mirror of
https://github.com/zen-browser/desktop.git
synced 2025-07-07 21:49:58 +02:00
Improved signing strategy for windows by including files inside the installer (https://github.com/zen-browser/desktop/issues/37)
parent
b7d5f6655d
commit
af026cfe66
4 changed files with 34 additions and 40 deletions
|
@ -14,7 +14,7 @@ on:
|
||||||
description: 'Use sccache'
|
description: 'Use sccache'
|
||||||
required: false
|
required: false
|
||||||
type: boolean
|
type: boolean
|
||||||
default: true
|
default: false
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
twilight-release-schedule:
|
twilight-release-schedule:
|
||||||
|
|
19
.github/workflows/windows-release-build.yml
vendored
19
.github/workflows/windows-release-build.yml
vendored
|
@ -277,24 +277,19 @@ jobs:
|
||||||
path: ./zen.win64-pgo-stage-1.zip
|
path: ./zen.win64-pgo-stage-1.zip
|
||||||
|
|
||||||
- name: Remove unnecessary files from obj
|
- name: Remove unnecessary files from obj
|
||||||
if: ${{ !inputs.generate-gpo }}
|
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
|
||||||
run: |
|
run: |
|
||||||
set -x
|
set -x
|
||||||
if test "${{ matrix.arch }}" = "aarch64"; then
|
mkdir obj-${{ matrix.arch }}-pc-windows-msvc/
|
||||||
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
|
cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/ || true
|
||||||
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
|
|
||||||
else
|
|
||||||
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
|
|
||||||
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Upload dist object
|
- name: Upload dist object
|
||||||
if: ${{ !inputs.generate-gpo }}
|
if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
retention-days: 5
|
retention-days: 2
|
||||||
name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
|
name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
|
||||||
path: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64' || 'x86_64' }}-pc-windows-msvc/
|
path: obj-${{ matrix.arch }}-pc-windows-msvc
|
||||||
|
|
||||||
- name: Upload artifact (if Twilight branch, binary)
|
- name: Upload artifact (if Twilight branch, binary)
|
||||||
if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
|
if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
|
||||||
|
|
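Review bot: The `|| true` on the new `cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/ || true` line hides a failed or partial copy, so the "Upload dist object" step can publish an incomplete tree. That artifact (`windows-x64-obj-…`) appears to be what the signing script later fetches with `gh run download` and signs, so a silent gap here carries through to the release. Drop the `|| true` so the job fails when the copy does, and use `mkdir -p` so a re-run does not trip on an existing directory. The step is still named "Remove unnecessary files from obj" although it no longer prunes anything and now ships the whole object directory rather than only `dist`; rename it and add a comment saying why the full tree is needed.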
|
@ -6,6 +6,7 @@ param(
|
||||||
$ErrorActionPreference = "Stop"
|
$ErrorActionPreference = "Stop"
|
||||||
|
|
||||||
echo "Preparing environment"
|
echo "Preparing environment"
|
||||||
|
git pull --recurse
|
||||||
mkdir windsign-temp -ErrorAction SilentlyContinue
|
mkdir windsign-temp -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
# Download in parallel
|
# Download in parallel
|
||||||
|
@ -18,18 +19,34 @@ mkdir windsign-temp -ErrorAction SilentlyContinue
|
||||||
# echo "Downloaded git objects repo to"
|
# echo "Downloaded git objects repo to"
|
||||||
#} -Verbose -ArgumentList $PWD -Debug
|
#} -Verbose -ArgumentList $PWD -Debug
|
||||||
|
|
||||||
|
Start-Job -Name "DownloadGitl10n" -ScriptBlock {
|
||||||
|
param($PWD)
|
||||||
|
cd $PWD
|
||||||
|
$env:ZEN_L10N_CURR_DIR=[regex]::replace($PWD, "^([A-Z]):", { "/" + $args.value.Substring(0, 1).toLower() }) -replace "\\", "/"
|
||||||
|
C:\mozilla-build\start-shell.bat $PWD\scripts\download-language-packs.sh
|
||||||
|
echo "Fetched l10n and firefox's one"
|
||||||
|
} -Verbose -ArgumentList $PWD -Debug
|
||||||
|
|
||||||
gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64
|
gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64
|
||||||
echo "Downloaded arm64 artifacts"
|
echo "Downloaded arm64 artifacts"
|
||||||
gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64
|
gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64
|
||||||
echo "Downloaded x86_64 artifacts"
|
echo "Downloaded x86_64 artifacts"
|
||||||
|
|
||||||
|
Wait-Job -Name "DownloadGitl10n"
|
||||||
#Wait-Job -Name "DownloadGitObjectsRepo"
|
|
||||||
|
|
||||||
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue
|
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue
|
||||||
|
|
||||||
surfer -- ci --brand release
|
surfer -- ci --brand release
|
||||||
|
|
||||||
|
# Collect all .exe and .dll files into a list
|
||||||
|
$files = Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.exe
|
||||||
|
$files += Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.dll
|
||||||
|
|
||||||
|
$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe
|
||||||
|
$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.dll
|
||||||
|
|
||||||
|
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||||
|
|
||||||
function SignAndPackage($name) {
|
function SignAndPackage($name) {
|
||||||
echo "Executing on $name"
|
echo "Executing on $name"
|
||||||
rmdir .\dist -Recurse -ErrorAction SilentlyContinue
|
rmdir .\dist -Recurse -ErrorAction SilentlyContinue
|
||||||
|
@ -37,13 +54,7 @@ function SignAndPackage($name) {
|
||||||
cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse
|
cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse
|
||||||
echo "Signing $name"
|
echo "Signing $name"
|
||||||
|
|
||||||
# Collect all .exe and .dll files into a list
|
|
||||||
$files = Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.exe
|
|
||||||
$files += Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.dll
|
|
||||||
|
|
||||||
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
|
||||||
echo "Packaging $name"
|
echo "Packaging $name"
|
||||||
$env:SURFER_SIGNING_MODE="sign"
|
|
||||||
$env:MAR="..\\build\\winsign\\mar.exe"
|
$env:MAR="..\\build\\winsign\\mar.exe"
|
||||||
if ($name -eq "arm64") {
|
if ($name -eq "arm64") {
|
||||||
$env:SURFER_COMPAT="aarch64"
|
$env:SURFER_COMPAT="aarch64"
|
||||||
|
@ -61,7 +72,6 @@ function SignAndPackage($name) {
|
||||||
# - update_manifest/*
|
# - update_manifest/*
|
||||||
# - windows.mar
|
# - windows.mar
|
||||||
# - zen.installer.exe
|
# - zen.installer.exe
|
||||||
# - zen.win-x86_64.zip
|
|
||||||
echo "Creating tar for $name"
|
echo "Creating tar for $name"
|
||||||
rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
||||||
mkdir windsign-temp\windows-x64-signed-$name
|
mkdir windsign-temp\windows-x64-signed-$name
|
||||||
|
@ -82,27 +92,9 @@ function SignAndPackage($name) {
|
||||||
mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe
|
mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe
|
||||||
}
|
}
|
||||||
|
|
||||||
# Move the zip
|
|
||||||
echo "Moving zip for $name"
|
|
||||||
if ($name -eq "arm64") {
|
|
||||||
mv (Get-Item .\dist\*.en-US.win64-aarch64.zip) windsign-temp\windows-x64-signed-$name\zen.win-arm64.zip
|
|
||||||
} else {
|
|
||||||
mv (Get-Item .\dist\*.en-US.win64.zip) windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
|
||||||
}
|
|
||||||
|
|
||||||
# Extract the zip, sign everything inside, and repackage it
|
|
||||||
#Expand-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name.zip -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name
|
|
||||||
#rm windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
|
||||||
#$files = Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.exe
|
|
||||||
#$files += Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.dll
|
|
||||||
#signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
|
||||||
#Compress-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
|
|
||||||
rmdir windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
# Move the manifest
|
# Move the manifest
|
||||||
mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest
|
mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest
|
||||||
|
|
||||||
echo "Invoking tar for $name"
|
|
||||||
# note: We need to sign it into a parent folder, called windows-x64-signed-$name
|
# note: We need to sign it into a parent folder, called windows-x64-signed-$name
|
||||||
rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
|
||||||
mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force
|
mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force
|
||||||
|
@ -113,6 +105,9 @@ function SignAndPackage($name) {
|
||||||
SignAndPackage arm64
|
SignAndPackage arm64
|
||||||
SignAndPackage x86_64
|
SignAndPackage x86_64
|
||||||
|
|
||||||
|
$files = Get-ChildItem .\windsign-temp\windows-binaries -Recurse -Include *.exe
|
||||||
|
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
|
||||||
|
|
||||||
echo "All artifacts signed and packaged, ready for release!"
|
echo "All artifacts signed and packaged, ready for release!"
|
||||||
echo "Commiting the changes to the repository"
|
echo "Commiting the changes to the repository"
|
||||||
cd windsign-temp\windows-binaries
|
cd windsign-temp\windows-binaries
|
||||||
|
|
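Review bot: In the new pre-signing block, the third assignment `$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe` replaces the list built from the x86_64 tree instead of appending to it, so only the arm64 `.exe`/`.dll` files reach `signtool.exe`. Since this commit also removes the per-architecture signing inside `SignAndPackage`, the x86_64 binaries packed into the installer look like they end up unsigned; the line should read `$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe`. The final pass collects only `*.exe` under `windows-binaries`, so it would not catch this; running `signtool.exe verify /pa /v $files` after each signing call would make such a gap fail the run. Separately, all three `signtool` calls use the legacy `/t` timestamp switch over plain HTTP, whereas `/tr` together with `/td sha256` requests an RFC 3161 timestamp.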
|
@ -1,5 +1,9 @@
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
|
if ! [ -z "$ZEN_L10N_CURR_DIR" ]; then
|
||||||
|
cd $ZEN_L10N_CURR_DIR
|
||||||
|
fi
|
||||||
|
|
||||||
CURRENT_DIR=$(pwd)
|
CURRENT_DIR=$(pwd)
|
||||||
|
|
||||||
git config --global init.defaultBranch main
|
git config --global init.defaultBranch main
|
||||||
|
|
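Review bot: The added `cd $ZEN_L10N_CURR_DIR` is unquoted, so a path containing spaces or glob characters is word-split before `cd` sees it. The value appears to be derived from `$PWD` on the Windows signing host by the PowerShell caller, where such paths are common. Write `cd "$ZEN_L10N_CURR_DIR"` and test with `[ -n "$ZEN_L10N_CURR_DIR" ]` rather than `! [ -z … ]`. A short comment such as `# Set by the Windows signing script to hand over its working directory` would help, since nothing in this file says where the variable comes from.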