From 2507a2049b87adfc49f75e43c069ce203a2b30fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Wawrzyniec=20Urba=C5=84czyk?= Date: Tue, 23 Aug 2022 00:49:23 +0200 Subject: [PATCH] Code Signing on Windows (#3654) This PR reenables code signing on Windows. Each Windows package built on CI should be now signed. Additionally, some refactorings were done around electron-builder config, so it is easier to use outside the build script and offers more configuration options. --- .github/workflows/gui.yml | 2 + Cargo.lock | 6 +- .../lib/client/electron-builder-config.ts | 92 +++++++++++++++---- app/ide-desktop/lib/client/package.json | 2 +- 4 files changed, 82 insertions(+), 20 deletions(-) diff --git a/.github/workflows/gui.yml b/.github/workflows/gui.yml index ff97c267fb47..3518af57105a 100644 --- a/.github/workflows/gui.yml +++ b/.github/workflows/gui.yml @@ -602,6 +602,8 @@ jobs: - run: "./run ide build --wasm-source current-ci-run --backend-source current-ci-run" env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + WIN_CSC_KEY_PASSWORD: "${{ secrets.MICROSOFT_CODE_SIGNING_CERT_PASSWORD }}" + WIN_CSC_LINK: "${{ secrets.MICROSOFT_CODE_SIGNING_CERT }}" - name: List files if failed (Windows) run: Get-ChildItem -Force -Recurse if: "failure() && runner.os == 'Windows'" diff --git a/Cargo.lock b/Cargo.lock index be6b8fa19183..88c380776476 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1751,7 +1751,7 @@ dependencies = [ [[package]] name = "enso-build" version = "0.1.0" -source = "git+https://github.com/enso-org/ci-build?branch=develop#1a30f55064c607eb2b86436155414db286c05ade" +source = "git+https://github.com/enso-org/ci-build?branch=develop#2b998bd5021c387ad50e99f087b7605ddecfbcc0" dependencies = [ "anyhow", "async-compression", @@ -1825,7 +1825,7 @@ dependencies = [ [[package]] name = "enso-build-cli" version = "0.1.0" -source = "git+https://github.com/enso-org/ci-build?branch=develop#1a30f55064c607eb2b86436155414db286c05ade" +source = "git+https://github.com/enso-org/ci-build?branch=develop#2b998bd5021c387ad50e99f087b7605ddecfbcc0" dependencies = [ "anyhow", "byte-unit", @@ -3736,7 +3736,7 @@ dependencies = [ [[package]] name = "ide-ci" version = "0.1.0" -source = "git+https://github.com/enso-org/ci-build?branch=develop#1a30f55064c607eb2b86436155414db286c05ade" +source = "git+https://github.com/enso-org/ci-build?branch=develop#2b998bd5021c387ad50e99f087b7605ddecfbcc0" dependencies = [ "anyhow", "async-compression", diff --git a/app/ide-desktop/lib/client/electron-builder-config.ts b/app/ide-desktop/lib/client/electron-builder-config.ts index 699a8a843d00..5bbab819a8ab 100644 --- a/app/ide-desktop/lib/client/electron-builder-config.ts +++ b/app/ide-desktop/lib/client/electron-builder-config.ts @@ -1,15 +1,64 @@ +/** + * This module defines a TS script that is responsible for invoking the Electron Builder process to + * bundle the entire IDE distribution. + * + * There are two areas to this: + * - Parsing CLI options as per our needs. + * - The default configuration of the build process. + * + * @module + */ + import path from 'node:path' import fs from 'node:fs/promises' -import { Configuration } from 'electron-builder' +import { CliOptions, Configuration, LinuxTargetSpecificOptions, Platform } from 'electron-builder' +import builder from 'electron-builder' import { require_env } from '../../utils.js' import { project_manager_bundle } from './paths.js' import build from '../../build.json' assert { type: 'json' } +import yargs from 'yargs' +import { MacOsTargetName } from 'app-builder-lib/out/options/macOptions' -const dist = require_env('ENSO_BUILD_IDE') -const gui = require_env('ENSO_BUILD_GUI') -const icons = require_env('ENSO_BUILD_ICONS') -const project_manager = require_env('ENSO_BUILD_PROJECT_MANAGER') +const args = await yargs(process.argv.slice(2)) + .env('ENSO_BUILD') + .option({ + ideDist: { + // Alias