From da6bb8cbeb81e0e0116afd9eaaf80d876413754b Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Thu, 9 May 2024 10:21:21 +0200 Subject: [PATCH 1/7] fix typo --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ae2cf4e..aa3fd643 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -157,7 +157,7 @@ jobs: create-macos-bundle: needs: build - # for not they are exaclty the same + # for now they are exaclty the same strategy: matrix: arch: [amd64, arm64] From 1ebbd6b9d604239d69fe0d607676f1b2cae6627c Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Mon, 13 May 2024 17:42:52 +0200 Subject: [PATCH 2/7] use eToken for signing, create a dedicated step for signing --- .github/workflows/release.yml | 57 ++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aa3fd643..8cf090ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,7 +45,7 @@ jobs: run: shell: bash -# by default disable CGO, it's not needed (except on macos) + # by default disable CGO, it's not needed (except on macos) env: CGO_ENABLED: 0 @@ -371,9 +371,6 @@ jobs: # vars used by installbuilder INSTALLBUILDER_PATH: "/opt/installbuilder-23.11.0/bin/builder" INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Create_Agent" - # installbuilder will read this vars automatically (defined in installer.xml): - INSTALLER_CERT_WINDOWS_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }} - INSTALLER_CERT_WINDOWS_PFX: "/tmp/ArduinoCerts2020.pfx" strategy: fail-fast: false # if one os is failing continue nonetheless @@ -424,11 +421,6 @@ jobs: - name: Save InstallBuilder license to file run: echo "${{ secrets.INSTALLER_LICENSE }}" > /tmp/license.xml - - name: Save Win signing certificate to file - run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_PFX}} - if: matrix.os == 'windows-2019' - - # installbuilder reads the env vars with certs paths and use it to sign the installer. - name: Launch Bitrock installbuilder run: ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.installbuilder-name }} --verbose --license /tmp/license.xml --setvars ${{ env.INSTALLER_VARS }} architecture=${{ matrix.arch }} @@ -443,6 +435,49 @@ jobs: path: ArduinoCreateAgent* if-no-files-found: error + # This job will sign the Windows installer + sign-windows: + runs-on: [self-hosted, windows-sign-pc] + needs: package + + defaults: + run: + shell: bash + + env: + INSTALLER_CERT_WINDOWS_CER: "/tmp/cert.cer" + # We are hardcoding the path for signtool because is not present on the windows PATH env var by default. + # Keep in mind that this path could change when upgrading to a new runner version + SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe" + + strategy: + matrix: + arch: [amd64, 386] + + steps: + - name: Download artifact + uses: actions/download-artifact@v3 + with: + name: ArduinoCreateAgent-windows-${{ matrix.arch }} + + - name: Save Win signing certificate to file + run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_CER }}" | base64 --decode > ${{ env.INSTALLER_CERT_WINDOWS_CER}} + + - name: Sign EXE + env: + CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }} + CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }} + # https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken + run: | + "${{ env.SIGNTOOL_PATH }}" sign -d "Arduino Create Agent" -f ${{ env.INSTALLER_CERT_WINDOWS_CER}} -csp "eToken Base Cryptographic Provider" -k "[{{${{ env.CERT_PASSWORD }}}}]=${{ env.CONTAINER_NAME }}" -fd sha256 -tr http://timestamp.digicert.com -td SHA256 -v "ArduinoCreateAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe" + + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + if-no-files-found: error + name: ArduinoCreateAgent-windows-${{ matrix.arch }}-signed + path: ArduinoCreateAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe + # This job will generate a dmg mac installer, sign/notarize it. generate-sign-dmg: needs: notarize-macos @@ -544,7 +579,7 @@ jobs: create-release: runs-on: ubuntu-20.04 environment: production - needs: [build, package, generate-sign-dmg] + needs: [build, generate-sign-dmg, sign-windows] steps: - name: Checkout @@ -563,7 +598,7 @@ jobs: mv -v ArduinoCreateAgent-linux-amd64/* release/ cat ArduinoCreateAgent-osx-amd64/*.tar | tar -xvf - -i -C release/ rm -v release/._ArduinoCreateAgent*.dmg - mv -v ArduinoCreateAgent-windows*/* release/ + mv -v ArduinoCreateAgent-windows*-signed/* release/ - name: VirusTotal Scan id: virustotal_step From 752aca527384a035e4a653bc6f3060582ee7a125 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Mon, 13 May 2024 17:43:05 +0200 Subject: [PATCH 3/7] update workflow, we have a certificate and no longer a container for win --- .github/workflows/check-certificates.yml | 63 +++++++++++++++--------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml index 28e8297c..9f403bd1 100644 --- a/.github/workflows/check-certificates.yml +++ b/.github/workflows/check-certificates.yml @@ -37,9 +37,11 @@ jobs: - identifier: macOS signing certificate # Text used to identify certificate in notifications. certificate-secret: INSTALLER_CERT_MAC_P12 # Name of the secret that contains the certificate. password-secret: INSTALLER_CERT_MAC_PASSWORD # Name of