From 8f464b9450c841ae73f5215d16dd0612a9eae1d0 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Wed, 19 Feb 2025 14:34:43 +0000
Subject: [PATCH] Improve CI test signing & assert expected files (#2137)
---
.github/SSLcom-sandbox.crt | 35 +++++++++++++++++++++++++++
.github/workflows/build_and_test.yaml | 6 -----
.github/workflows/build_linux.yaml | 7 ++++++
.github/workflows/build_macos.yaml | 5 ++++
.github/workflows/build_windows.yaml | 23 +++++++++++++++---
5 files changed, 67 insertions(+), 9 deletions(-)
create mode 100644 .github/SSLcom-sandbox.crt
diff --git a/.github/SSLcom-sandbox.crt b/.github/SSLcom-sandbox.crt
new file mode 100644
index 00000000..84a7d867
--- /dev/null
+++ b/.github/SSLcom-sandbox.crt
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGBzCCA++gAwIBAgIIaI6ivggL++4wDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNV +BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE +CgwPU1NMIENvcnBvcmF0aW9uMUUwQwYDVQQDDDxTU0wuY29tIEVWIFJvb3QgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyIC0gRGV2ZWxvcG1lbnQwHhcNMTgw +MTE2MTIxNjM2WhcNNDMwMTE1MTIxNjM2WjCBkDELMAkGA1UEBhMCVVMxDjAMBgNV +BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9y +YXRpb24xRTBDBgNVBAMMPFNTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1 +dGhvcml0eSBSU0EgUjIgLSBEZXZlbG9wbWVudDCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAK/qcD65JCkueKp0+KXG2kAw8euDHuraLR3lJoUFz4ilGK1M +t+RjSuY6dHQw8ku7TnW9ejWoSFjCBSDx7tP/fzOwOxmBW6+F1NDuV/IaUtn3G2lk +CZglVk9z3n1HuWDN10xNiLoo5nzeIlvNAoDbXDGhI4Y6Z0qouAIS607JpJMWHOqZ +OUiiOuM11gI5Kz9GtVttXCjRmwlkU8WiJVIUuVedQAQt2FChrzNQewGFFi0uIau/ +wFRclx6hd4JRIImC6VMJd9lcitWsqMcM94pD3fX2ozNgWX+MVlmcDYFSN9Sv8tG4 +yCj4ONS8HZGzbxeyQXJhEJSi2FnBi0j6MD/d4DNFj0hCg9wz3fgVLDGCO0pNMO0Y +oXdrzfoj1/zEv0Ibgh7zKG2JHkPfapn3ExFI5d6xi66u5tPVI8cvLxqrgybRPs7Z +y1dQA7ew3LyTPAHoGtbTMvewtx1TkTtRxxhRRm0l58owqSVbSYrixFtosNobCERo +uiknaQqoY1ZDsdKsaqFoZDbntNRYhN3Ea4OPWVqDUU5ZPz9MTIRAi3MIq854yyQo +BjX9nv+kYa+Esr19pxUW0z7BWFhbXsMVpt0QMVyhwgzXvEreaZHFwHHaGb9d5x5P +VBDhsigMmtzBk9NlbCsy+uGXWHgZA/DVefueEq0sv38VoU30uYa5Tj0FLm09AgMB +AAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUI9PCucv3G9fRoTDu +ZQ4Hw6g4PkIwHQYDVR0OBBYEFCPTwrnL9xvX0aEw7mUOB8OoOD5CMA4GA1UdDwEB +/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAk43CCrC0Zbvi7YUsSePKi+KzvyQ9 +mjKa5NBU/A5/sLeZS3R+wqCX7l5euYVDsUuNgNVD/QL9jNIonuHBrvKaxkmqxE1r +IcDEaUdjy2lQ0uqD7UDoS3ctrjGkPpUahrTdr3gaKcQBtUhn9v4Y2OBm6J1hDVwI +CIKcxIzRv6AUpApOtk+++m5tzDU48t8+GzrVl1hkspSYcumA+zuHllbPDL1ADdo5 +kK/bBQtZrGqzPqKzeqaB1A5Wm0Igwf++7nyzdKNdjxtv907D9vg8EB4Swavuv/Ne +5/jbpI32pz0NIzzSl5ARAHuFhILsO/cEAlloDoTHzibHqFDIeU9/59HMUsJYMOtD +Ii0/LmQ6dBE4TeukCCLJwtkFYZ2eBgDjF/LHBB+z/UBs4milRgwx+Pe5UDUEjtGe +G/XMVnTSKZTy9jMaXJD5EmfP+Cfh8EEgFgjg4AmLUbEo9gXzPxyXSLgd8JGSsjg8 
+EV/Ri4Mmmt4XUwlSVvEOezxxDGd17gwbottCIC+rqPHonHkGmKpLMH80Bk0uOOCs +ui1oVwSifMyIcudgCcOfRLUf/f2j2NW7N7E7Vw/Zqfn+pqp/EG0KCqOM2vfJAc0s +u3rSrOJZGtB6txgtmTjoadxApWf4U/FCi3uArt6gS5MJqZjuiRNXs/K3SlSAqLGl +5UiG52ew+VdBHzE= +-----END CERTIFICATE----- diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 0cea1bd2..6eef1ca9 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -121,12 +121,6 @@ jobs: # We need sudo on Linux as it is installed in /opt/ RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }} - - name: Workaround macOS GHA permission issues - if: runner.os == 'macOS' - run: | - sqlite3 $HOME/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT OR IGNORE INTO access VALUES ('kTCCServiceMicrophone','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159,NULL,NULL,'UNUSED',1687786159);" - sqlite3 $HOME/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT OR IGNORE INTO access VALUES ('kTCCServiceMicrophone','/opt/off/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159,NULL,NULL,'UNUSED',1687786159);" - - name: Run tests uses: coactions/setup-xvfb@6b00cf1889f4e1d5a48635647013c0508128ee1a timeout-minutes: 5 diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index 1c3dd797..45ca5379 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -180,3 +180,10 @@ jobs: dist !dist/*-unpacked/** retention-days: 1 + + - name: Assert all required files are present + run: | + test -f ./dist/element-desktop*$ARCH.deb + test -f ./dist/element-desktop*.tar.gz + env: + ARCH: ${{ inputs.arch }} diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index 44fa4a1d..33858498 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml 
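Review bot: `test -f` takes exactly one operand, so both checks added in build_linux.yaml depend on each glob matching a single file; a second matching `.deb` or `.tar.gz` makes `test` exit with a usage error instead of a clear message, and an empty `ARCH` widens the first pattern to a package of any architecture. Quoting the variable and failing with a named message would make the step self-explanatory, for example `ls ./dist/element-desktop*"$ARCH".deb >/dev/null || { echo "missing .deb for $ARCH"; exit 1; }`. The same applies to the two `test -f` lines added in build_macos.yaml. The step is also placed after the artifact upload, so an incomplete `dist` has already been uploaded by the time the assertion fails.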
@@ -139,3 +139,8 @@ jobs: dist !dist/mac-universal/** retention-days: 1 + + - name: Assert all required files are present + run: | + test -f ./dist/Element*.dmg + test -f ./dist/Element*-mac.zip diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index b48760d6..c6df0ed1 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -172,10 +172,19 @@ jobs: # Only set for Nightly builds ED_NIGHTLY: ${{ inputs.version }} - - name: Check app was signed successfully - if: inputs.sign + - name: Trust eSigner sandbox cert + if: inputs.sign == '' run: | - . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe) + Set-StrictMode -Version 'Latest' + Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath .github/SSLcom-sandbox.crt + + - name: Check app was signed successfully + run: | + Set-StrictMode -Version 'Latest' + Get-ChildItem ` + -Recurse dist ` + -Include *.exe, *.msi ` + | ForEach-Object -Process {. $env:SIGNTOOL_PATH verify /pa $_.FullName; if(!$?) { throw }} - name: Upload Artifacts uses: actions/upload-artifact@v4 @@ -184,3 +193,11 @@ jobs: path: | dist retention-days: 1 + + - name: Assert all required files are present + run: | + Test-Path './dist/win-*unpacked/Element*.exe' + Test-Path './dist/squirrel-windows*/Element Setup*.exe' + Test-Path './dist/squirrel-windows*/element-desktop-*-full.nupkg' + Test-Path './dist/squirrel-windows*/RELEASES' + Test-Path './dist/Element*.msi'
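Review bot: The rewritten signature check in build_windows.yaml passes when `Get-ChildItem` returns nothing, because the `ForEach-Object` body never runs, and `verify /pa` only shows that each file chains to some trusted root, which on the `inputs.sign == ''` path now includes the sandbox root imported into `Cert:\LocalMachine\Root` one step earlier. Collect the files first, fail when the list is empty, and give the `throw` a message that names the file. For production-signed builds it would also be worth comparing the signer subject against the expected publisher (for example with `Get-AuthenticodeSignature`). The source and SHA-256 fingerprint of `.github/SSLcom-sandbox.crt` should be recorded next to the import step so the added trust anchor can be audited.

```yaml
      - name: Check app was signed successfully
        run: |
          # … unchanged: Set-StrictMode …
          $files = @(Get-ChildItem -Recurse dist -Include *.exe, *.msi)
          if ($files.Count -eq 0) { throw 'No .exe or .msi files found under dist to verify' }
          foreach ($file in $files) {
            & $env:SIGNTOOL_PATH verify /pa $file.FullName
            if ($LASTEXITCODE -ne 0) { throw "Signature verification failed: $($file.FullName)" }
          }
```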
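Review bot: `Test-Path` only writes `True` or `False` to the output and raises no error for a missing path, so under the PowerShell shell the other steps in this job appear to use, the new "Assert all required files are present" step succeeds even when every listed file is absent. Each check has to fail explicitly; looping over the patterns and throwing on the first one that does not resolve keeps the list readable and names the missing file in the log. As in the Linux and macOS workflows, the step runs after the upload, so moving it before "Upload Artifacts" would stop an incomplete build from being uploaded.

```yaml
      - name: Assert all required files are present
        run: |
          $required = @(
            './dist/win-*unpacked/Element*.exe',
            './dist/squirrel-windows*/Element Setup*.exe',
            './dist/squirrel-windows*/element-desktop-*-full.nupkg',
            './dist/squirrel-windows*/RELEASES',
            './dist/Element*.msi'
          )
          foreach ($pattern in $required) {
            if (-not (Test-Path $pattern)) { throw "Missing build output: $pattern" }
          }
```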