Compare commits
27 Commits
nested_dir
...
pierremtb/
| Author | SHA1 | Date | |
|---|---|---|---|
| c1894edaed | |||
| 8c28f34238 | |||
| d2340628a8 | |||
| a1f5cdd690 | |||
| d1d8d0a82c | |||
| f76b328136 | |||
| a13548da17 | |||
| 65f4b0f239 | |||
| dbcc0bd3b4 | |||
| 472b3618ac | |||
| 43e89e8bae | |||
| 94a9e01301 | |||
| 3980a1caf8 | |||
| d4f23f8469 | |||
| 9143c6f08a | |||
| 1d4456c458 | |||
| c6fbb4fc63 | |||
| b7c8d6c185 | |||
| f23aa5e642 | |||
| 8bb26c9b89 | |||
| 0d7aebdee9 | |||
| ad333c2055 | |||
| 3559df0c5e | |||
| e2dda07829 | |||
| ea585cb5d6 | |||
| 8af9af2aa7 | |||
| f0ba35c0b2 |
58
.github/workflows/build-apps.yml
vendored
58
.github/workflows/build-apps.yml
vendored
@ -5,12 +5,14 @@ on:
|
|||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
|
||||||
tags:
|
tags:
|
||||||
- 'v[0-9]+.[0-9]+.[0-9]+'
|
- 'v[0-9]+.[0-9]+.[0-9]+'
|
||||||
- 'nightly-v[0-9]+.[0-9]+.[0-9]+'
|
- 'nightly-v[0-9]+.[0-9]+.[0-9]+'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
IS_RELEASE: ${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}
|
# IS_RELEASE: ${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'v') }}
|
||||||
|
IS_RELEASE: true
|
||||||
IS_NIGHTLY: ${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'nightly-v') }}
|
IS_NIGHTLY: ${{ github.ref_type == 'tag' && startsWith(github.ref_name, 'nightly-v') }}
|
||||||
|
|
||||||
concurrency:
|
concurrency:
|
||||||
@ -29,7 +31,8 @@ jobs:
|
|||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
cache: 'yarn'
|
# Forget cache for now
|
||||||
|
# cache: 'yarn'
|
||||||
|
|
||||||
- run: yarn install
|
- run: yarn install
|
||||||
|
|
||||||
@ -43,7 +46,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Download Wasm Cache
|
- name: Download Wasm Cache
|
||||||
id: download-wasm
|
id: download-wasm
|
||||||
if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }}
|
# if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }}
|
||||||
uses: dawidd6/action-download-artifact@v7
|
uses: dawidd6/action-download-artifact@v7
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
with:
|
with:
|
||||||
@ -59,7 +62,8 @@ jobs:
|
|||||||
set -euox pipefail
|
set -euox pipefail
|
||||||
# Build wasm if this is a push to main or tag, there are Rust changes, or
|
# Build wasm if this is a push to main or tag, there are Rust changes, or
|
||||||
# downloading from the wasm cache failed.
|
# downloading from the wasm cache failed.
|
||||||
if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
|
# if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
|
||||||
|
if [[ ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
|
||||||
echo "should-build-wasm=true" >> $GITHUB_OUTPUT
|
echo "should-build-wasm=true" >> $GITHUB_OUTPUT
|
||||||
else
|
else
|
||||||
echo "should-build-wasm=false" >> $GITHUB_OUTPUT
|
echo "should-build-wasm=false" >> $GITHUB_OUTPUT
|
||||||
@ -99,11 +103,11 @@ jobs:
|
|||||||
yarn files:set-version
|
yarn files:set-version
|
||||||
yarn files:flip-to-nightly
|
yarn files:flip-to-nightly
|
||||||
|
|
||||||
- name: Set release version
|
# - name: Set release version
|
||||||
if: ${{ env.IS_RELEASE == 'true' }}
|
# if: ${{ env.IS_RELEASE == 'true' }}
|
||||||
run: |
|
# run: |
|
||||||
export VERSION=${GITHUB_REF_NAME#v}
|
# export VERSION=${GITHUB_REF_NAME#v}
|
||||||
yarn files:set-version
|
# yarn files:set-version
|
||||||
|
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
@ -172,7 +176,8 @@ jobs:
|
|||||||
uses: actions/setup-node@v4
|
uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version-file: '.nvmrc'
|
node-version-file: '.nvmrc'
|
||||||
cache: 'yarn' # Set this to npm, yarn or pnpm.
