mirror of
https://github.com/zen-browser/desktop.git
synced 2025-07-07 17:15:30 +02:00
Improved signing strategy for windows by including files inside the installer (https://github.com/zen-browser/desktop/issues/37)
This commit is contained in:
Mr. M
parent
b7d5f6655d
commit
af026cfe66
4 changed files with 34 additions and 40 deletions
|
|
@ -14,7 +14,7 @@ on:
|
|||
description: 'Use sccache'
|
||||
required: false
|
||||
type: boolean
|
||||
default: true
|
||||
default: false
|
||||
|
||||
jobs:
|
||||
twilight-release-schedule:
|
||||
|
|
|
|||
19
.github/workflows/windows-release-build.yml
vendored
19
.github/workflows/windows-release-build.yml
vendored
|
|
@ -277,24 +277,19 @@ jobs:
|
|||
path: ./zen.win64-pgo-stage-1.zip
|
||||
|
||||
- name: Remove unnecessary files from obj
|
||||
if: ${{ !inputs.generate-gpo }}
|
||||
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
|
||||
run: |
|
||||
set -x
|
||||
if test "${{ matrix.arch }}" = "aarch64"; then
|
||||
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
|
||||
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
|
||||
else
|
||||
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
|
||||
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
|
||||
fi
|
||||
|
||||
mkdir obj-${{ matrix.arch }}-pc-windows-msvc/
|
||||
cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/ || true
|
||||
|
||||
- name: Upload dist object
|
||||
if: ${{ !inputs.generate-gpo }}
|
||||
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
retention-days: 5
|
||||
retention-days: 2
|
||||
name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
|
||||
path: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64' || 'x86_64' }}-pc-windows-msvc/
|
||||
path: obj-${{ matrix.arch }}-pc-windows-msvc
|
||||
|
||||
- name: Upload artifact (if Twilight branch, binary)
|
||||
if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ param(
|
|||
$ErrorActionPreference = "Stop"
|
||||
|
||||
echo "Preparing environment"
|
||||
git pull --recurse
|
||||
mkdir windsign-temp -ErrorAction SilentlyContinue
|
||||
|
||||
# Download in parallel
|
||||
|
|
@ -18,18 +19,34 @@ mkdir windsign-temp -ErrorAction SilentlyContinue
|
|||
# echo "Downloaded git objects repo to"
|
||||
#} -Verbose -ArgumentList $PWD -Debug
|
||||
|
||||
Start-Job -Name "DownloadGitl10n" -ScriptBlock {
|
||||
param($PWD)
|
||||
cd $PWD
|
||||
$env:ZEN_L10N_CURR_DIR=[regex]::replace($PWD, "^([A-Z]):", { "/" + $args.value.Substring(0, 1).toLower() }) -replace "\\", "/"
|
||||
C:\mozilla-build\start-shell.bat $PWD\scripts\download-language-packs.sh
|
||||
echo "Fetched l10n and firefox's one"
|
||||
} -Verbose -ArgumentList $PWD -Debug
|
||||
|
||||
gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64
|
||||
echo "Downloaded arm64 artifacts"
|
||||
gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64
|
||||
echo "Downloaded x86_64 artifacts"
|
||||
|
||||
|
||||
#Wait-Job -Name "DownloadGitObjectsRepo"
|
||||
Wait-Job -Name "DownloadGitl10n"
|
||||
|
||||
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue
|
||||
|
||||
surfer -- ci --brand release
|
||||
|
||||
# Collect all .exe and .dll files into a list
|
||||
$files = Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.exe
|
||||
$files += Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.dll
|
||||
|
||||
$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe
|
||||
$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.dll
|
||||
|
||||
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||
|
||||
function SignAndPackage($name) {
|
||||
echo "Executing on $name"
|
||||
rmdir .\dist -Recurse -ErrorAction SilentlyContinue
|
||||
|
|
@ -37,13 +54,7 @@ function SignAndPackage($name) {
|
|||
cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse
|
||||
echo "Signing $name"
|
||||
|
||||
# Collect all .exe and .dll files into a list
|
||||
$files = Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.exe
|
||||
$files += Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.dll
|
||||
|
||||
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||
echo "Packaging $name"
|
||||
$env:SURFER_SIGNING_MODE="sign"
|
||||
$env:MAR="..\\build\\winsign\\mar.exe"
|
||||
if ($name -eq "arm64") {
|
||||
$env:SURFER_COMPAT="aarch64"
|
||||
|
|
@ -61,7 +72,6 @@ function SignAndPackage($name) {
|
|||
# - update_manifest/*
|
||||
# - windows.mar
|
||||
# - zen.installer.exe
|
||||
# - zen.win-x86_64.zip
|
||||
echo "Creating tar for $name"
|
||||
rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
||||
mkdir windsign-temp\windows-x64-signed-$name
|
||||
|
|
@ -82,27 +92,9 @@ function SignAndPackage($name) {
|
|||
mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe
|
||||
}
|
||||
|
||||
# Move the zip
|
||||
echo "Moving zip for $name"
|
||||
if ($name -eq "arm64") {
|
||||
mv (Get-Item .\dist\*.en-US.win64-aarch64.zip) windsign-temp\windows-x64-signed-$name\zen.win-arm64.zip
|
||||
} else {
|
||||
mv (Get-Item .\dist\*.en-US.win64.zip) windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
||||
}
|
||||
|
||||
# Extract the zip, sign everything inside, and repackage it
|
||||
#Expand-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name.zip -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name
|
||||
#rm windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
||||
#$files = Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.exe
|
||||
#$files += Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.dll
|
||||
#signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||
#Compress-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
||||
rmdir windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -ErrorAction SilentlyContinue
|
||||
|
||||
# Move the manifest
|
||||
mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest
|
||||
|
||||
echo "Invoking tar for $name"
|
||||
# note: We need to sign it into a parent folder, called windows-x64-signed-$name
|
||||
rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
||||
mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force
|
||||
|
|
@ -113,6 +105,9 @@ function SignAndPackage($name) {
|
|||
SignAndPackage arm64
|
||||
SignAndPackage x86_64
|
||||
|
||||
$files = Get-ChildItem .\windsign-temp\windows-binaries -Recurse -Include *.exe
|
||||
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||
|
||||
echo "All artifacts signed and packaged, ready for release!"
|
||||
echo "Commiting the changes to the repository"
|
||||
cd windsign-temp\windows-binaries
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
set -ex
|
||||
|
||||
if ! [ -z "$ZEN_L10N_CURR_DIR" ]; then
|
||||
cd $ZEN_L10N_CURR_DIR
|
||||
fi
|
||||
|
||||
CURRENT_DIR=$(pwd)
|
||||
|
||||
git config --global init.defaultBranch main
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue