new windows signing (#9786)

CHANGELOG_BEGIN CHANGELOG_END
2024-11-12 13:05:08 +03:00 · 2021-05-25 16:23:17 +02:00 · 2021-05-25 16:23:17 +02:00 · 646c956457
commit 646c956457
parent cae429237e
4 changed files with 33 additions and 85 deletions
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -43,54 +43,6 @@ jobs:
      fi
    displayName: check perf changes

- job: test_windows_signing
-  dependsOn: [ "check_for_release", "Windows" ]
-  condition: and(succeeded(),
-                 eq(variables['Build.SourceBranchName'], 'main'))
-  pool:
-    name: 'windows-pool'
-    demands: assignment -equals windows-signing
-  steps:
-  - checkout: none
-  - bash: |
-      mkdir -p '$(Build.StagingDirectory)'/test-signing
-  - task: DownloadPipelineArtifact@0
-    inputs:
-      artifactName: test-signing
-      targetPath: $(Build.StagingDirectory)/test-signing
-  - bash: |
-      ls -l '$(Build.StagingDirectory)'\\test-signing\\installer.exe
-      "/C/Program Files/dotnet/dotnet.exe" tool install --global AzureSignTool
-      ls -l /C/Users/u/.dotnet/tools/azuresigntool
-      /C/Users/u/.dotnet/tools/azuresigntool sign \
-        --azure-key-vault-url "$AZURE_KEY_VAULT_URL" \
-        --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
-        --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
-        --azure-key-vault-certificate "$AZURE_KEY_VAULT_CERTIFICATE" \
-        --description "Daml SDK installer" \
-        --description-url "https://daml.com" \
-        --timestamp-rfc3161 "http://timestamp.digicert.com" \
-        --file-digest sha384 \
-        --verbose \
-        '$(Build.StagingDirectory)'\\test-signing\\installer.exe
-      echo $?
-      ls -l '$(Build.StagingDirectory)'\\test-signing\\installer.exe
-      echo check
-      signtool verify /pa '$(Build.StagingDirectory)'\\test-signing\\installer.exe
-      echo $?
-      echo done check
-      exit 0
-    env:
-      AZURE_KEY_VAULT_URL: $(AZURE_KEY_VAULT_URL)
-      AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
-      AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
-      AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-      AZURE_KEY_VAULT_CERTIFICATE: $(AZURE_KEY_VAULT_CERTIFICATE)
-  - task: PublishPipelineArtifact@0
-    inputs:
-      targetPath: $(Build.StagingDirectory)/test-signing/installer.exe
-      artifactName: test-signing-signed
-
 - job: release
  dependsOn: [ "check_for_release", "Linux", "Linux_scala_2_12", "macOS", "Windows" ]
  condition: and(succeeded(),
--- a/ci/build-windows.yml
+++ b/ci/build-windows.yml
@ -43,27 +43,22 @@ steps:
    parameters:
      var_name: bash-lib

-  # TODO: remove once new signing is working (see #9758)
-  - bash: |
-      OUTPUT_DIR='$(Build.StagingDirectory)'/test-signing
-      mkdir -p $OUTPUT_DIR
-      cp "bazel-bin/release/windows-installer/daml-sdk-installer-ce.exe" "$OUTPUT_DIR/installer.exe"
-  - task: PublishPipelineArtifact@0
-    inputs:
-      targetPath: $(Build.StagingDirectory)/test-signing
-      artifactName: test-signing
-
  - bash: |
      set -euo pipefail
      mkdir -p '$(Build.StagingDirectory)'/release
      ./ci/copy-windows-release-artifacts.sh ${{parameters.release_tag}} '$(Build.StagingDirectory)'/release
    name: publish
    env:
-      SIGNING_KEY: $(microsoft-code-signing)
+      AZURE_KEY_VAULT_URL: $(AZURE_KEY_VAULT_URL)
+      AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
+      AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
+      AZURE_TENANT_ID: $(AZURE_TENANT_ID)
+      AZURE_KEY_VAULT_CERTIFICATE: $(AZURE_KEY_VAULT_CERTIFICATE)
      DAML_SDK_RELEASE_VERSION: ${{parameters.release_tag}}
    condition: and(succeeded(),
                   eq(${{parameters.is_release}}, 'true'),
                   eq(variables['Build.SourceBranchName'], 'main'))
+
  - task: PublishPipelineArtifact@0
    condition: and(succeeded(),
                   eq(${{parameters.is_release}}, 'true'),
--- a/ci/copy-windows-release-artifacts.sh
+++ b/ci/copy-windows-release-artifacts.sh
@ -8,22 +8,30 @@ OUTPUT_DIR=$2

