1
0
Fork 1
mirror of https://github.com/zen-browser/desktop.git synced 2025-07-07 17:15:30 +02:00

Improved signing strategy for windows by including files inside the installer (https://github.com/zen-browser/desktop/issues/37)

This commit is contained in:
Mr. M 2025-04-12 22:41:31 +02:00
parent b7d5f6655d
commit af026cfe66
4 changed files with 34 additions and 40 deletions

View file

@ -14,7 +14,7 @@ on:
description: 'Use sccache'
required: false
type: boolean
default: true
default: false
jobs:
twilight-release-schedule:

View file

@ -277,24 +277,19 @@ jobs:
path: ./zen.win64-pgo-stage-1.zip
- name: Remove unnecessary files from obj
if: ${{ !inputs.generate-gpo }}
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
run: |
set -x
if test "${{ matrix.arch }}" = "aarch64"; then
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
else
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
fi
mkdir obj-${{ matrix.arch }}-pc-windows-msvc/
cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/ || true
- name: Upload dist object
if: ${{ !inputs.generate-gpo }}
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
uses: actions/upload-artifact@v4
with:
retention-days: 5
retention-days: 2
name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
path: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64' || 'x86_64' }}-pc-windows-msvc/
path: obj-${{ matrix.arch }}-pc-windows-msvc
- name: Upload artifact (if Twilight branch, binary)
if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}

View file

@ -6,6 +6,7 @@ param(
$ErrorActionPreference = "Stop"
echo "Preparing environment"
git pull --recurse
mkdir windsign-temp -ErrorAction SilentlyContinue
# Download in parallel
@ -18,18 +19,34 @@ mkdir windsign-temp -ErrorAction SilentlyContinue
# echo "Downloaded git objects repo to"
#} -Verbose -ArgumentList $PWD -Debug
Start-Job -Name "DownloadGitl10n" -ScriptBlock {
param($PWD)
cd $PWD
$env:ZEN_L10N_CURR_DIR=[regex]::replace($PWD, "^([A-Z]):", { "/" + $args.value.Substring(0, 1).toLower() }) -replace "\\", "/"
C:\mozilla-build\start-shell.bat $PWD\scripts\download-language-packs.sh
echo "Fetched l10n and firefox's one"
} -Verbose -ArgumentList $PWD -Debug
gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64
echo "Downloaded arm64 artifacts"
gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64
echo "Downloaded x86_64 artifacts"
#Wait-Job -Name "DownloadGitObjectsRepo"
Wait-Job -Name "DownloadGitl10n"
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue
surfer -- ci --brand release
# Collect all .exe and .dll files into a list
$files = Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.exe
$files += Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.dll
$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe
$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.dll
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
function SignAndPackage($name) {
echo "Executing on $name"
rmdir .\dist -Recurse -ErrorAction SilentlyContinue
@ -37,13 +54,7 @@ function SignAndPackage($name) {
cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse
echo "Signing $name"
# Collect all .exe and .dll files into a list
$files = Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.exe
$files += Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.dll
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
echo "Packaging $name"
$env:SURFER_SIGNING_MODE="sign"
$env:MAR="..\\build\\winsign\\mar.exe"
if ($name -eq "arm64") {
$env:SURFER_COMPAT="aarch64"
@ -61,7 +72,6 @@ function SignAndPackage($name) {
# - update_manifest/*
# - windows.mar
# - zen.installer.exe
# - zen.win-x86_64.zip
echo "Creating tar for $name"
rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
mkdir windsign-temp\windows-x64-signed-$name
@ -82,27 +92,9 @@ function SignAndPackage($name) {
mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe
}
# Move the zip
echo "Moving zip for $name"
if ($name -eq "arm64") {
mv (Get-Item .\dist\*.en-US.win64-aarch64.zip) windsign-temp\windows-x64-signed-$name\zen.win-arm64.zip
} else {
mv (Get-Item .\dist\*.en-US.win64.zip) windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
}
# Extract the zip, sign everything inside, and repackage it
#Expand-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name.zip -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name
#rm windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
#$files = Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.exe
#$files += Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.dll
#signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
#Compress-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
rmdir windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -ErrorAction SilentlyContinue
# Move the manifest
mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest
echo "Invoking tar for $name"
# note: We need to sign it into a parent folder, called windows-x64-signed-$name
rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force
@ -113,6 +105,9 @@ function SignAndPackage($name) {
SignAndPackage arm64
SignAndPackage x86_64
$files = Get-ChildItem .\windsign-temp\windows-binaries -Recurse -Include *.exe
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
echo "All artifacts signed and packaged, ready for release!"
echo "Commiting the changes to the repository"
cd windsign-temp\windows-binaries

View file

@ -1,5 +1,9 @@
set -ex
if ! [ -z "$ZEN_L10N_CURR_DIR" ]; then
cd $ZEN_L10N_CURR_DIR
fi
CURRENT_DIR=$(pwd)
git config --global init.defaultBranch main