the secret that contains the certificate password. + type: pkcs12 - identifier: Windows signing certificate - certificate-secret: INSTALLER_CERT_WINDOWS_PFX - password-secret: INSTALLER_CERT_WINDOWS_PASSWORD + certificate-secret: INSTALLER_CERT_WINDOWS_CER + # The password for the Windows certificate is not needed, because its not a container, but a single certificate. + type: x509 steps: - name: Set certificate path environment variable @@ -58,7 +60,7 @@ jobs: CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }} run: | ( - openssl pkcs12 \ + openssl ${{ matrix.certificate.type }} \ -in "${{ env.CERTIFICATE_PATH }}" \ -noout -passin env:CERTIFICATE_PASSWORD ) || ( @@ -83,25 +85,42 @@ jobs: CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }} id: get-days-before-expiration run: | - EXPIRATION_DATE="$( - ( - openssl pkcs12 \ - -in "${{ env.CERTIFICATE_PATH }}" \ - -clcerts \ - -nodes \ - -passin env:CERTIFICATE_PASSWORD - ) | ( - openssl x509 \ - -noout \ - -enddate - ) | ( - grep \ - --max-count=1 \ - --only-matching \ - --perl-regexp \ - 'notAfter=(\K.*)' - ) - )" + if [[ ${{ matrix.certificate.type }} == "pkcs12" ]]; then + EXPIRATION_DATE="$( + ( + openssl pkcs12 \ + -in "${{ env.CERTIFICATE_PATH }}" \ + -clcerts \ + -nodes \ + -passin env:CERTIFICATE_PASSWORD + ) | ( + openssl x509 \ + -noout \ + -enddate + ) | ( + grep \ + --max-count=1 \ + --only-matching \ + --perl-regexp \ + 'notAfter=(\K.*)' + ) + )" + elif [[ ${{ matrix.certificate.type }} == "x509" ]]; then + EXPIRATION_DATE="$( + ( + openssl x509 \ + -in "${{ env.CERTIFICATE_PATH }}" \ + -noout \ + -enddate + ) | ( + grep \ + --max-count=1 \ + --only-matching \ + --perl-regexp \ + 'notAfter=(\K.*)' + ) + )" + fi DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))" From 7d2ec28a3d91983687148d4b18a711dddb94528b Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 15 May 2024 16:27:12 +0200 Subject: [PATCH 4/7] env var $GITHUB_REF not expanded in step input causing workflow to fail --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8cf090ce..33fe2b7e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -476,7 +476,7 @@ jobs: with: if-no-files-found: error name: ArduinoCreateAgent-windows-${{ matrix.arch }}-signed - path: ArduinoCreateAgent-${GITHUB_REF##*/}-windows-${{ matrix.arch }}-installer.exe + path: ArduinoCreateAgent-*-windows-${{ matrix.arch }}-installer.exe # This job will generate a dmg mac installer, sign/notarize it. generate-sign-dmg: From 29c73a22e0ace72e43a0c010672d8a4cbf24b256 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 15 May 2024 14:58:40 +0200 Subject: [PATCH 5/7] bump runner, so that we get an updated version of openssl OpenSSL 1.1.1f-1ubuntu2.22 in Ubuntu 20.04 https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md OpenSSL 3.0.2-0ubuntu1.15 in Ubuntu 22.04 https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md --- .github/workflows/check-certificates.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml index 9f403bd1..890f2d09 100644 --- a/.github/workflows/check-certificates.yml +++ b/.github/workflows/check-certificates.yml @@ -26,7 +26,7 @@ jobs: if: > (github.event_name != 'pull_request' && github.repository == 'arduino/arduino-create-agent') || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-create-agent') - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 strategy: fail-fast: false From a2d247bf0c0148403caaa50d13a158722c3f0a21 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 15 May 2024 15:08:22 +0200 Subject: [PATCH 6/7] add flag to correctly recognize the algorithm see https://github.com/openssl/openssl/discussions/23089 --- .github/workflows/check-certificates.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml index 890f2d09..a4a3e6f3 100644 --- a/.github/workflows/check-certificates.yml +++ b/.github/workflows/check-certificates.yml @@ -62,7 +62,8 @@ jobs: ( openssl ${{ matrix.certificate.type }} \ -in "${{ env.CERTIFICATE_PATH }}" \ - -noout -passin env:CERTIFICATE_PASSWORD + -noout -passin env:CERTIFICATE_PASSWORD \ + -legacy ) || ( echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!" exit 1 @@ -92,7 +93,8 @@ jobs: -in "${{ env.CERTIFICATE_PATH }}" \ -clcerts \ -nodes \ - -passin env:CERTIFICATE_PASSWORD + -passin env:CERTIFICATE_PASSWORD \ + -legacy ) | ( openssl x509 \ -noout \ From 03c77c4677869dcf9bc6fc57a454b54a9bfd3c91 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 15 May 2024 15:39:39 +0200 Subject: [PATCH 7/7] remove double quotes, they cause errors with new version of openssl: `Could not read certificate from ` --- .github/workflows/check-certificates.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml index a4a3e6f3..694792dc 100644 --- a/.github/workflows/check-certificates.yml +++ b/.github/workflows/check-certificates.yml @@ -90,7 +90,7 @@ jobs: EXPIRATION_DATE="$( ( openssl pkcs12 \ - -in "${{ env.CERTIFICATE_PATH }}" \ + -in ${{ env.CERTIFICATE_PATH }} \ -clcerts \ -nodes \ -passin env:CERTIFICATE_PASSWORD \ @@ -111,7 +111,7 @@ jobs: EXPIRATION_DATE="$( ( openssl x509 \ - -in "${{ env.CERTIFICATE_PATH }}" \ + -in ${{ env.CERTIFICATE_PATH }} \ -noout \ -enddate ) | (