WIP: Test SignPath errors

drawpile · Nov 6, 2024 · afc159f · afc159f
1 parent b2221cd
commit afc159f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 268 deletions.
diff --git a/.github/scripts/edit-pe-metadata.cmake b/.github/scripts/edit-pe-metadata.cmake
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: MIT
-if(NOT PRODUCT_NAME OR NOT PRODUCT_VERSION OR NOT SEARCH_PATHS)
-    message(FATAL_ERROR "PRODUCT_NAME, PRODUCT_VERSION and SEARCH_PATHS are required")
+if(NOT FILE_DESCRIPTION OR NOT FILE_VERSION OR NOT PRODUCT_NAME OR NOT PRODUCT_VERSION OR NOT SEARCH_PATHS)
+    message(FATAL_ERROR "FILE_DESCRIPTION, FILE_VERSION, PRODUCT_NAME, PRODUCT_VERSION and SEARCH_PATHS are required")
 endif()
 
 find_program(RCEDIT_COMMAND rcedit REQUIRED)
@@ -17,6 +17,8 @@ foreach(pe_path IN LISTS pe_paths)
         COMMAND
             ${RCEDIT_COMMAND}
             "${pe_path}"
+            --set-version-string FileDescription "${FILE_DESCRIPTION}"
+            --set-version-string FileVersion "${FILE_VERSION}"
             --set-version-string ProductName "${PRODUCT_NAME}"
             --set-version-string ProductVersion "${PRODUCT_VERSION}"
         COMMAND_ECHO STDOUT

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -43,212 +43,6 @@ jobs:
         # There's ways to deduplicate these includes, but any mistake causes
         # utterly confounding errors, so just explicitly specify each target.
         include:
-          - os: ubuntu-20.04
-            cross_os: ''
-            component: ''
-            qt: 5.15.14
-            arch: x86_64
-            sccache_triplet: x86_64-unknown-linux-musl
-            build_flags: -DINITSYS=systemd -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
-            build_type: Release
-            collect_symbols: false
-            signpath: false
-            # This causes the AppImage to be generated, instead of just creating
-            # the portable tree, because there seems to be no way to separate
-            # these steps with linuxdeploy
-            # Even though the svg component is linked explicitly,
-            # linuxdeploy-plugin-qt does not seem to notice and so does not
-            # export the iconengine if it is not told that we really, really
-            # want svg plugins please
-            packager: >-
-              EXTRA_QT_PLUGINS="svg;"
-              VERSION="${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || '$(git describe)' }}"
-              cmake --install build --config Release
-            # The runner has multiple clang versions installed and CMake/Qt gets
-            # confused about which one to pick for some reason, so this also
-            # sets Clang_ROOT during the Qt build
-            qt_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libatspi2.0-dev libmtdev-dev libts-dev libgtk-3-dev
-              libgl1-mesa-dev libglu1-mesa-dev libxi-dev libdrm-dev
-              libgbm-dev libgl-dev libgles-dev libegl-dev libegl1-mesa-dev
-              libxext-dev libxfixes-dev libxrender-dev libx11-dev
-              libxcb1-dev libx11-xcb-dev libxcb-glx0-dev libxcb-util0-dev
-              libxkbcommon-dev libxkbcommon-x11-dev libxcb-keysyms1-dev
-              libxcb-image0-dev libxcb-shm0-dev libxcb-icccm4-dev
-              libxcb-sync-dev libxcb-xfixes0-dev libxcb-shape0-dev
-              libxcb-randr0-dev libxcb-render0-dev libxcb-render-util0-dev
-              libxcb-util-dev libinput-dev libvulkan-dev
-              libxcb-xinerama0-dev libxcb-xkb-dev libxcb-xinput-dev libclang-12-dev
-              libasound2-dev libpulse-dev libcups2-dev libssl-dev
-              libfontconfig1-dev &&
-              echo "Clang_ROOT=/usr/lib/llvm-12" >> $GITHUB_ENV
-            ffmpeg_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              nasm yasm
-            other_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libsecret-1-dev
-
-          - os: ubuntu-20.04
-            cross_os: Android
-            component: ''
-            qt: 5.15.14
-            arch: arm64
-            sccache_triplet: x86_64-unknown-linux-musl
-            build_type: Release
-            collect_symbols: false
-            signpath: false
-            packager: cmake --install build --config Release --prefix .
