Add code signing for Windows executables. (#18222)

* Add code signing for Windows executables. * Fix typos and add failure notification. * Use full version for trusted signing action. Because MS isn’t publishing it with proper semver tags. * Avoid reinstalling dependencies that are already installed. * Fix CMake 3.30 compatibility. * Don’t let BUILD_DIR propagate to cmake. * Fix JSON-C build warning. * Fix handling of externally specified build directories. While regular Windows paths do actually work under MSYS2, they seem to confuse CMake, so we need to convert to a standard MSYS2 path if `BUILD_DIR` is set to a Windows path. * Fix typo. * Fix build directory handling.
2025-04-26 13:54:48 +00:00 · 2024-08-08 07:24:54 -04:00 · 2024-08-08 07:24:54 -04:00 · a3ea51ed15
commit a3ea51ed15
parent 6089849cf6
7 changed files with 105 additions and 36 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1082,11 +1082,47 @@ jobs:
      - name: Build Netdata
        id: build
        if: needs.file-check.outputs.run == 'true'
        env:
          BUILD_DIR: ${{ github.workspace }}\build
        run: ./packaging/windows/build.ps1
      - name: Sign Agent Code
        id: sign-agent
        if: needs.file-check.outputs.run == 'true' && github.event_name != 'pull_request'
        uses: azure/trusted-signing-action@v0.4.0
        with:
          azure-tennant-id: ${{ secrets.CODE_SIGNING_TENNANT_ID }}
          azure-client-id: ${{ secrets.CODE_SIGNING_CLIENT_ID }}
          azure-client-secret: ${{ secrets.CODE_SIGNING_CLIENT_SECRET }}
          endpoint: "https://eus.codesigning.azure.net/"
          trusted-signing-account-name: Netdata
          certificate-profile-name: Netdata
          files-folder: ${{ github.workspace }}\build
          files-folder-filter: exe,dll
          files-recurse: true
          file-digest: SHA256
          timestamp-rfc3161: "http://timestamp.acs.microsoft.com"
          timestamp-digest: SHA256
      - name: Package Netdata
        id: package
        if: needs.file-check.outputs.run == 'true'
        env:
          BUILD_DIR: ${{ github.workspace }}\build
        run: ./packaging/windows/package.ps1
      - name: Sign Installer
        id: sign-installer
        if: needs.file-check.outputs.run == 'true' && github.event_name != 'pull_request'
        uses: azure/trusted-signing-action@v0.4.0
        with:
          azure-tennant-id: ${{ secrets.CODE_SIGNING_TENNANT_ID }}
          azure-client-id: ${{ secrets.CODE_SIGNING_CLIENT_ID }}
          azure-client-secret: ${{ secrets.CODE_SIGNING_CLIENT_SECRET }}
          endpoint: "https://eus.codesigning.azure.net/"
          trusted-signing-account-name: Netdata
          certificate-profile-name: Netdata
          files: ${{ github.workspace }}\packaging\windows\netdata-installer.exe
          file-digest: SHA256
          timestamp-rfc3161: "http://timestamp.acs.microsoft.com"
          timestamp-digest: SHA256
      - name: Upload Installer
        id: upload
        uses: actions/upload-artifact@v4
@ -1094,6 +1130,32 @@ jobs:
          name: windows-x86_64-installer
          path: packaging\windows\netdata-installer.exe
          retention-days: 30
      - name: Failure Notification
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_COLOR: 'danger'
          SLACK_FOOTER: ''
          SLACK_ICON_EMOJI: ':github-actions:'
          SLACK_TITLE: 'Windows build failed:'
          SLACK_USERNAME: 'GitHub Actions'
          SLACK_MESSAGE: |-
              ${{ github.repository }}: Updater checks for ${{ matrix.distro }} failed.