here (and subsequent occurrences) are for the environment variable name. + alias: 'ide', + type: 'string', + description: 'Output directory for IDE', + demandOption: true, + }, + guiDist: { + alias: 'gui', + type: 'string', + description: 'Output directory with GUI', + demandOption: true, + }, + iconsDist: { + alias: 'icons', + type: 'string', + description: 'Output directory with icons', + demandOption: true, + }, + projectManagerDist: { + alias: 'project-manager', + type: 'string', + description: 'Output directory with project manager', + demandOption: true, + }, + platform: { + type: 'string', + description: 'Platform that Electron Builder should target', + default: Platform.current().toString(), + coerce: (p: string) => Platform.fromString(p), + }, + targetOverride: { + type: 'string', + description: 'Overwrite the platform-default target', + }, + }).argv const config: Configuration = { appId: 'org.enso', @@ -21,8 +70,8 @@ const config: Configuration = { artifactName: 'enso-${os}-${version}.${ext}', mac: { // We do not use compression as the build time is huge and file size saving is almost zero. - target: ['dmg'], - icon: `${icons}/icon.icns`, + target: (args.targetOverride as MacOsTargetName) ?? 'dmg', + icon: `${args.iconsDist}/icon.icns`, category: 'public.app-category.developer-tools', darkModeSupport: true, type: 'distribution', @@ -39,23 +88,23 @@ const config: Configuration = { }, win: { // We do not use compression as the build time is huge and file size saving is almost zero. - target: ['nsis'], - icon: `${icons}/icon.ico`, + target: args.targetOverride ?? 'nsis', + icon: `${args.iconsDist}/icon.ico`, }, linux: { // We do not use compression as the build time is huge and file size saving is almost zero. - target: ['AppImage'], - icon: `${icons}/png`, + target: args.targetOverride ?? 'AppImage', + icon: `${args.iconsDist}/png`, category: 'Development', }, files: [ '!**/node_modules/**/*', - { from: `${gui}/`, to: '.' }, - { from: `${dist}/client`, to: '.' }, + { from: `${args.guiDist}/`, to: '.' }, + { from: `${args.ideDist}/client`, to: '.' }, ], extraResources: [ { - from: `${project_manager}/`, + from: `${args.projectManagerDist}/`, to: project_manager_bundle, filter: ['!**.tar.gz', '!**.zip'], }, @@ -68,7 +117,7 @@ const config: Configuration = { }, ], directories: { - output: `${dist}`, + output: `${args.ideDist}`, }, nsis: { // Disables "block map" generation during electron building. Block maps @@ -101,6 +150,8 @@ const config: Configuration = { // TODO [mwu]: Temporarily disabled, signing should be revised. // In particular, engine should handle signing of its artifacts. // afterPack: 'tasks/prepareToSign.js', + + publish: null, } // `electron-builder` checks for presence of `node_modules` directory. If it is not present, it will @@ -110,4 +161,13 @@ const config: Configuration = { // Without this workaround, `electron-builder` will end up erasing its own dependencies and failing // because of that. await fs.mkdir('node_modules', { recursive: true }) -await fs.writeFile('electron-builder-config.json', JSON.stringify(config, null, 2)) + +const cli_opts: CliOptions = { + config: config, + targets: args.platform.createTarget(), +} + +console.log('Building with configuration:', cli_opts) + +const result = await builder.build(cli_opts) +console.log('Electron Builder is done. Result:', result) diff --git a/app/ide-desktop/lib/client/package.json b/app/ide-desktop/lib/client/package.json index 8b15eade6041..4bc6f0ef1a4b 100644 --- a/app/ide-desktop/lib/client/package.json +++ b/app/ide-desktop/lib/client/package.json @@ -36,6 +36,6 @@ "scripts": { "start": "electron ../../../../dist/content -- ", "build": "ts-node bundle.ts", - "dist": "ts-node electron-builder-config.ts && electron-builder --publish never --config electron-builder-config.json" + "dist": "ts-node electron-builder-config.ts" } }