
           build_type: Release
           collect_symbols: false
+          signpath: false
           packager: cmake --install build --config Release --prefix .
           cross_qt_args: >-
             "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
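Review bot: The new `signpath` matrix key is read only in `if:` expressions, and none of the eight entries it is added to (this hunk and `@@ -100`, `@@ -165`, `@@ -230`, `@@ -241`, `@@ -253`, `@@ -277`, `@@ -299`) says what it selects, so a reader has to find the SignPath steps several hundred lines further down to learn that `true` routes a tagged build of that entry to SignPath instead of the step that uses `WINDOWS_CERTIFICATE`. A comment on the first entry that carries the key would do, e.g. `# signpath: true submits tagged Windows client packages to SignPath for signing instead of self-signing`. An entry that omits the key evaluates `matrix.signpath` as falsy, so the explicit `false` lines are statements of intent rather than required, which makes the comment all the more useful.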
@@ -230,6 +233,7 @@ jobs:
           build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
           build_type: Release
           collect_symbols: false
+          signpath: false
           sccache_triplet: x86_64-apple-darwin
           packager: cpack --verbose --config build/CPackConfig.cmake -C Release
@@ -241,6 +245,7 @@ jobs:
           build_flags: -DBUILD_PACKAGE_SUFFIX=arm64 -G Ninja
           build_type: Release
           collect_symbols: false
+          signpath: false
           sccache_triplet: aarch64-apple-darwin
           packager: cpack --verbose --config build/CPackConfig.cmake -C Release
@@ -253,6 +258,7 @@ jobs:
           build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
           build_type: RelWithDebInfo
           collect_symbols: true
+          signpath: true
           qt_pre_build: >
             choco install gperf jom winflexbison3 &&
             New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -277,6 +283,7 @@ jobs:
           build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
           build_type: RelWithDebInfo
           collect_symbols: false
+          signpath: false
           qt_pre_build: >
             choco install gperf jom winflexbison3 &&
             New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -299,6 +306,7 @@ jobs:
           build_flags: -DCARGO_TRIPLE=i686-pc-windows-msvc -DBUILD_PACKAGE_SUFFIX=x86 -G Ninja
           build_type: RelWithDebInfo
           collect_symbols: false
+          signpath: true
           qt_pre_build: >
             choco install gperf jom winflexbison3 &&
             New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -478,7 +486,7 @@ jobs:
           }
         env:
           WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
-        if: runner.os == 'Windows'
+        if: runner.os == 'Windows' && matrix.packager && (!startsWith(github.ref, 'refs/tags/') || !matrix.signpath)
       - name: Generate project
         run: >
@@ -547,6 +555,51 @@ jobs:
           WINDOWS_PFX_TIMESTAMP_URL: 'http://timestamp.digicert.com'
         if: matrix.packager
+      - name: Upload artifacts for SignPath to sign
+        uses: actions/upload-artifact@v4
+        id: signpath-upload
+        with:
+          name: SignPath${{ matrix.component && format('-{0}', matrix.component) }}-${{ matrix.cross_os || runner.os }}-${{ matrix.arch }}-Qt${{ matrix.qt }}
+          path: |
+            Drawpile-*.msi
+            Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned artifacts
+        id: signpath-delete-unsigned
+        shell: bash
+        run: rm -vf Drawpile-*.msi Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Submit artifacts to SignPath to sign
+        uses: signpath/github-action-submit-signing-request@v1
+        id: signpath-sign
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'Drawpile'
+          signing-policy-slug: 'release-signing'
+          artifact-configuration-slug: 'client'
+          github-artifact-id: '${{ steps.signpath-upload.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: '.'
+          parameters: |
+            Version: "${{ github.ref_name }}"
+            Release_Tag: "${{ github.ref_name }}"
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned executable uploaded for SignPath after signing
+        uses: actions/github-script@v7
+        id: signpath-exe-delete
+        with:
+          script: |
+            github.rest.actions.deleteArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: ${{ steps.signpath-upload.outputs.artifact-id }}
+            });
+        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
       - name: Bundle PDBs
         run: >
           cmake "-DEXE_SEARCH_PATHS=build"
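Review bot: The new `if:` on the self-signing step is the hand-written negation of the condition that the following hunk repeats on all four SignPath steps (`runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath`), so the two halves can drift apart, and a later edit to one side could leave a tagged Windows build either unsigned or signed twice without any step failing. Consider computing the decision once in an earlier step with an `id` and an output (say `steps.signing.outputs.use_signpath`) and referencing that single output in every `if:`. The step this condition belongs to starts outside the hunk.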
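Review bot: The github-script step splices `${{ steps.signpath-upload.outputs.artifact-id }}` straight into JavaScript source (`artifact_id: ${{ … }}`) and does not `await` the call, so whether a failed `deleteArtifact` fails the step depends on Node's unhandled-rejection behaviour rather than on the script; github-script's documented pattern is to pass expression values through `env:` and read `process.env`, which also keeps the source well-formed if that output is ever empty. The same `if:` condition is copied verbatim onto all four new steps and none of them uses `always()`, so when the SignPath request fails or is rejected the unsigned `Drawpile-*.msi`/`.zip` artifact uploaded by `signpath-upload` stays downloadable from the run while the local copies were already removed by `signpath-delete-unsigned`; if that is not intended, the cleanup step could use `if: always() && steps.signpath-upload.outcome == 'success' && …`. `signpath/github-action-submit-signing-request@v1`, which receives `SIGNPATH_API_TOKEN`, and `actions/github-script@v7` are pinned by mutable tags; the existing `actions/upload-artifact@v4` follows the same convention, so pinning by full commit SHA is a file-wide hardening rather than a defect introduced here. The last step's name says `unsigned executable` although the artifact holds the MSI and ZIP packages.
```yaml
      - name: Delete unsigned executable uploaded for SignPath after signing
        # … unchanged: uses, id …
        env:
          SIGNPATH_ARTIFACT_ID: ${{ steps.signpath-upload.outputs.artifact-id }}
        with:
          script: |
            await github.rest.actions.deleteArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: Number(process.env.SIGNPATH_ARTIFACT_ID)
            });
        # … unchanged: if condition …
```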
@@ -613,7 +666,10 @@ jobs:
       - name: Collect release notes
         if: startsWith(github.ref, 'refs/tags/')
-        run: awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' > release-description
+        run: |
+          echo '**Code signing policy:** ' > release-description
+          echo >> release-description
+          awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' >> release-description
       - name: Write continuous release description
         if: "!startsWith(github.ref, 'refs/tags/')"
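Review bot: The first `echo` writes only the label `**Code signing policy:** ` — there is no URL after it in the hunk, although the commit message says a link is prepended; unless the address was lost in rendering, every tagged release description will open with an empty "Code signing policy:" line. If the link is meant to be filled in once the website page exists, the line should carry it or say so, e.g. `echo '**Code signing policy:** <POLICY_URL>' > release-description` with the real address substituted. Note also that this prefix is written for every tag build regardless of whether the SignPath steps ran or succeeded, so a release whose Windows signing was rejected would still advertise the policy.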