

Updated deployment workflow that includes EV Code signing on windows (#…
…88)

* Some rough improvements to codesign logic

* Update codesign logic to be promptless + update deploy flow for new env & win-signing

* Only codesign on windows

* Disable cargo make and rust cache on custom runner

* Update some parts of the deploy actions workflow

* Explicitly specify nightly version we have in the rust-toolchain

* Update parameters to rust-cache action

* Update fixed rust version to nightly build that is roughly equivalent to current stable

* Use Rust v1.75 equivalent nightly as project isn't ready for newer versions

* Simplify deployment scripts

* lol whoops

---------

Co-authored-by: Jeroen <[email protected]>
simon-wh and PastaJ36 authored Oct 29, 2024
1 parent 1c202bf commit c40f611
Showing 6 changed files with 73 additions and 44 deletions.
45 changes: 30 additions & 15 deletions .github/workflows/deploy.yml
Expand Up @@ -16,16 +16,16 @@ jobs:
target: aarch64-apple-darwin
- os: ubuntu-latest
target: x86_64-unknown-linux-gnu
# - os: windows-2019
# target: x86_64-pc-windows-msvc
- os: win-signing
target: x86_64-pc-windows-msvc

runs-on: ${{ matrix.os }}

env:
TARGET: ${{ matrix.target }}

steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v4
with:
submodules: true
- name: Setup Build Environment
Expand All @@ -34,32 +34,47 @@ jobs:
sudo apt update
sudo apt install libudev-dev libhidapi-dev
- name: Setup rust toolchain
uses: actions-rs/toolchain@v1
uses: dtolnay/rust-toolchain@stable
with:
override: true
default: true
target: ${{ matrix.target }}
toolchain: nightly-2023-11-10
targets: ${{ matrix.target }}
- uses: davidB/rust-cargo-make@v1
- uses: Swatinem/rust-cache@v1
# This doesn't work on custom win runner, so we just skip it as it's installed already anyway
if: ${{ ! startsWith(matrix.os, 'win-sign') }}
with:
sharedKey: ${{ matrix.target }}
version: 0.37.23
- uses: Swatinem/rust-cache@v2
# Caching not needed on custom runner
if: ${{ ! startsWith(matrix.os, 'win-sign') }}
with:
shared-key: ${{ matrix.target }}
- name: Run deploy script
shell: bash
# Signing key env is required for signing dll's on windows
env:
TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
READER: ${{secrets.WIN_EV_CSC_READER}}
PASS: ${{secrets.WIN_EV_CSC_PASS}}
CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
run: sh ci/before_deploy.sh
- name: Build Windows Installer
shell: bash
env:
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
WIN_CSC_DESC: ${{ secrets.WIN_CSC_DESC }}
WIN_CSC_SUBJECTNAME: ${{ secrets.WIN_CSC_SUBJECTNAME }}
if: runner.os == 'Windows'
env:
TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
READER: ${{secrets.WIN_EV_CSC_READER}}
PASS: ${{secrets.WIN_EV_CSC_PASS}}
CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
run: cargo make --cwd wooting-analog-sdk sign-win-installer -- --target $TARGET
- name: Build debian package
if: startsWith(matrix.os, 'ubuntu')
run: cargo make --cwd wooting-analog-sdk build-deb -- --target $TARGET
- name: Upload artifacts to release
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v2
with:
draft: true
files: |
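Review bot: The EV signing secrets (`TIMESTAMP`, `CERT_FILE`, `CRYPT_PROVIDER`, `READER`, `PASS`, `CONTAINER`) on the "Run deploy script" step are injected on every matrix OS, although the step's own comment says they are only needed for signing DLLs on Windows and the "Build Windows Installer" step already gates on `if: runner.os == 'Windows'`. Handing the token PIN to the macOS and Linux jobs widens the blast radius of any compromised build dependency there for no benefit; scope each value, e.g. `PASS: ${{ runner.os == 'Windows' && secrets.WIN_EV_CSC_PASS || '' }}`, or move the signing into its own Windows-only step. Since this job now runs on the self-hosted `win-signing` runner that holds the EV hardware key, the third-party actions (`actions/checkout@v4`, `dtolnay/rust-toolchain@stable`, `davidB/rust-cargo-make@v1`, `Swatinem/rust-cache@v2`, `softprops/action-gh-release@v2`) are also worth pinning to full commit SHAs rather than mutable tags, so a tag push upstream cannot run arbitrary code on the signing host. The `jobs:` and matrix definition start before this section.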
31 changes: 20 additions & 11 deletions ci/before_deploy.sh
Expand Up @@ -3,7 +3,7 @@
set -ex

main() {
local src=$(pwd)
local src=$(pwd)
stage=
lib_ext=
lib_prefix=
Expand Down Expand Up @@ -37,11 +37,20 @@ main() {

test -f Cargo.lock || cargo generate-lockfile

# Currently the --out-dir flag is 'unstable' so unfortunately need to switch to nightly for the build to work properly
# Currently the --out-dir flag is 'unstable' so unfortunately need to switch to nightly for the build to work properly
# Don't need to use this currently as the rust-toolchain file specifies the rust version to use
# rustup default nightly
cargo make build-target-release

ROOT_DIR=${GITHUB_WORKSPACE:-.}
ARTIFACT_FOLDER=$ROOT_DIR/target/release-artifacts


# Codesign dlls before packaging up. This should only be running on Windows
if [ $RUNNER_OS = "Windows" ]; then

powershell $ROOT_DIR/ci/codesign.ps1 $ARTIFACT_FOLDER/wooting_analog_sdk.dll $ARTIFACT_FOLDER/wooting_analog_plugin.dll $ARTIFACT_FOLDER/wooting_analog_wrapper.dll $ARTIFACT_FOLDER/wooting-analog-sdk-updater.exe $ARTIFACT_FOLDER/wooting_analog_test_plugin.dll $ARTIFACT_FOLDER/wooting-analog-virtual-control.exe
fi

mkdir $stage/plugins
mkdir $stage/plugins/lib
Expand All @@ -53,8 +62,8 @@ main() {
mkdir $stage/wrapper/sdk

# Copy Plugin items
cp target/release-artifacts/${lib_prefix}wooting_analog_common.$lib_ext $stage/plugins/lib
cp target/release-artifacts/${lib_prefix}wooting_analog_plugin_dev.$lib_ext $stage/plugins/lib
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_common.$lib_ext $stage/plugins/lib
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_plugin_dev.$lib_ext $stage/plugins/lib

## Copy c headers
cp includes/plugin.h $stage/plugins/includes/
Expand All @@ -66,18 +75,18 @@ main() {


# Copy wrapper items
cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext $stage/wrapper/
cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$lib_ext $stage/wrapper/lib/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext $stage/wrapper/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$lib_ext $stage/wrapper/lib/

if [ $RUNNER_OS = Windows ]; then
cp target/release-artifacts/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext.$lib_ext $stage/wrapper/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_wrapper.$shared_lib_ext.$lib_ext $stage/wrapper/
fi

cp target/release-artifacts/${lib_prefix}wooting_analog_sdk.$shared_lib_ext $stage/wrapper/sdk/
cp target/release-artifacts/${lib_prefix}wooting_analog_test_plugin.$shared_lib_ext $stage/wrapper/sdk/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_sdk.$shared_lib_ext $stage/wrapper/sdk/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_test_plugin.$shared_lib_ext $stage/wrapper/sdk/
# Include Wooting Plugin & Virtual Keyboard app
cp target/release-artifacts/${lib_prefix}wooting_analog_plugin.$shared_lib_ext $stage/wrapper/sdk/
cp target/release-artifacts/wooting-analog-virtual-control$exe_ext $stage/wrapper/sdk/
cp $ARTIFACT_FOLDER/${lib_prefix}wooting_analog_plugin.$shared_lib_ext $stage/wrapper/sdk/
cp $ARTIFACT_FOLDER/wooting-analog-virtual-control$exe_ext $stage/wrapper/sdk/

## Copy c headers
cp includes/wooting-analog-wrapper.h $stage/wrapper/includes/
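Review bot: The new signing block `if [ $RUNNER_OS = "Windows" ]; then` / `powershell $ROOT_DIR/ci/codesign.ps1 $ARTIFACT_FOLDER/wooting_analog_sdk.dll …` leaves every expansion unquoted: an unset `RUNNER_OS` turns the test into a `test` syntax error, and a workspace path with a space (`ROOT_DIR` is taken from `GITHUB_WORKSPACE`) splits the file list so the wrong paths reach signtool. Use `if [ "${RUNNER_OS:-}" = "Windows" ]; then` and quote `"$ROOT_DIR/ci/codesign.ps1"` and each `"$ARTIFACT_FOLDER/…"` argument; the same unquoted `[ $RUNNER_OS = Windows ]` pattern appears again in the wrapper-copy hunk below. The block relies on `set -e` to stop packaging when signing fails, which holds only if `powershell` actually returns a non-zero exit code for a failed signtool run, so consider a comment such as `# relies on codesign.ps1 propagating signtool's exit code; unsigned artifacts must not reach the stage dir`. `main()` starts before the first hunk and ends after the last.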
20 changes: 15 additions & 5 deletions ci/codesign.ps1
@@ -1,8 +1,18 @@
# Thanks https://github.com/electron-userland/electron-builder/issues/3629#issuecomment-473238513
Set-PSDebug -Trace 1
# Set-PSDebug -Trace 1
$ErrorActionPreference = "Stop"
# dir cert:/LocalMachine

dir cert:/LocalMachine
# $WINDOWS_SDK_VER = '10.0.17763.0'
$WINDOWS_SDK_VER = '10.0.22000.0'

$Password = ConvertTo-SecureString -String $Env:WIN_CSC_KEY_PASSWORD -AsPlainText -Force
Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password
Start-Process -NoNewWindow -Wait 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' -ArgumentList "sign -v -sm -s My -n `"$Env:WIN_CSC_SUBJECTNAME`" -d `"$Env:WIN_CSC_DESC`" `"$Env:WIN_INSTALLER_PATH`""
# Remember what the Path was before so we can clean it up after exiting
$PREV_PATH = $env:PATH

$env:PATH += ";C:/Program Files (x86)/Windows Kits/10/bin/$WINDOWS_SDK_VER/x64/"

# Passing in $args allows the caller to specify multiple files to be signed at once
signtool.exe sign /fd sha256 /td sha256 /tr ${Env:TIMESTAMP}?td=sha256 /f $Env:CERT_FILE /csp "$Env:CRYPT_PROVIDER" /kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}" $args
signtool.exe verify /pa $args

$env:PATH = $PREV_PATH
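Review bot: A failing `signtool.exe sign` or `signtool.exe verify` does not appear to fail this script: `$ErrorActionPreference = "Stop"` governs PowerShell errors, not the exit codes of native executables (at least in Windows PowerShell 5.x, which the `powershell` launcher used by before_deploy.sh starts), and the final statement `$env:PATH = $PREV_PATH` always succeeds, so the caller most likely sees exit code 0 and packages unsigned binaries; confirm on the runner. Add `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after each signtool call, or restore `PATH` in a `try/finally` and finish with `exit $LASTEXITCODE`. The token PIN is also placed on the command line through `/kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}"`, which makes it readable from the process list on the runner and would land in transcripts if `Set-PSDebug -Trace 1` is ever re-enabled; note the trade-off with a comment such as `# NOTE: the /kc syntax puts the token PIN on argv; keep tracing off and restrict who can queue jobs on this runner`.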
12 changes: 2 additions & 10 deletions ci/codesign.sh
Expand Up @@ -2,17 +2,9 @@
if [ $RUNNER_OS = Windows ]; then
set -e

export PATH="C:\Program Files (x86)\Windows Kits\10\bin\x64":$PATH
# TODO: Dynamic installer filename
#export BINARY_FILE="target/wix/wooting_analog_sdk-0.1.0-x86_64.msi"

# choco install -y windows-sdk-10.0

curl -v -L "$WIN_CSC_LINK" --output cert.pfx

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
powershell Get-ExecutionPolicy -List

powershell $GITHUB_WORKSPACE/ci/codesign.ps1
'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' verify -pa "$WIN_INSTALLER_PATH"
fi
powershell $GITHUB_WORKSPACE/ci/codesign.ps1 $WIN_INSTALLER_PATH
fi
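Review bot: With this commit Makefile.toml calls `ci/codesign.ps1` directly and its `bash ../ci/codesign.sh` line is commented out, so nothing visible still invokes this script; keeping a second entry point for the same signing step invites drift (this one still tests `[ $RUNNER_OS = Windows ]` unquoted and enables `set -e` only inside the branch). Either delete the file or make it the single wrapper the Makefile uses, and quote the call: `powershell "$GITHUB_WORKSPACE/ci/codesign.ps1" "$WIN_INSTALLER_PATH"`. Dropping `Set-ExecutionPolicy Unrestricted` is a good change, but it means the `.ps1` now depends on the execution policy already configured on the custom `win-signing` host, which is worth confirming there.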
2 changes: 1 addition & 1 deletion rust-toolchain
@@ -1 +1 @@
nightly-2023-08-01
nightly-2023-11-10
7 changes: 5 additions & 2 deletions wooting-analog-sdk/Makefile.toml
Expand Up @@ -4,11 +4,14 @@ command = "cargo"
args = ["wix" , "-p", "wooting-analog-sdk", "--nocapture", "--output", "${WIN_INSTALLER_PATH}"]

[tasks.sign-win-installer]
condition = {env_true = ["CARGO_MAKE_CI"]}
env = {CODESIGN_SCRIPT_PATH="${CARGO_MAKE_WORKSPACE_WORKING_DIRECTORY}/ci/codesign.ps1"}
# condition = {env_true = ["CARGO_MAKE_CI"]}
dependencies = ["win-installer"]
script_runner = "bash"
# bash ../ci/codesign.sh
script = [
'''
bash ../ci/codesign.sh
powershell $CODESIGN_SCRIPT_PATH $WIN_INSTALLER_PATH
'''
]

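Review bot: Commenting out `condition = {env_true = ["CARGO_MAKE_CI"]}` means `cargo make sign-win-installer` (and anything that depends on it) now attempts to run codesign.ps1 on developer machines too, where the EV token and the `CERT_FILE`/`PASS`/`CONTAINER` variables it needs are absent. If the condition was dropped only to get the custom runner working, re-enable it or gate on the signing environment instead, e.g. `condition = {env_set = ["CERT_FILE", "CONTAINER"]}`. The bash snippet should also quote its expansions: `powershell "$CODESIGN_SCRIPT_PATH" "$WIN_INSTALLER_PATH"`. The `[tasks.win-installer]` definition above starts before this hunk.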