-            cross_qt_args: >-
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=arm64-v8a
-            cross_ffmpeg_args: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=arm64-v8a
-            cross_other_args: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=arm64-v8a
-            build_flags: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              "-DANDROID_TARGET_SDK_VERSION=$ANDROID_TARGET_SDK_VERSION"
-              "-DANDROID_SDK_BUILD_TOOLS_REVISION=$ANDROID_BUILD_TOOLS_VERSION"
-              -DANDROID_ABI=arm64-v8a
-              -DCMAKE_FIND_ROOT_PATH_MODE_PACKAGE=on
-              -DCMAKE_FIND_ROOT_PATH_MODE_INCLUDE=BOTH
-              -DCMAKE_FIND_ROOT_PATH_MODE_LIBRARY=BOTH
-              -DCMAKE_FIND_ROOT_PATH_MODE_PROGRAM=BOTH
-            # The runner has multiple clang versions installed and CMake/Qt gets
-            # confused about which one to pick for some reason, so this also
-            # sets Clang_ROOT during the Qt build
-            qt_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libatspi2.0-dev libmtdev-dev libts-dev libgtk-3-dev
-              libgl1-mesa-dev libglu1-mesa-dev libxi-dev libdrm-dev
-              libgbm-dev libgl-dev libgles-dev libegl-dev libegl1-mesa-dev
-              libxext-dev libxfixes-dev libxrender-dev libx11-dev
-              libxcb1-dev libx11-xcb-dev libxcb-glx0-dev libxcb-util0-dev
-              libxkbcommon-dev libxkbcommon-x11-dev libxcb-keysyms1-dev
-              libxcb-image0-dev libxcb-shm0-dev libxcb-icccm4-dev
-              libxcb-sync-dev libxcb-xfixes0-dev libxcb-shape0-dev
-              libxcb-randr0-dev libxcb-render0-dev libxcb-render-util0-dev
-              libxcb-util-dev libinput-dev libvulkan-dev
-              libxcb-xinerama0-dev libxcb-xkb-dev libxcb-xinput-dev libclang-12-dev
-              libasound2-dev libpulse-dev libcups2-dev libssl-dev
-              libfontconfig1-dev &&
-              echo "Clang_ROOT=/usr/lib/llvm-12" >> $GITHUB_ENV
-            ffmpeg_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              yasm
-            other_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libsecret-1-dev
-
-          - os: ubuntu-20.04
-            cross_os: Android
-            component: ''
-            qt: 5.15.14
-            arch: arm32
-            sccache_triplet: x86_64-unknown-linux-musl
-            build_type: Release
-            collect_symbols: false
-            signpath: false
-            packager: cmake --install build --config Release --prefix .
