From 126d2c336ba51fa00a42aad5c667e19c581c36ee Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Mon, 6 Mar 2023 08:56:49 +0000
Subject: [PATCH] Assert release & nightly builds are signed, notarised & accessible before deployment (#559)

---
 .github/workflows/build_macos.yaml | 8 ++++++++
 .github/workflows/build_windows.yaml | 11 +++++++++--
 .github/workflows/reprepro.yaml | 19 +++++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml
index 351d5ef..31ddf4b 100644
--- a/.github/workflows/build_macos.yaml
+++ b/.github/workflows/build_macos.yaml
@@ -88,6 +88,14 @@ jobs:
 CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
 CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
 
+ - name: Check app was signed & notarised successfully
+ if: inputs.sign != ''
+ run: |
+ hdiutil attach dist/*.dmg
+ codesign -dv --verbose=4 /Volumes/Element*/*.app
+ spctl -a -vvv -t install /Volumes/Element*/*.app
+ hdiutil detach /Volumes/Element*
+
 - name: "[Unsigned] Build App"
 if: inputs.sign == ''
 run: |
diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml
index 6b6cd3c..4afbf93 100644
--- a/.github/workflows/build_windows.yaml
+++ b/.github/workflows/build_windows.yaml
@@ -31,6 +31,8 @@ jobs:
 build:
 runs-on: windows-latest
 environment: ${{ inputs.sign && 'packages.element.io' || '' }}
+ env:
+ SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
 steps:
 - uses: kanga333/variable-mapper@master
 id: config
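Review bot: `codesign -dv --verbose=4` in the new "Check app was signed & notarised successfully" step only displays the signature details, so a bundle whose signature is present but no longer valid (altered resources, broken seal) still passes that line; `codesign --verify --deep --strict --verbose=4 /Volumes/Element*/*.app` is the form that actually validates it. The `spctl -a` line does assess Gatekeeper acceptance, which is the part that demonstrates notarisation, though I believe `--type execute` is the assessment type for app bundles while `install` is meant for installer packages, so that is worth confirming against a known-good build. With the runner's default `bash -e` shell a failing check also means `hdiutil detach` is never reached; harmless on an ephemeral runner, but `trap 'hdiutil detach /Volumes/Element*' EXIT` after the attach keeps the step self-cleaning. The `steps` list this is inserted into continues outside the hunk.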
@@ -154,8 +156,13 @@ jobs:
 run: |
 yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }}
 yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }}
- env:
- SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
+
+ - name: Check app was signed successfully
+ if: inputs.sign != ''
+ # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
+ continue-on-error: true
+ run: |
+ . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)
 
 - name: Prepare artifacts for deployment
 if: inputs.deploy-mode
diff --git a/.github/workflows/reprepro.yaml b/.github/workflows/reprepro.yaml
index a2bd67a..a929c54 100644
--- a/.github/workflows/reprepro.yaml
+++ b/.github/workflows/reprepro.yaml
@@ -59,6 +59,25 @@ jobs:
 reprepro -b debian includedeb "$target" ./dist/*.deb
 done
 
+ - name: Check repository works
+ run: |
+ # Download signing keyring
+ sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
+ # Point apt at local apt repo
+ echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://localhost:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
+
+ # Start http server and fetch from it via apt
+ python3 -m http.server 8000 &
+ sudo apt-get update --allow-insecure-repositories
+ killall python3
+
+ # Validate the package in the repo quacks like the one we expect
+ info=$(dpkg --info ../dist/*.deb)
+ package=$(echo "$info" | grep "Package:" | sed -n 's/ Package: //p')
+ version=$(echo "$info" | grep "Version:" | sed -n 's/ Version: //p')
+ apt-cache show "$package" | grep "Version: $version"
+ working-directory: ./packages.element.io
+
 - name: Deploy debian repo
 run: |
 aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
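Review bot: `continue-on-error: true` on the new "Check app was signed successfully" step means a signtool failure is logged but cannot fail the job, so for Windows this commit does not yet assert the signature before deployment the way its title states, and the `XXX` comment is the only thing tracking that gap. If the leniency is meant to last only until the signing setup is proven, an issue-linked comment is harder to ship by accident than a bare `XXX`, and both lines should be dropped before releases depend on this workflow. Smaller point: `&` is PowerShell's call operator for a command path held in a variable; `.` also runs a native executable as far as I can tell, but reads as dot-sourcing, so `& "$env:SIGNTOOL_PATH" verify /pa (Get-Item ./dist/squirrel-windows*/*.exe)` says what is intended. The `build` job's step list continues outside the hunk.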
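Review bot: `sudo apt-get update --allow-insecure-repositories` in the new "Check repository works" step turns a missing or unverifiable Release signature into a warning, so the step proves the repo is servable and lists the expected version, but not that it is signed by the key fetched into the keyring a few lines earlier; a repo reprepro left unsigned would pass and be pushed by the "Deploy debian repo" step. Dropping the flag makes `apt-get update` fail on signature problems, and under the step's default `bash -e` shell that failure stops the job; if the repo is deliberately unsigned at this stage, the step name or a comment should say so, because the commit title reads as a signing assertion. Two smaller points: `grep "Version: $version"` is a substring and regex match, so `grep -Fx "Version: $version"` pins the exact line; and `killall python3` is skipped whenever an earlier line fails, so `server=$!` after the `http.server` line plus `trap 'kill "$server"' EXIT` keeps the server from outliving the check. The `steps` list continues outside the hunk.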