From 03dbd9628c8e5d6434a3fe863b1d78dead79f93f Mon Sep 17 00:00:00 2001
From: tobtoht
Date: Wed, 18 Dec 2024 02:19:26 +0100
Subject: [PATCH] Revert "ci: integrate signpath"

This reverts commit c0337189565611b0bb8ce2d71fc45a9f07c1984e.
Revert until the SignPath GitHub app does not require admin permissions.
---
 .github/workflows/guix.yml | 55 +------------------------
 contrib/guix/libexec/build.sh | 22 ++++++++--
 contrib/installers/windows/setup.nsi.in | 2 +-
 3 files changed, 22 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/guix.yml b/.github/workflows/guix.yml
index 7010c4c..8f06f96 100644
--- a/.github/workflows/guix.yml
+++ b/.github/workflows/guix.yml
@@ -36,9 +36,7 @@ jobs:
 - target: "x86_64-w64-mingw32.installer"
 - target: "x86_64-apple-darwin"
 - target: "arm64-apple-darwin"
- outputs:
- WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}
- WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}
+
 name: ${{ matrix.toolchain.target }}
 steps:
 - uses: actions/checkout@v4
@@ -57,7 +55,7 @@ jobs:
 path: contrib/depends/sources
 key: sources-${{ hashFiles('contrib/depends/packages/*') }}
 - name: install dependencies
- run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode
+ run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils
 - name: fix apparmor
 run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed"
 - name: purge apparmor
@@ -74,18 +72,11 @@ jobs:
 files: |
 guix/guix-build-*/build/distsrc-*/build/bin/feather.exe
 - uses: actions/upload-artifact@v4
- id: upload-artifact
 with:
 name: ${{ matrix.toolchain.target }}
 path: |
 guix/guix-build-*/output/${{ matrix.toolchain.target }}/*
 guix/guix-build-*/logs/${{ matrix.toolchain.target }}/*
- - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}
- id: win-installer
- run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
- - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}
- id: win-executable
- run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
 bundle-logs:
 runs-on: ubuntu-24.04
@@ -109,45 +100,3 @@ jobs:
 artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz"
 draft: true
 name: v${{github.ref_name}}
-
- codesigning:
- runs-on: ubuntu-24.04
- needs: [build-guix, bundle-logs]
- if: startsWith(github.ref, 'refs/tags/')
- strategy:
- fail-fast: false
- matrix:
- toolchain:
- - target: "x86_64-w64-mingw32"
- - target: "x86_64-w64-mingw32.installer"
- steps:
- - name: install dependencies
- run: sudo apt update; sudo apt -y install osslsigncode
- - name: "set artifact id"
- run: |
- if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then
- echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV
- echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV
- elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then
- echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV
- echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV
- fi
- - uses: signpath/github-action-submit-signing-request@v1
- name: "request signature"
- with:
- api-token: '${{ secrets.SIGNPATH_API_KEY }}'
- organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'
- project-slug: 'feather'
- signing-policy-slug: 'release-signing'
- artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}
- github-artifact-id: ${{ env.ARTIFACT_ID }}
- wait-for-completion: true
- output-artifact-directory: codesigning/
- - name: "extract signature"
- run: osslsigncode extract-signature -in codesigning/guix-build-*/output/${{ matrix.toolchain.target }}/*-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
- - uses: actions/upload-artifact@v4
- name: "upload signature"
- with:
- name: ${{ matrix.toolchain.target }}.pem
- path: |
- codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 821f41f..6190d8c 100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -415,9 +415,25 @@ mkdir -p "$DISTSRC"
 # for release
 case "$HOST" in
 *mingw*)
- if [ -z "$OPTIONS" ]; then
- mv feather.exe "${OUTDIR}/${DISTNAME}-unsigned.exe"
- fi
+ case "$OPTIONS" in
+ installer)
+ find . -print0 \
+ | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+ find . \
+ | sort \
+ | zip -X@ "${OUTDIR}/${DISTNAME}-win-installer.zip" \
+ || ( rm -f "${OUTDIR}/${DISTNAME}-win-installer.zip" && exit 1 )
+ ;;
+ "")
+ mv feather.exe ${DISTNAME}.exe && \
+ find . -print0 \
+ | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+ find . \
+ | sort \
+ | zip -X@ "${OUTDIR}/${DISTNAME}-win.zip" \
+ || ( rm -f "${OUTDIR}/${DISTNAME}-win.zip" && exit 1 )
+ ;;
+ esac
 ;;
 *linux*)
 if [ "$OPTIONS" != "pack" ]; then
diff --git a/contrib/installers/windows/setup.nsi.in b/contrib/installers/windows/setup.nsi.in
index 0e0d5eb..323c25f 100644
--- a/contrib/installers/windows/setup.nsi.in
+++ b/contrib/installers/windows/setup.nsi.in
@@ -1,6 +1,6 @@
 Name "Feather Wallet"
-OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup-@PROJECT_VERSION@-unsigned.exe"
+OutFile "${CUR_PATH}\contrib\installers\windows\FeatherWalletSetup-@PROJECT_VERSION@.exe"
 RequestExecutionLevel highest
 SetCompressor /SOLID lzma
 SetDateSave off
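Review bot: In contrib/guix/libexec/build.sh, both new `case "$OPTIONS"` arms end with `|| ( rm -f … && exit 1 )`, where `exit 1` runs inside a subshell and so ends only that subshell; the script aborts at that point only if `set -e` is in effect, which this hunk does not show. A brace group makes the abort explicit, e.g. `|| { rm -f "${OUTDIR}/${DISTNAME}-win.zip"; exit 1; }`, so a failed `zip` stops the release build without relying on shell options set elsewhere. In the `""` arm, `mv feather.exe ${DISTNAME}.exe` is the only unquoted expansion in the hunk and should read `mv feather.exe "${DISTNAME}.exe"`. The enclosing `case "$HOST"` block starts and ends outside the hunk.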