
Improved signing strategy for windows by including files inside the installer (https://github.com/zen-browser/desktop/issues/37)

This commit is contained in:
Mr. M 2025-04-12 22:41:31 +02:00
parent b7d5f6655d
commit af026cfe66
4 changed files with 34 additions and 40 deletions


@ -14,7 +14,7 @@ on:
description: 'Use sccache' description: 'Use sccache'
required: false required: false
type: boolean type: boolean
default: true default: false
jobs: jobs:
twilight-release-schedule: twilight-release-schedule:


@ -277,24 +277,19 @@ jobs:
path: ./zen.win64-pgo-stage-1.zip path: ./zen.win64-pgo-stage-1.zip
- name: Remove unnecessary files from obj - name: Remove unnecessary files from obj
if: ${{ !inputs.generate-gpo }} if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
run: | run: |
set -x set -x
if test "${{ matrix.arch }}" = "aarch64"; then mkdir obj-${{ matrix.arch }}-pc-windows-msvc/
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \; cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/ || true
find engine/obj-aarch64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
else
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type d -not -name 'dist' -exec rm -rf {} \;
find engine/obj-x86_64-pc-windows-msvc/ -mindepth 1 -maxdepth 1 -type f -not -name 'dist' -exec rm -f {} \;
fi
- name: Upload dist object - name: Upload dist object
if: ${{ !inputs.generate-gpo }} if: ${{ !inputs.generate-gpo && inputs.release-branch == 'stable' }}
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
retention-days: 5 retention-days: 2
name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }} name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
path: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64' || 'x86_64' }}-pc-windows-msvc/ path: obj-${{ matrix.arch }}-pc-windows-msvc
- name: Upload artifact (if Twilight branch, binary) - name: Upload artifact (if Twilight branch, binary)
if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }} if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
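Review bot: The `|| true` on the new `cp -r --no-dereference engine/obj-${{ matrix.arch }}-pc-windows-msvc/* obj-${{ matrix.arch }}-pc-windows-msvc/` line masks any copy failure, so a partial or empty tree still reaches the "Upload dist object" step and becomes the artifact that the signing script later downloads and signs. Dropping the `|| true` (or failing the step when the destination is empty) keeps a broken copy from being released as a signed build; if there is a known benign error the `|| true` is meant to tolerate, it should be named in a comment. The step name "Remove unnecessary files from obj" no longer describes what the step does — something like `- name: Copy obj tree for upload` would match the new body. The `*` glob presumably skips dot-entries at the top level; confirm none are needed downstream.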


@ -6,6 +6,7 @@ param(
$ErrorActionPreference = "Stop" $ErrorActionPreference = "Stop"
echo "Preparing environment" echo "Preparing environment"
git pull --recurse
mkdir windsign-temp -ErrorAction SilentlyContinue mkdir windsign-temp -ErrorAction SilentlyContinue
# Download in parallel # Download in parallel
@ -18,18 +19,34 @@ mkdir windsign-temp -ErrorAction SilentlyContinue
# echo "Downloaded git objects repo to" # echo "Downloaded git objects repo to"
#} -Verbose -ArgumentList $PWD -Debug #} -Verbose -ArgumentList $PWD -Debug
Start-Job -Name "DownloadGitl10n" -ScriptBlock {
param($PWD)
cd $PWD
$env:ZEN_L10N_CURR_DIR=[regex]::replace($PWD, "^([A-Z]):", { "/" + $args.value.Substring(0, 1).toLower() }) -replace "\\", "/"
C:\mozilla-build\start-shell.bat $PWD\scripts\download-language-packs.sh
echo "Fetched l10n and firefox's one"
} -Verbose -ArgumentList $PWD -Debug
gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64 gh run download $GithubRunId --name windows-x64-obj-arm64 -D windsign-temp\windows-x64-obj-arm64
echo "Downloaded arm64 artifacts" echo "Downloaded arm64 artifacts"
gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64 gh run download $GithubRunId --name windows-x64-obj-x86_64 -D windsign-temp\windows-x64-obj-x86_64
echo "Downloaded x86_64 artifacts" echo "Downloaded x86_64 artifacts"
Wait-Job -Name "DownloadGitl10n"
#Wait-Job -Name "DownloadGitObjectsRepo"
mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue mkdir engine\obj-x86_64-pc-windows-msvc\ -ErrorAction SilentlyContinue
surfer -- ci --brand release surfer -- ci --brand release
# Collect all .exe and .dll files into a list
$files = Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.exe
$files += Get-ChildItem windsign-temp\windows-x64-obj-x86_64\ -Recurse -Include *.dll
$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe
$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.dll
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
function SignAndPackage($name) { function SignAndPackage($name) {
echo "Executing on $name" echo "Executing on $name"
rmdir .\dist -Recurse -ErrorAction SilentlyContinue rmdir .\dist -Recurse -ErrorAction SilentlyContinue
@ -37,13 +54,7 @@ function SignAndPackage($name) {
cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse cp windsign-temp\windows-x64-obj-$name engine\obj-x86_64-pc-windows-msvc\ -Recurse
echo "Signing $name" echo "Signing $name"
# Collect all .exe and .dll files into a list
$files = Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.exe
$files += Get-ChildItem engine\obj-x86_64-pc-windows-msvc\ -Recurse -Include *.dll
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
echo "Packaging $name" echo "Packaging $name"
$env:SURFER_SIGNING_MODE="sign"
$env:MAR="..\\build\\winsign\\mar.exe" $env:MAR="..\\build\\winsign\\mar.exe"
if ($name -eq "arm64") { if ($name -eq "arm64") {
$env:SURFER_COMPAT="aarch64" $env:SURFER_COMPAT="aarch64"
@ -61,7 +72,6 @@ function SignAndPackage($name) {
# - update_manifest/* # - update_manifest/*
# - windows.mar # - windows.mar
# - zen.installer.exe # - zen.installer.exe
# - zen.win-x86_64.zip
echo "Creating tar for $name" echo "Creating tar for $name"
rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue rm .\windsign-temp\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
mkdir windsign-temp\windows-x64-signed-$name mkdir windsign-temp\windows-x64-signed-$name
@ -82,27 +92,9 @@ function SignAndPackage($name) {
mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe mv .\dist\zen.installer.exe windsign-temp\windows-x64-signed-$name\zen.installer.exe
} }
# Move the zip
echo "Moving zip for $name"
if ($name -eq "arm64") {
mv (Get-Item .\dist\*.en-US.win64-aarch64.zip) windsign-temp\windows-x64-signed-$name\zen.win-arm64.zip
} else {
mv (Get-Item .\dist\*.en-US.win64.zip) windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
}
# Extract the zip, sign everything inside, and repackage it
#Expand-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name.zip -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name
#rm windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
#$files = Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.exe
#$files += Get-ChildItem windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -Include *.dll
#signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
#Compress-Archive -Path windsign-temp\windows-x64-signed-$name\zen.win-$name -DestinationPath windsign-temp\windows-x64-signed-$name\zen.win-$name.zip
rmdir windsign-temp\windows-x64-signed-$name\zen.win-$name -Recurse -ErrorAction SilentlyContinue
# Move the manifest # Move the manifest
mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest mv .\dist\update\. windsign-temp\windows-x64-signed-$name\update_manifest
echo "Invoking tar for $name"
# note: We need to sign it into a parent folder, called windows-x64-signed-$name # note: We need to sign it into a parent folder, called windows-x64-signed-$name
rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue rmdir .\windsign-temp\windows-binaries\windows-x64-signed-$name -Recurse -ErrorAction SilentlyContinue
mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force mv windsign-temp\windows-x64-signed-$name .\windsign-temp\windows-binaries -Force
@ -113,6 +105,9 @@ function SignAndPackage($name) {
SignAndPackage arm64 SignAndPackage arm64
SignAndPackage x86_64 SignAndPackage x86_64
$files = Get-ChildItem .\windsign-temp\windows-binaries -Recurse -Include *.exe
signtool.exe sign /n "$SignIdentity" /t http://time.certum.pl/ /fd sha256 /v $files
echo "All artifacts signed and packaged, ready for release!" echo "All artifacts signed and packaged, ready for release!"
echo "Commiting the changes to the repository" echo "Commiting the changes to the repository"
cd windsign-temp\windows-binaries cd windsign-temp\windows-binaries
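Review bot: In the hunk at `@ -18,18 +19,34`, the x86_64 file list built by the first two `Get-ChildItem` lines is discarded because the third line assigns with `=` instead of `+=` (`$files = Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe`), so the single `signtool.exe sign ... $files` call signs only the arm64 binaries and the x86_64 build ships with unsigned .exe/.dll files inside the installer; that line should read `$files += Get-ChildItem windsign-temp\windows-x64-obj-arm64\ -Recurse -Include *.exe`. The new `git pull --recurse` at the top of the script means the signing host runs whatever `scripts\download-language-packs.sh` the remote currently serves rather than the revision that produced `$GithubRunId`; if that is not intended, checking out a pinned commit would keep the signed output tied to a reviewed revision. The removal of `$env:SURFER_SIGNING_MODE="sign"` is not explained in the commit message — if surfer uses it to decide whether to sign during packaging, a comment saying why it is no longer needed would help the next reader.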


@ -1,5 +1,9 @@
set -ex set -ex
if ! [ -z "$ZEN_L10N_CURR_DIR" ]; then
cd $ZEN_L10N_CURR_DIR
fi
CURRENT_DIR=$(pwd) CURRENT_DIR=$(pwd)
git config --global init.defaultBranch main git config --global init.defaultBranch main