From a08f6ea24245461e912f2be5676009dcbea05634 Mon Sep 17 00:00:00 2001 From: Moritz Kiefer Date: Thu, 10 Jun 2021 20:51:02 +0200 Subject: [PATCH] Backport Windows signing changes from #9786 (#9960) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Our release failed to find the SIGNING_KEY variable which is very much expected unfortunately. The backport is not quite identical: 1. It only changes ci/copy-windows-release-artifacts.sh. The way our release process works we use CI config from main but source from the release branch so this is expected. 2. We don’t have EE support on this branch so I dropped that. I did my best to not have any typoes but obviously this is hard to see so please review carefully. changelog_begin changelog_end
---
 ci/copy-windows-release-artifacts.sh | 33 +++++++++++++++++----------- 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/ci/copy-windows-release-artifacts.sh b/ci/copy-windows-release-artifacts.sh
index d76885a34667..940951c807cf 100755
--- a/ci/copy-windows-release-artifacts.sh
+++ b/ci/copy-windows-release-artifacts.sh
@@ -8,18 +8,25 @@ OUTPUT_DIR=$2
 mkdir -p $OUTPUT_DIR/github
 mkdir -p $OUTPUT_DIR/artifactory
-INSTALLER=daml-sdk-$RELEASE_TAG-windows.exe
-mv "bazel-bin/release/windows-installer/daml-sdk-installer.exe" "$OUTPUT_DIR/github/$INSTALLER"
-chmod +wx "$OUTPUT_DIR/github/$INSTALLER"
-cleanup () {
- rm -f signing_key.pfx
-}
-trap cleanup EXIT
-echo "$SIGNING_KEY" | base64 -d > signing_key.pfx
-for path in "$OUTPUT_DIR/github/$INSTALLER"; do
- MSYS_NO_PATHCONV=1 signtool.exe sign '/f' signing_key.pfx '/fd' sha256 '/tr' "http://timestamp.digicert.com" '/v' "$path"
-done
-rm signing_key.pfx
-trap - EXIT
+INSTALLER="$OUTPUT_DIR/github/daml-sdk-$RELEASE_TAG-windows.exe"
+mv "bazel-bin/release/windows-installer/daml-sdk-installer.exe" "$INSTALLER"
+chmod +wx "$INSTALLER"
+
+if ! [ -f /C/Users/u/.dotnet/tools/azuresigntool.exe ]; then
+ "/C/Program Files/dotnet/dotnet.exe" tool install --global AzureSignTool
+fi
+
+/C/Users/u/.dotnet/tools/azuresigntool.exe sign \
+ --azure-key-vault-url "$AZURE_KEY_VAULT_URL" \
+ --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
+ --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
+ --azure-key-vault-certificate "$AZURE_KEY_VAULT_CERTIFICATE" \
+ --description "Daml SDK installer" \
+ --description-url "https://daml.com" \
+ --timestamp-rfc3161 "http://timestamp.digicert.com" \
+ --file-digest sha384 \
+ --verbose \
+ "$INSTALLER"
+
 TARBALL=daml-sdk-$RELEASE_TAG-windows.tar.gz
 cp bazel-bin/release/sdk-release-tarball.tar.gz "$OUTPUT_DIR/github/$TARBALL"
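Review bot: The added `tool install --global AzureSignTool` line fetches whatever version is current at release time, and the `-f` existence check then reuses whatever copy already sits under `/C/Users/u/.dotnet/tools`, so the binary that receives the Key Vault credentials and signs the installer is neither pinned nor guaranteed to be the same across build machines. Pinning it, e.g. `"/C/Program Files/dotnet/dotnet.exe" tool install --global AzureSignTool --version <PINNED_VERSION>`, and logging the version in use would make the signing step reproducible and reviewable. Separately, `--azure-key-vault-client-secret "$AZURE_CLIENT_SECRET"` puts the secret on the command line, where a process listing or a shell trace can expose it; whether CI masks it is not visible in this hunk, and AzureSignTool's `--azure-key-vault-accesstoken` or `--azure-key-vault-managed-identity` options avoid handing a long-lived secret to the tool this way. A guard such as `: "${AZURE_CLIENT_SECRET:?}"` for each of the four `AZURE_*` variables before the `sign` call would also turn the missing-variable failure described in the commit message into an immediate, clearly named error.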