Assert release & nightly builds are signed, notarised & accessible before deployment (#559)

2025-01-18 23:44:59 +01:00 · 2023-03-06 08:56:49 +00:00 · 2023-03-06 08:56:49 +00:00 · 126d2c336b
commit 126d2c336b
parent 383793640d
3 changed files with 36 additions and 2 deletions
--- a/.github/workflows/build_macos.yaml
+++ b/.github/workflows/build_macos.yaml
@ -88,6 +88,14 @@ jobs:
                  CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                  CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}

+            - name: Check app was signed & notarised successfully
+              if: inputs.sign != ''
+              run: |
+                  hdiutil attach dist/*.dmg
+                  codesign -dv --verbose=4 /Volumes/Element*/*.app
+                  spctl -a -vvv -t install /Volumes/Element*/*.app
+                  hdiutil detach /Volumes/Element*
+
            - name: "[Unsigned] Build App"
              if: inputs.sign == ''
              run: |
--- a/.github/workflows/build_windows.yaml
+++ b/.github/workflows/build_windows.yaml
@ -31,6 +31,8 @@ jobs:
    build:
        runs-on: windows-latest
        environment: ${{ inputs.sign && 'packages.element.io' || '' }}
+        env:
+            SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
        steps:
            - uses: kanga333/variable-mapper@master
              id: config
@ -154,8 +156,13 @@ jobs:
              run: |
                  yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }}
                  yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }}
-              env:
-                  SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
+
+            - name: Check app was signed successfully
+              if: inputs.sign != ''
+              # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
+              continue-on-error: true
+              run: |
+                  . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)

            - name: Prepare artifacts for deployment
              if: inputs.deploy-mode
--- a/.github/workflows/reprepro.yaml
+++ b/.github/workflows/reprepro.yaml
@ -59,6 +59,25 @@ jobs:
                      reprepro -b debian includedeb "$target" ./dist/*.deb
                  done

+            - name: Check repository works
+              run: |
+                  # Download signing keyring
+                  sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
+                  # Point apt at local apt repo
+                  echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://localhost:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
+
+                  # Start http server and fetch from it via apt
+                  python3 -m http.server 8000 &
+                  sudo apt-get update --allow-insecure-repositories
+                  killall python3
+
+                  # Validate the package in the repo quacks like the one we expect
+                  info=$(dpkg --info ../dist/*.deb)
+                  package=$(echo "$info" | grep "Package:" | sed -n 's/ Package: //p')
+                  version=$(echo "$info" | grep "Version:" | sed -n 's/ Version: //p')
+                  apt-cache show "$package" | grep "Version: $version"
+              working-directory: ./packages.element.io
+
            - name: Deploy debian repo
              run: |
                  aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto