Skip to content

Commit 9a1ea26

Browse files
rekhoffbfops
andauthored
Adds code signing to tagged windows builds (#4473)
**Note**: This change requires the addition of new entries in the secrets to work properly. These should be added prior to this merging. # Description of Changes * Add a tag-only Windows signing job that runs on a self-hosted signing runner. * This is an alternative/separate code-path just for the signing job. See **Alternatives Considered** for details. * Skip the unsigned Windows matrix build on tags so signed artifacts are the only Windows release outputs. * Sign `spacetimedb-update.exe`, `spacetimedb-cli.exe`, and `spacetimedb-standalone.exe` before packaging, then upload the signed artifacts as usual. # Alternatives Considered **Inline signing in the existing Windows packaging step**. This was rejected because it would require all Windows builds (including non-tag builds) to run on the signing-capable runner or to install/signing tooling on GitHub-hosted runners. The chosen approach isolates signing to tag releases, avoids exposing credentials in standard builds, and keeps routine CI behavior unchanged. # API and ABI breaking changes None # Expected complexity level and risk 2 – low risk. CI-only change that adds a new signing job and preserves existing artifact layout. # Testing - [X] None (Not running, workflow change only) --------- Signed-off-by: Ryan <r.ekhoff@clockworklabs.io> Co-authored-by: Zeke Foppa <196249+bfops@users.noreply.github.com>
1 parent 0b30b16 commit 9a1ea26

1 file changed

Lines changed: 89 additions & 0 deletions

File tree

.github/workflows/package.yml

Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,9 +7,12 @@ on:
77
branches:
88
- master
99
- release/*
10+
permissions:
11+
contents: read
1012

1113
jobs:
1214
build-cli:
15+
if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }}
1316
strategy:
1417
fail-fast: false
1518
matrix:
@@ -85,3 +88,89 @@ jobs:
8588
source_dir: build
8689
endpoint: https://nyc3.digitaloceanspaces.com
8790
destination_dir: ${{ steps.extract_branch.outputs.branch }}
91+
92+
build-cli-windows-signed:
93+
if: ${{ startsWith(github.ref, 'refs/tags/') }}
94+
name: Build and sign CLI for x86_64 Windows
95+
runs-on: [self-hosted, windows, signing]
96+
environment: codesign
97+
concurrency:
98+
group: codesign-${{ github.ref }}
99+
cancel-in-progress: false
100+
101+
steps:
102+
- name: Checkout
103+
uses: actions/checkout@v3
104+
105+
- name: Install Rust
106+
uses: dsherret/rust-toolchain-file@v1
107+
108+
- name: Install rust target
109+
run: rustup target add x86_64-pc-windows-msvc
110+
111+
- name: Compile
112+
run: |
113+
cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
114+
115+
- name: Write certificate file
116+
shell: powershell
117+
env:
118+
DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
119+
run: |
120+
[IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
121+
122+
- name: Sign binaries
123+
shell: powershell
124+
env:
125+
DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
126+
run: |
127+
$ErrorActionPreference = 'Stop'
128+
$targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
129+
$certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt'
130+
131+
$signtool = Get-Command signtool.exe -ErrorAction Stop
132+
133+
$files = @(
134+
(Join-Path $targetDir 'spacetimedb-update.exe'),
135+
(Join-Path $targetDir 'spacetimedb-cli.exe'),
136+
(Join-Path $targetDir 'spacetimedb-standalone.exe')
137+
)
138+
139+
foreach ($file in $files) {
140+
& $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
141+
& $signtool.Path verify /v /pa $file
142+
}
143+
144+
- name: Package (windows)
145+
shell: powershell
146+
run: |
147+
$ErrorActionPreference = 'Stop'
148+
New-Item -ItemType Directory -Force -Path build | Out-Null
149+
$releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
150+
151+
Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe')
152+
Compress-Archive -Force -Path @(
153+
(Join-Path $releaseDir 'spacetimedb-cli.exe'),
154+
(Join-Path $releaseDir 'spacetimedb-standalone.exe')
155+
) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip')
156+
157+
- name: Extract branch name
158+
shell: powershell
159+
run: |
160+
$ErrorActionPreference = 'Stop'
161+
$branch = $env:GITHUB_HEAD_REF
162+
if ([string]::IsNullOrEmpty($branch)) {
163+
$branch = $env:GITHUB_REF -replace '^refs/heads/', ''
164+
}
165+
"branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
166+
id: extract_branch
167+
168+
- name: Upload to DO Spaces
169+
uses: shallwefootball/s3-upload-action@master
170+
with:
171+
aws_key_id: ${{ secrets.AWS_KEY_ID }}
172+
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
173+
aws_bucket: ${{ vars.AWS_BUCKET }}
174+
source_dir: build
175+
endpoint: https://nyc3.digitaloceanspaces.com
176+
destination_dir: ${{ steps.extract_branch.outputs.branch }}

0 commit comments

Comments
 (0)