-            cross_qt_args: >-
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=armeabi-v7a
-            cross_ffmpeg_args: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=armeabi-v7a
-            cross_other_args: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
-              "-DANDROID_NDK_ROOT=$ANDROID_NDK_ROOT"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              -DANDROID_ABI=armeabi-v7a
-            build_flags: >-
-              "-DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK_TOOLCHAIN_FILE"
-              "-DANDROID_PLATFORM=$ANDROID_PLATFORM"
-              "-DANDROID_TARGET_SDK_VERSION=$ANDROID_TARGET_SDK_VERSION"
-              "-DANDROID_SDK_BUILD_TOOLS_REVISION=$ANDROID_BUILD_TOOLS_VERSION"
-              -DANDROID_ABI=armeabi-v7a
-              -DCMAKE_FIND_ROOT_PATH_MODE_PACKAGE=on
-              -DCMAKE_FIND_ROOT_PATH_MODE_INCLUDE=BOTH
-              -DCMAKE_FIND_ROOT_PATH_MODE_LIBRARY=BOTH
-              -DCMAKE_FIND_ROOT_PATH_MODE_PROGRAM=BOTH
-            # The runner has multiple clang versions installed and CMake/Qt gets
-            # confused about which one to pick for some reason, so this also
-            # sets Clang_ROOT during the Qt build
-            qt_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libatspi2.0-dev libmtdev-dev libts-dev libgtk-3-dev
-              libgl1-mesa-dev libglu1-mesa-dev libxi-dev libdrm-dev
-              libgbm-dev libgl-dev libgles-dev libegl-dev libegl1-mesa-dev
-              libxext-dev libxfixes-dev libxrender-dev libx11-dev
-              libxcb1-dev libx11-xcb-dev libxcb-glx0-dev libxcb-util0-dev
-              libxkbcommon-dev libxkbcommon-x11-dev libxcb-keysyms1-dev
-              libxcb-image0-dev libxcb-shm0-dev libxcb-icccm4-dev
-              libxcb-sync-dev libxcb-xfixes0-dev libxcb-shape0-dev
-              libxcb-randr0-dev libxcb-render0-dev libxcb-render-util0-dev
-              libxcb-util-dev libinput-dev libvulkan-dev
-              libxcb-xinerama0-dev libxcb-xkb-dev libxcb-xinput-dev libclang-12-dev
-              libasound2-dev libpulse-dev libcups2-dev libssl-dev
-              libfontconfig1-dev &&
-              echo "Clang_ROOT=/usr/lib/llvm-12" >> $GITHUB_ENV
-            ffmpeg_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              yasm
-            other_pre_build: >
-              sudo apt-get update &&
-              sudo apt-get install --no-install-recommends
-              libsecret-1-dev
-
-          - os: macos-13
-            cross_os: ''
-            component: ''
-            qt: 6.7.2
-            arch: x86_64
-            build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
-            build_type: Release
-            collect_symbols: false
-            signpath: false
-            sccache_triplet: x86_64-apple-darwin
-            packager: cpack --verbose --config build/CPackConfig.cmake -C Release
-
-          - os: macos-14
-            cross_os: ''
-            component: ''
-            qt: 6.7.2
-            arch: arm64
-            build_flags: -DBUILD_PACKAGE_SUFFIX=arm64 -G Ninja
-            build_type: Release
-            collect_symbols: false
-            signpath: false
-            sccache_triplet: aarch64-apple-darwin
-            packager: cpack --verbose --config build/CPackConfig.cmake -C Release
-
           - os: windows-latest
             cross_os: ''
             component: ''
@@ -274,55 +68,6 @@ jobs:
               cp .github/deps/other/bin/qt*.dll .github/deps/qt/bin &&
               cpack --verbose --config build/CPackConfig.cmake -C RelWithDebInfo
 
-          - os: windows-latest
-            cross_os: ''
-            component: 'Tools'
-            qt: 5.15.14
-            arch: x86_64
-            sccache_triplet: x86_64-pc-windows-msvc
-            build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
-            build_type: RelWithDebInfo
-            collect_symbols: false
-            signpath: false
-            qt_pre_build: >
-              choco install gperf jom winflexbison3 &&
-              New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
-              New-Item -Path C:\ProgramData\Chocolatey\bin\bison.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_bison.exe
-            ffmpeg_pre_build: >
-              choco install yasm
-            # Copying files is a disgusting hack because windeployqt does not
-            # search PATH to find DLLs and it gets confused by QtKeychain having
-            # a Qt prefix and thinks it is part of Qt and tries to process it
-            # and fails if it is not in the Qt bin directory with the rest of
-            # them
-            packager: >
-              cp .github/deps/other/bin/qt*.dll .github/deps/qt/bin &&