              Checkout: ${{ steps.checkout.outcome }}
              Set Up Dependencies: ${{ steps.deps.outcome }}
              Build Netdata: ${{ steps.build.outcome }}
              Sign Agent Code: ${{ steps.sign-agent.outcome }}
              Package Netdata: ${{ steps.package.outcome }}
              Sign Installer: ${{ steps.sign-installer.outcome }}
              Upload Installer: ${{ steps.upload.outcome }}
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
        if: >-
          ${{
            failure()
            && startsWith(github.ref, 'refs/heads/master')
            && github.event_name != 'pull_request'
            && github.repository == 'netdata/netdata'
            && needs.file-check.outputs.run == 'true'
          }}
  updater-check: # Test the generated dist archive using the updater code.
    name: Test Generated Distfile and Updater Code
--- a/packaging/cmake/Modules/NetdataFetchContentExtra.cmake
+++ b/packaging/cmake/Modules/NetdataFetchContentExtra.cmake
@ -38,8 +38,17 @@ endmacro()
 #
 # This needs to be explicitly included for any sub-project that needs
 # to be built for the target system.
 #
 # This also needs to _NOT_ have any generator expressions, as they are not
 # supported for the required usage of this variable in CMake 3.30 or newer.
 set(NETDATA_PROPAGATE_TOOLCHAIN_ARGS
    "-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
+     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}")
-     $<$<BOOL:${CMAKE_C_COMPILER_TARGET}>:-DCMAKE_C_COMPILER_TARGET=${CMAKE_C_COMPILER_TARGET}
+
-     $<$<BOOL:${CMAKE_CXX_COMPILER_TARGET}>:-DCMAKE_CXX_COMPILER_TARGET=${CMAKE_CXX_COMPILER_TARGET}")
+if(DEFINED CMAKE_C_COMPILER_TARGET)
  set(NETDATA_PROPAGATE_TOOLCHAIN_ARGS "${NETDATA_PROPAGATE_TOOLCHAIN_ARGS} -DCMAKE_C_COMPILER_TARGET=${CMAKE_C_COMPILER_TARGET}")
 endif()
 if(DEFINED CMAKE_CXX_COMPILER_TARGET)
  set(NETDATA_PROPAGATE_TOOLCHAIN_ARGS "${NETDATA_PROPAGATE_TOOLCHAIN_ARGS} -DCMAKE_CXX_COMPILER_TARGET=${CMAKE_CXX_COMPILER_TARGET}")
 endif()
--- a/packaging/cmake/Modules/NetdataJSONC.cmake
+++ b/packaging/cmake/Modules/NetdataJSONC.cmake
@ -75,7 +75,7 @@ macro(netdata_detect_jsonc)
        endif()
        if(NOT JSONC_FOUND)
-                set(ENABLE_BUNDLED_JSONC True PARENT_SCOPE)
+                set(ENABLE_BUNDLED_JSONC True)
                netdata_bundle_jsonc()
                set(NETDATA_JSONC_LDFLAGS json-c)
                set(NETDATA_JSONC_INCLUDE_DIRS ${PROJECT_BINARY_DIR}/include)
--- a/packaging/windows/compile-on-windows.sh
+++ b/packaging/windows/compile-on-windows.sh
@ -1,21 +1,10 @@
 #!/bin/bash
-repo_root="$(dirname "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd -P)")")"
+REPO_ROOT="$(dirname "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd -P)")")"
 CMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE:-RelWithDebInfo}"
-if [ -n "${BUILD_DIR}" ]; then
+# shellcheck source=./win-build-dir.sh
-    build="${BUILD_DIR}"
+. "${REPO_ROOT}/packaging/windows/win-build-dir.sh"
 elif [ -n "${OSTYPE}" ]; then
    if [ -n "${MSYSTEM}" ]; then
        build="${repo_root}/build-${OSTYPE}-${MSYSTEM}"
    else
        build="${repo_root}/build-${OSTYPE}"
    fi
