
Commit afe4595

authored
Merge pull request #1186 from OpenBCI/1185-add-ev-certificate-signing-for-windows-builds
Add EV certificate signing for Windows builds
2 parents 0afebcf + 90e2541 commit afe4595

19 files changed

Lines changed: 289 additions & 896 deletions

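--- a/.github/workflows/linux_build_deploy.yml
+++ b/.github/workflows/linux_build_deploy.yml
@@ -17,7 +17,7 @@ env:
 jobs:
 build:
 name: Build for Linux
-runs-on: ubuntu-20.04
+runs-on: ubuntu-latest
 
 steps:
 - name: Checkout
@@ -27,56 +27,52 @@ jobs:
 uses: actions/setup-python@v4
 with:
 python-version: '3.9'
-cache: 'pip' # caching pip dependencies
+cache: 'pip'
 
 - name: Install Python Dependencies
-run: pip install -r release_script/requirements.txt
+run: pip install -r release/requirements.txt
 
-- name: Download and Unzip Processing
+- name: Install Processing
 run: |
-mkdir -p $GITHUB_WORKSPACE/temp
-cd $GITHUB_WORKSPACE/temp
+mkdir -p $GITHUB_WORKSPACE/processing
+cd $GITHUB_WORKSPACE/processing
 curl -O -L --insecure https://github.com/processing/processing4/releases/download/processing-1292-4.2/processing-4.2-linux-x64.tgz
 tar -xzvf processing-4.2-linux-x64.tgz
 ls
 
 - name: Add Processing to PATH
-run: |
-sudo su -c "ln -s $GITHUB_WORKSPACE/temp/processing-4.2/processing-java /usr/local/bin/processing-java"
+run: sudo su -c "ln -s $GITHUB_WORKSPACE/processing/processing-4.2/processing-java /usr/local/bin/processing-java"
 
-- name: Test processing-java command
-run: |
-processing-java --help
+- name: Print PATH
+run: echo "$PATH"
+
+- name: Test processing-java Command
+run: processing-java --help
 
-- name: Copy libraries to Processing
+- name: Copy Libraries to Processing
 run: |
 mkdir -p $HOME/sketchbook/libraries/
 cp -a $GITHUB_WORKSPACE/OpenBCI_GUI/libraries/. $HOME/sketchbook/libraries/
 
-- name: Run Unit Tests
-run: |
-echo "Unit tests cannot be run on Linux without attached display."
-echo "https://github.com/processing/processing/wiki/Running-without-a-Display"
+# Unit tests cannot be run on Linux without attached display.
 
-- name: Build GUI
-run: |
-touch temp/timestamp.txt
-touch temp/versionstring.txt
-python $GITHUB_WORKSPACE/release_script/make-release.py --no-prompts
-GUI_COMMIT_TIME=`cat temp/timestamp.txt`
-GUI_VERSION_STRING=`cat temp/versionstring.txt`
+- name: Build
+run: python $GITHUB_WORKSPACE/release/build.py
+
+- name: Package
+run: python $GITHUB_WORKSPACE/release/package.py
 
-- name: Configure AWS credentials from Production account
+- name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 aws-region: ${{ env.AWS_REGION }}
 
-- name: Get branch names
+- name: Get Branch Names
 id: branch-name
 uses: tj-actions/branch-names@v7
 
-- name: Store DMG on AWS
+- name: Store Build on AWS
 run: |
 cd $GITHUB_WORKSPACE
 ls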
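Review bot: The renamed Install Processing step still fetches the toolchain with `curl -O -L --insecure`, so TLS certificate validation is off and nothing checks the archive before `tar -xzvf` unpacks it and the build runs `processing-java` from it. These workflows publish release builds, and this commit adds signing to the macOS and Windows ones, so a tampered download would end up inside a released, and there signed, binary. Drop `--insecure` and verify a pinned digest before extracting, e.g. `echo "<EXPECTED_SHA256>  processing-4.2-linux-x64.tgz" | sha256sum -c -`. The same flag is kept in the Install Processing steps of mac_build_deploy.yml and windows_build_deploy.yml.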

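--- a/.github/workflows/mac_build_deploy.yml
+++ b/.github/workflows/mac_build_deploy.yml
@@ -27,82 +27,88 @@ jobs:
 uses: actions/setup-python@v4
 with:
 python-version: '3.9'
-cache: 'pip' # caching pip dependencies
+cache: 'pip'
 
 - name: Install Python Dependencies
-run: pip install -r release_script/requirements.txt
+run: pip install -r release/requirements.txt
 
-- name: Download and Unzip Processing
+- name: Install Processing
 run: |
 curl -O -L --insecure https://github.com/processing/processing4/releases/download/processing-1292-4.2/processing-4.2-macos-x64.zip
 unzip processing-4.2-macos-x64.zip
 ls
-
-- name: Move Processing.app to Applications
-run: |
 mv Processing.app /Applications/Processing.app
 
-- name: Add Processing to PATH
+- name: Configure PATH
 run: |
-echo "$GITHUB_WORKSPACE/release_script/mac_only/" >> $GITHUB_PATH
-chmod +x $GITHUB_WORKSPACE/release_script/mac_only/processing-java
+echo "$GITHUB_WORKSPACE/release/mac/" >> $GITHUB_PATH
+chmod +x $GITHUB_WORKSPACE/release/mac/processing-java
 
-- name: Check GITHUB PATH
-run: echo $GITHUB_PATH
+- name: Print PATH
+run: echo "$PATH"
 
 - name: Test processing-java command
-run: |
-processing-java --help
+run: processing-java --help
 
-- name: Copy libraries to Processing
+- name: Copy Libraries to Processing
 run: |
 mkdir -p $HOME/Documents/Processing/libraries/
 cp -a $GITHUB_WORKSPACE/OpenBCI_GUI/libraries/. $HOME/Documents/Processing/libraries/
 
 - name: Run Unit Tests
-run: |
-ls
-python $GITHUB_WORKSPACE/GuiUnitTests/run-unittests.py
-
-- name: Save Encrypted Certificate to File
-run: |
-echo $MAC_CERTIFICATE_ENCRYPTED | base64 --decode > $GITHUB_WORKSPACE/release_script/mac_only/Certificates_2023.p12.enc
-env:
-MAC_CERTIFICATE_ENCRYPTED: ${{ secrets.MAC_CERTIFICATE_ENCRYPTED }}
+run: python $GITHUB_WORKSPACE/GuiUnitTests/run-unittests.py
 
 - name: Decrypt Certificate
 run: |
 openssl version
-openssl enc -aes-256-cbc -a -d -pbkdf2 -in $GITHUB_WORKSPACE/release_script/mac_only/Certificates_2023.p12.enc -out $GITHUB_WORKSPACE/release_script/mac_only/Certificates.p12 -k "$OPENSSL_CERT_K"
+echo $MAC_CERTIFICATE_ENCRYPTED | base64 --decode > $GITHUB_WORKSPACE/release/mac/encrypted-certificate.p12.enc
+openssl enc -aes-256-cbc -a -d -pbkdf2 \
+-in $GITHUB_WORKSPACE/release/mac/encrypted-certificate.p12.enc \
+-out $GITHUB_WORKSPACE/release/mac/certificate.p12 \
+-k "$OPENSSL_CERT_K"
 env:
 OPENSSL_CERT_K: ${{ secrets.OPENSSL_CERT_K }}
+MAC_CERTIFICATE_ENCRYPTED: ${{ secrets.MAC_CERTIFICATE_ENCRYPTED }}
 
 - name: Add OSX Signing Certificate to Keychain
 uses: apple-actions/import-codesign-certs@v2
 with:
-p12-filepath: ${{ github.workspace }}/release_script/mac_only/Certificates.p12
+p12-filepath: ${{ github.workspace }}/release/mac/certificate.p12
 p12-password: ${{ secrets.CERTIFICATE_P12_PASSWORD }}
 
-- name: Build GUI
+- name: Build
 run: |
-mkdir $GITHUB_WORKSPACE/temp
-touch temp/timestamp.txt
-touch temp/versionstring.txt
-python $GITHUB_WORKSPACE/release_script/make-release.py --no-prompts
-GUI_COMMIT_TIME=`cat temp/timestamp.txt`
-GUI_VERSION_STRING=`cat temp/versionstring.txt`
-
-- name: Configure AWS credentials from Production account
+python $GITHUB_WORKSPACE/release/build.py
+cp $GITHUB_WORKSPACE/OpenBCI_GUI/sketch.icns $GITHUB_WORKSPACE/application.macosx/OpenBCI_GUI.app/Contents/Resources/sketch.icns
+
+- name: Sign Build
+run: |
+codesign -f -v -s "Developer ID Application: OpenBCI, Inc. (3P82WRGLM8)" $GITHUB_WORKSPACE/application.macosx/OpenBCI_GUI.app
+
+- name: Create DMG
+run: |
+dmgbuild -s release/mac/dmgbuild_settings.py \
+-D app=$GITHUB_WORKSPACE/application.macosx/OpenBCI_GUI.app \
+OpenBCI_GUI $GITHUB_WORKSPACE/application.macosx.dmg
+
+- name: Sign DMG
+run: |
+codesign -f -v -s "Developer ID Application: OpenBCI, Inc. (3P82WRGLM8)" $GITHUB_WORKSPACE/application.macosx.dmg
+
+- name: Package
+run: python $GITHUB_WORKSPACE/release/package.py
+
+- name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 aws-region: ${{ env.AWS_REGION }}
 
-- name: Get branch names
+- name: Get Branch Names
 id: branch-name
 uses: tj-actions/branch-names@v7
 
-- name: Store DMG on AWS S3
+- name: Store Build on AWS
 run: |
 cd $GITHUB_WORKSPACE
 ls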
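Review bot: The Decrypt Certificate step writes the decrypted signing identity to `release/mac/certificate.p12` inside the checkout, and no later step visible in this section deletes it before Package and Store Build on AWS run. The Store Build step continues past the end of the hunk, so whether the upload could pick the file up cannot be confirmed from here. Writing both the `.enc` and the `.p12` under `$RUNNER_TEMP` and removing them right after the keychain import keeps the private key out of anything the packaging script might collect. The passphrase is also passed as `-k "$OPENSSL_CERT_K"`, which puts it on the openssl command line; `-pass env:OPENSSL_CERT_K` reads it from the environment instead. Neither `codesign` call is followed by a check, so I would add `codesign --verify --strict --verbose=2` on the .app and the .dmg before Package.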

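--- a/.github/workflows/windows_build_deploy.yml
+++ b/.github/workflows/windows_build_deploy.yml
@@ -17,7 +17,7 @@ env:
 jobs:
 build:
 name: Build for Windows
-runs-on: windows-2019
+runs-on: windows-latest
 
 steps:
 - name: Clone Repository
@@ -28,95 +28,63 @@ jobs:
 with:
 python-version: '3.9'
 architecture: 'x64'
-cache: 'pip' # caching pip dependencies
-
-- name: Install Python Dependencies
-run: |
-python -m pip install requests
-python -m pip install beautifulsoup4
+cache: 'pip'
 
 - name: Install Processing
 run: |
-mkdir %GITHUB_WORKSPACE%\temp
-cd %GITHUB_WORKSPACE%\temp
+mkdir %GITHUB_WORKSPACE%\processing
+cd %GITHUB_WORKSPACE%\processing
 curl -O -L --insecure https://github.com/processing/processing4/releases/download/processing-1292-4.2/processing-4.2-windows-x64.zip
-ls -l %GITHUB_WORKSPACE%\temp
+ls -l %GITHUB_WORKSPACE%\processing
 unzip processing-4.2-windows-x64.zip
-ls -l %GITHUB_WORKSPACE%\temp\processing-4.2
+ls -l %GITHUB_WORKSPACE%\processing\processing-4.2
 mkdir %userprofile%\documents\processing\libraries
 xcopy %GITHUB_WORKSPACE%\OpenBCI_GUI\libraries\* %userprofile%\documents\processing\libraries /s /i /q
 ls -l %userprofile%\documents\processing\libraries
 shell: cmd
 
 - name: Set Path
 run: |
-echo %GITHUB_WORKSPACE%\temp\processing-4.2 >> %GITHUB_PATH%
-echo C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64 >> %GITHUB_PATH%
-ls -l "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64"
+echo %GITHUB_WORKSPACE%\processing\processing-4.2>>%GITHUB_PATH%
+echo C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64>>%GITHUB_PATH%
 shell: cmd
 
 - name: Print Path
-run: echo %GITHUB_PATH%
-shell: cmd
-
-- name: Explicitly run processing-java
-run: |
-%GITHUB_WORKSPACE%\temp\processing-4.2\processing-java.exe --help
+run: echo %PATH%
 shell: cmd
 
-- name: Check processing-java command
-run: |
-set PATH=%PATH%;%GITHUB_WORKSPACE%\temp\processing-4.2
-processing-java --help
+- name: Check processing-java Command
+run: processing-java --help
 shell: cmd
 
 - name: Run Unit Tests
-run: |
-set PATH=%PATH%;%GITHUB_WORKSPACE%\temp\processing-4.2
-ls -l
-python %GITHUB_WORKSPACE%\GuiUnitTests\run-unittests.py
+run: python %GITHUB_WORKSPACE%\GuiUnitTests\run-unittests.py
 shell: cmd
 
-- name: Build without Signing
-if: ${{ true }}
-run: |
-echo %cd%
-ls
-set PATH=%PATH%;%GITHUB_WORKSPACE%\temp\processing-4.2
-set PATH=%PATH%;C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64
-type nul > temp/versionstring.txt
-type nul > temp/timestamp.txt
-python %GITHUB_WORKSPACE%\release_script\make-release.py --no-prompts
+- name: Build
+run: python %GITHUB_WORKSPACE%\release\build.py
 shell: cmd
 
-- name: Decrypt pfx files
-if: ${{ false }}
+- name: Sign
 run: |
-iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
-appveyor-tools\secure-file -decrypt $env:GITHUB_WORKSPACE\release_script\windows_only\0a2d0e9821bd184a1d969a1db3630c92-SHA2.pfx.enc -secret $env:PFX_SECRET -salt $env:PFX_SALT -out $env:GITHUB_WORKSPACE\release_script\windows_only\0a2d0e9821bd184a1d969a1db3630c92-SHA2.pfx
-ls -l $env:GITHUB_WORKSPACE\release_script\windows_only
-env:
-PFX_PASS: ${{ secrets.PFX_PASS }}
-PFX_SECRET: ${{ secrets.PFX_SECRET }}
-PFX_SALT: ${{ secrets.PFX_SALT }}
-
-- name: Build and Sign
-if: ${{ false }}
-run: |
-python %GITHUB_WORKSPACE%\release_script\make-release.py --no-prompts --pfx-password %PFX_PASS% --pfx-path %GITHUB_WORKSPACE%\release_script\windows_only\0a2d0e9821bd184a1d969a1db3630c92-SHA2.pfx
-env:
-PFX_PASS: ${{ secrets.PFX_PASS }}
-PFX_SECRET: ${{ secrets.PFX_SECRET }}
-PFX_SALT: ${{ secrets.PFX_SALT }}
+dotnet tool install --global azuresigntool
+mt -manifest %GITHUB_WORKSPACE%\release\windows\gui.manifest -outputresource:%GITHUB_WORKSPACE%\application.windows64\OpenBCI_GUI.exe;#1
+mt -manifest %GITHUB_WORKSPACE%\release\windows\java.manifest -outputresource:%GITHUB_WORKSPACE%\application.windows64\java\bin\java.exe;#1
+mt -manifest %GITHUB_WORKSPACE%\release\windows\javaw.manifest -outputresource:%GITHUB_WORKSPACE%\application.windows64\java\bin\javaw.exe;#1
+azuresigntool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --timestamp-rfc3161 http://timestamp.digicert.com --verbose %GITHUB_WORKSPACE%\application.windows64\OpenBCI_GUI.exe
+shell: cmd
+
+- name: Package
+run: python %GITHUB_WORKSPACE%\release\package.py
 shell: cmd
 
-- name: Configure AWS credentials from Production account
+- name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 aws-region: ${{ env.AWS_REGION }}
 
-- name: Get branch names
+- name: Get Branch Names
 id: branch-name
 uses: tj-actions/branch-names@v7
 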
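Review bot: The Sign step passes only `application.windows64\OpenBCI_GUI.exe` to `azuresigntool sign`, although the two `mt` lines above it also rewrite `java\bin\java.exe` and `java\bin\javaw.exe`. Embedding a manifest changes those files, so any Authenticode signature the bundled runtime shipped with would stop validating (inferred; the hunk does not show whether they were signed), and the release would carry modified, unsigned executables next to the signed launcher. I would append both paths to the `azuresigntool sign` command and follow it with `signtool verify /pa /v %GITHUB_WORKSPACE%\application.windows64\OpenBCI_GUI.exe` so a failed or missing signature stops the job before Package. Separately, `dotnet tool install --global azuresigntool` takes whatever version is current in a step that receives the Key Vault client secret; pin it with `--version <PINNED_VERSION>`.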