-              cpack --verbose --config build/CPackConfig.cmake -C RelWithDebInfo
-
-          - os: windows-latest
-            qt: 5.15.14
-            arch: x86
-            sccache_triplet: x86_64-pc-windows-msvc
-            build_flags: -DCARGO_TRIPLE=i686-pc-windows-msvc -DBUILD_PACKAGE_SUFFIX=x86 -G Ninja
-            build_type: RelWithDebInfo
-            collect_symbols: false
-            signpath: true
-            qt_pre_build: >
-              choco install gperf jom winflexbison3 &&
-              New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
-              New-Item -Path C:\ProgramData\Chocolatey\bin\bison.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_bison.exe
-            ffmpeg_pre_build: >
-              choco install yasm
-            # Copying files is a disgusting hack because windeployqt does not
-            # search PATH to find DLLs and it gets confused by QtKeychain having
-            # a Qt prefix and thinks it is part of Qt and tries to process it
-            # and fails if it is not in the Qt bin directory with the rest of
-            # them
-            packager: >
-              cp .github/deps/other/bin/qt*.dll .github/deps/qt/bin &&
-              cpack --verbose --config build/CPackConfig.cmake -C RelWithDebInfo
-
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -486,30 +231,32 @@ jobs:
           }
         env:
           WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
-        if: runner.os == 'Windows' && matrix.packager && (!startsWith(github.ref, 'refs/tags/') || !matrix.signpath)
+        if: runner.os == 'Windows' && matrix.packager && !matrix.signpath
 
       - name: Figure out Windows product version from build version
         run: >
           cmake
-          "-DBUILD_VERSION=${{ github.ref_name }}"
+          "-DBUILD_VERSION=2.2.2-beta.4"
           "-DOUTPUT_PATH=$env:GITHUB_ENV"
           "-DSEARCH_PATHS=${{ matrix.cross_os && format('{0};', steps.cross-deps.outputs.path) }}${{ steps.deps.outputs.path }}"
           -P ".github/scripts/build-to-product-version.cmake"
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Install rcedit to set PE metadata on Windows
         run: |
           choco install rcedit
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Set PE metadata of dependencies on Windows
         run: >
           cmake
+          "-DFILE_DESCRIPTION=Drawpile client"
           "-DPRODUCT_NAME=Drawpile client"
+          "-DFILE_VERSION=$env:WINDOWS_PRODUCT_VERSION"
           "-DPRODUCT_VERSION=$env:WINDOWS_PRODUCT_VERSION"
           "-DSEARCH_PATHS=${{ matrix.cross_os && format('{0};', steps.cross-deps.outputs.path) }}${{ steps.deps.outputs.path }}"
           -P ".github/scripts/edit-pe-metadata.cmake"
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Generate project
         run: >
@@ -569,11 +316,13 @@ jobs:
       - name: Set PE metadata built files on Windows
         run: >
           cmake
+          "-DFILE_DESCRIPTION=Drawpile client"
           "-DPRODUCT_NAME=Drawpile client"
+          "-DFILE_VERSION=$env:WINDOWS_PRODUCT_VERSION"
           "-DPRODUCT_VERSION=$env:WINDOWS_PRODUCT_VERSION"
           "-DSEARCH_PATHS=build"
           -P ".github/scripts/edit-pe-metadata.cmake"
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Run C++ tests
         run: ctest -C ${{ matrix.build_type }} --output-on-failure
@@ -595,13 +344,13 @@ jobs:
           path: |
             Drawpile-*.msi
             Drawpile-*.zip
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Delete unsigned artifacts
         id: signpath-delete-unsigned
         shell: bash
         run: rm -vf Drawpile-*.msi Drawpile-*.zip
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Submit artifacts to SignPath to sign
         uses: signpath/github-action-submit-signing-request@v1
@@ -610,7 +359,7 @@ jobs:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
           project-slug: 'Drawpile'
-          signing-policy-slug: 'release-signing'
+          signing-policy-slug: 'test-signing'
           artifact-configuration-slug: 'client'
           github-artifact-id: '${{ steps.signpath-upload.outputs.artifact-id }}'
           wait-for-completion: true
@@ -619,7 +368,7 @@ jobs:
             version: "${{ github.ref_name }}"
             productname: "Drawpile client"
             productversion: "${{ env.WINDOWS_PRODUCT_VERSION }}"
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Delete unsigned artifacts uploaded for SignPath after signing
         uses: actions/github-script@v7
@@ -631,7 +380,7 @@ jobs:
               repo: context.repo.repo,
               artifact_id: ${{ steps.signpath-upload.outputs.artifact-id }}
             });
-        if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
 
       - name: Bundle PDBs
         run: >