|
# Forget cache for now
|
||||||
|
# cache: 'yarn' # Set this to npm, yarn or pnpm.
|
||||||
|
|
||||||
- name: yarn install
|
- name: yarn install
|
||||||
# Windows is picky sometimes and fails on fetch. Step takes about ~30s
|
# Windows is picky sometimes and fails on fetch. Step takes about ~30s
|
||||||
@ -183,32 +188,41 @@ jobs:
|
|||||||
max_attempts: 3
|
max_attempts: 3
|
||||||
command: yarn install
|
command: yarn install
|
||||||
|
|
||||||
|
# Next steps are from Digicert docs at
|
||||||
|
# https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/scripts/github/scripts-for-signing-using-ksp-library-on-github.html#ksp-signing-using-github-action-488726
|
||||||
- name: Prepare certificate and variables (Windows only)
|
- name: Prepare certificate and variables (Windows only)
|
||||||
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
|
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
|
||||||
run: |
|
run: |
|
||||||
echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
|
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
|
||||||
cat /d/Certificate_pkcs12.p12
|
echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > $CERTIFICATE_PATH
|
||||||
echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
|
echo "SM_CLIENT_CERT_FILE=$CERTIFICATE_PATH" >> "$GITHUB_ENV"
|
||||||
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
|
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
|
||||||
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
|
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
|
||||||
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
|
|
||||||
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
|
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
|
||||||
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
|
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
|
||||||
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
|
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
|
||||||
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
|
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
||||||
- name: Setup certicate with SSM KSP (Windows only)
|
- name: Setup certicate with SSM KSP (Windows only)
|
||||||
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
|
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
|
||||||
run: |
|
run: |
|
||||||
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
|
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
|
||||||
msiexec /i smtools-windows-x64.msi /quiet /qn
|
msiexec /i Keylockertools-windows-x64.msi /quiet /qn
|
||||||
smksp_registrar.exe list
|
smksp_registrar.exe list
|
||||||
smctl.exe keypair ls
|
smctl.exe keypair ls
|
||||||
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
|
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
|
||||||
smksp_cert_sync.exe
|
smksp_cert_sync.exe
|
||||||
|
smctl windows certsync
|
||||||
shell: cmd
|
shell: cmd
|
||||||
|
|
||||||
|
# This is what electron-builder seems to want
|
||||||
|
- name: List certs
|
||||||
|
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
|
||||||
|
shell: pwsh
|
||||||
|
run: |
|
||||||
|
Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint
|
||||||
|
|
||||||
- name: Build the app (debug)
|
- name: Build the app (debug)
|
||||||
if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }}
|
if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }}
|
||||||
# electron-builder doesn't have a concept of release vs debug,
|
# electron-builder doesn't have a concept of release vs debug,
|
||||||
@ -222,11 +236,11 @@ jobs:
|
|||||||
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
||||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
||||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||||
CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
|
# CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
|
||||||
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
|
# CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
|
||||||
CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }}
|
# CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }}
|
||||||
WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }}
|
# WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }}
|
||||||
DEBUG: "electron-notarize*"
|
DEBUG: electron-builder
|
||||||
# TODO: Fix electron-notarize flakes. The logs above should help gather more data on failures
|
# TODO: Fix electron-notarize flakes. The logs above should help gather more data on failures
|
||||||
uses: nick-fields/retry@v3.0.2
|
uses: nick-fields/retry@v3.0.2
|
||||||
with:
|
with:
|
||||||
|
|||||||
56
.github/workflows/pierre-test-windows-code-sign.yml
vendored
Normal file
56
.github/workflows/pierre-test-windows-code-sign.yml
vendored
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
name: pierre-test-windows-code-sign
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build-apps:
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
include:
|
||||||
|
- os: windows-2022
|
||||||
|
platform: win
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
steps:
|
||||||
|
|
||||||
|
# From https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/scripts/github/scripts-for-signing-using-ksp-library-on-github.html#ksp-signing-using-github-action-488726
|
||||||
|
- name: Setup Certificate
|
||||||
|
run: |
|
||||||
|
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
|
||||||
|
cat /d/Certificate_pkcs12.p12
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
- name: Set variables
|
||||||
|
id: variables
|
||||||
|
run: |
|
||||||
|
echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
|
||||||
|
echo "KEYPAIR_NAME=gt-standard-keypair" >> $GITHUB_OUTPUT
|
||||||
|
echo "CERTIFICATE_NAME=gt-certificate" >> $GITHUB_OUTPUT
|
||||||
|
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
|
||||||
|
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
|
||||||
|
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
|
||||||
|
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
|
||||||
|
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
- name: Setup SSM KSP on windows latest
|
||||||
|
run: |
|
||||||
|
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
|
||||||
|
msiexec /i Keylockertools-windows-x64.msi /quiet /qn
|
||||||
|
smksp_registrar.exe list
|
||||||
|
smctl.exe keypair ls
|
||||||
|
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
|
||||||
|
smksp_cert_sync.exe
|
||||||
|
smctl windows certsync
|
||||||
|
shell: cmd
|
||||||
|
|
||||||
|
# This is what electron-builder seems to want
|
||||||
|
- name: List certs
|
||||||
|
shell: pwsh
|
||||||
|
run: |
|
||||||
|
Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint
|
||||||
@ -33,10 +33,12 @@ win:
|
|||||||
- x64
|
- x64
|
||||||
- arm64
|
- arm64
|
||||||
signtoolOptions:
|
signtoolOptions:
|
||||||
sign: "./scripts/sign-win.js"
|
certificateSha1: F4C9A52FF7BC26EE5E054946F6B11DEEA94C748D
|
||||||
signingHashAlgorithms:
|
signingHashAlgorithms:
|
||||||
- sha256
|
- sha256
|
||||||
publisherName: "KittyCAD Inc" # needs to be exactly like on Digicert
|
publisherName: "KittyCAD Inc"
|
||||||
|
certificateSubjectName: "KittyCAD Inc"
|
||||||
|
rfc3161TimeStampServer: http://timestamp.digicert.com
|
||||||
icon: "assets/icon.ico"
|
icon: "assets/icon.ico"
|
||||||
fileAssociations:
|
fileAssociations:
|
||||||
- ext: kcl
|
- ext: kcl
|
||||||
|
|||||||
@ -23,13 +23,11 @@ exports.default = async (configuration) => {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
execSync(
|
const result = execSync(
|
||||||
`smctl sign --fingerprint="${process.env.WINDOWS_CERTIFICATE_THUMBPRINT
|
`smctl sign --fingerprint="${process.env.WINDOWS_CERTIFICATE_THUMBPRINT
|
||||||
}" --input "${String(configuration.path)}"`,
|
}" --input "${String(configuration.path)}"`,
|
||||||
{
|
).toString()
|
||||||
stdio: 'inherit',
|
console.log('execSync result', result)
|
||||||
}
|
|
||||||
)
|
|
||||||
console.log('Signing using signWin.js script: successful')
|
console.log('Signing using signWin.js script: successful')
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
throw new Error('Signing using signWin.js script: failed:', error)
|
throw new Error('Signing using signWin.js script: failed:', error)
|
||||||
|
|||||||
Reference in New Issue
Block a user