 elif [ "$USER" = "vk" ]; then
    build="${repo_root}/build"
 else
    build="${repo_root}/build"
 fi
 set -exu -o pipefail
@ -42,7 +31,7 @@ fi
 ${GITHUB_ACTIONS+echo "::group::Configuring"}
 # shellcheck disable=SC2086
 CFLAGS="${BUILD_CFLAGS}" /usr/bin/cmake \
-    -S "${repo_root}" \
+    -S "${REPO_ROOT}" \
    -B "${build}" \
    -G "${generator}" \
    -DCMAKE_INSTALL_PREFIX="/opt/netdata" \
--- a/packaging/windows/msys2-dependencies.sh
+++ b/packaging/windows/msys2-dependencies.sh
@ -11,7 +11,7 @@ pacman -Syuu --noconfirm
 ${GITHUB_ACTIONS+echo "::endgroup::"}
 ${GITHUB_ACTIONS+echo "::group::Installing dependencies"}
-pacman -S --noconfirm \
+pacman -S --noconfirm --needed \
    base-devel \
    cmake \
    git \
--- a/packaging/windows/package-windows.sh
+++ b/packaging/windows/package-windows.sh
@ -1,20 +1,9 @@
 #!/bin/bash
-repo_root="$(dirname "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd -P)")")"
+REPO_ROOT="$(dirname "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null && pwd -P)")")"
-if [ -n "${BUILD_DIR}" ]; then
+# shellcheck source=./win-build-dir.sh
-    build="${BUILD_DIR}"
+. "${REPO_ROOT}/packaging/windows/win-build-dir.sh"
 elif [ -n "${OSTYPE}" ]; then
    if [ -n "${MSYSTEM}" ]; then
        build="${repo_root}/build-${OSTYPE}-${MSYSTEM}"
    else
        build="${repo_root}/build-${OSTYPE}"
    fi
 elif [ "$USER" = "vk" ]; then
    build="${repo_root}/build"
 else
    build="${repo_root}/build"
 fi
 set -exu -o pipefail
@ -24,7 +13,7 @@ ${GITHUB_ACTIONS+echo "::endgroup::"}
 if [ ! -f "/msys2-installer.exe" ]; then
    ${GITHUB_ACTIONS+echo "::group::Fetching MSYS2 installer"}
-    "${repo_root}/packaging/windows/fetch-msys2-installer.py" /msys2-installer.exe
+    "${REPO_ROOT}/packaging/windows/fetch-msys2-installer.py" /msys2-installer.exe
    ${GITHUB_ACTIONS+echo "::endgroup::"}
 fi
@ -33,5 +22,5 @@ NDVERSION=$"$(grep 'CMAKE_PROJECT_VERSION:STATIC' "${build}/CMakeCache.txt"| cut
 NDMAJORVERSION=$"$(grep 'CMAKE_PROJECT_VERSION_MAJOR:STATIC' "${build}/CMakeCache.txt"| cut -d= -f2)"
 NDMINORVERSION=$"$(grep 'CMAKE_PROJECT_VERSION_MINOR:STATIC' "${build}/CMakeCache.txt"| cut -d= -f2)"
-/mingw64/bin/makensis.exe -DCURRVERSION="${NDVERSION}" -DMAJORVERSION="${NDMAJORVERSION}" -DMINORVERSION="${NDMINORVERSION}" "${repo_root}/packaging/windows/installer.nsi"
+/mingw64/bin/makensis.exe -DCURRVERSION="${NDVERSION}" -DMAJORVERSION="${NDMAJORVERSION}" -DMINORVERSION="${NDMINORVERSION}" "${REPO_ROOT}/packaging/windows/installer.nsi"
 ${GITHUB_ACTIONS+echo "::endgroup::"}
--- a/packaging/windows/win-build-dir.sh
+++ b/packaging/windows/win-build-dir.sh
@ -0,0 +1,20 @@
 #!/bin/bash
 if [ -n "${BUILD_DIR}" ]; then
    if (echo "${BUILD_DIR}" | grep -q -E "^[A-Z]:\\\\"); then
        build="$(echo "${BUILD_DIR}" | sed -e 's/\\/\//g' -e 's/^\([A-Z]\):\//\/\1\//' -)"
    else
        build="${BUILD_DIR}"
    fi
 elif [ -n "${OSTYPE}" ]; then
    if [ -n "${MSYSTEM}" ]; then
        build="${REPO_ROOT}/build-${OSTYPE}-${MSYSTEM}"
    else
        build="${REPO_ROOT}/build-${OSTYPE}"
    fi
 elif [ "$USER" = "vk" ]; then
    build="${REPO_ROOT}/build"
 else
    # shellcheck disable=SC2034
    build="${REPO_ROOT}/build"
 fi