 mkdir -p $OUTPUT_DIR/github
 mkdir -p $OUTPUT_DIR/artifactory
-INSTALLER=daml-sdk-$RELEASE_TAG-windows.exe
-EE_INSTALLER=daml-sdk-$RELEASE_TAG-windows-ee.exe
-mv "bazel-bin/release/windows-installer/daml-sdk-installer-ce.exe" "$OUTPUT_DIR/github/$INSTALLER"
-mv "bazel-bin/release/windows-installer/daml-sdk-installer-ee.exe" "$OUTPUT_DIR/artifactory/$EE_INSTALLER"
-chmod +wx "$OUTPUT_DIR/github/$INSTALLER"
-chmod +wx "$OUTPUT_DIR/artifactory/$EE_INSTALLER"
-cleanup () {
-    rm -f signing_key.pfx
-}
-trap cleanup EXIT
-echo "$SIGNING_KEY" | base64 -d > signing_key.pfx
-for path in "$OUTPUT_DIR/github/$INSTALLER" "$OUTPUT_DIR/artifactory/$EE_INSTALLER"; do
-    MSYS_NO_PATHCONV=1 signtool.exe sign '/f' signing_key.pfx '/fd' sha256 '/tr' "http://timestamp.digicert.com" '/v' "$path"
-done
-rm signing_key.pfx
-trap - EXIT
+INSTALLER="$OUTPUT_DIR/github/daml-sdk-$RELEASE_TAG-windows.exe"
+EE_INSTALLER="$OUTPUT_DIR/artifactory/daml-sdk-$RELEASE_TAG-windows-ee.exe"
+mv "bazel-bin/release/windows-installer/daml-sdk-installer-ce.exe" "$INSTALLER"
+mv "bazel-bin/release/windows-installer/daml-sdk-installer-ee.exe" "$EE_INSTALLER"
+chmod +wx "$INSTALLER"
+chmod +wx "$EE_INSTALLER"
+
+if ! [ -f /C/Users/u/.dotnet/tools/azuresigntool.exe ]; then
+    "/C/Program Files/dotnet/dotnet.exe" tool install --global AzureSignTool
+fi
+
+/C/Users/u/.dotnet/tools/azuresigntool.exe sign \
+  --azure-key-vault-url "$AZURE_KEY_VAULT_URL" \
+  --azure-key-vault-client-id "$AZURE_CLIENT_ID" \
+  --azure-key-vault-client-secret "$AZURE_CLIENT_SECRET" \
+  --azure-key-vault-certificate "$AZURE_KEY_VAULT_CERTIFICATE" \
+  --description "Daml SDK installer" \
+  --description-url "https://daml.com" \
+  --timestamp-rfc3161 "http://timestamp.digicert.com" \
+  --file-digest sha384 \
+  --verbose \
+  "$INSTALLER" \
+  "$EE_INSTALLER"
+
 TARBALL=daml-sdk-$RELEASE_TAG-windows.tar.gz
 EE_TARBALL=daml-sdk-$RELEASE_TAG-windows-ee.tar.gz
 cp bazel-bin/release/sdk-release-tarball-ce.tar.gz "$OUTPUT_DIR/github/$TARBALL"
--- a/infra/vsts_agent_windows.tf
+++ b/infra/vsts_agent_windows.tf
@ -13,16 +13,7 @@ locals {
      suffix     = "",
      size       = 6,
      assignment = "default",
-      install    = "",
    },
-    {
-      suffix     = "-sign"
-      size       = 1,
-      assignment = "windows-signing",
-      install    = <<INSTALL
-& choco install dotnetcore-2.1-sdk --no-progress --yes 2>&1 | %%{ "$_" }
-INSTALL
-    }
  ]
 }

@ -146,7 +137,9 @@ winrm set winrm/config/service/auth '@{Basic="true"}'
 net stop winrm
 sc.exe config winrm start=auto
 net start winrm
-${local.w[count.index].install}
+
+& choco install dotnetcore-2.1-sdk --no-progress --yes 2>&1 | %%{ "$_" }
+
 echo "== Installing the VSTS agent"

 New-Item -ItemType Directory -Path 'C:\agent'