COR-1627: streamline windows node signing process

- Moves the signing of the libraries and executables into the build script
- Avoids repacking of cabinet files

Author: drsk

.github/workflows/release-test.yaml

@@ -0,0 +1,217 @@
+name: Windows signing streamlining
+
+on:
+  push:
+    push:
+      branches:cor_1627_streamline_windows_signing_process/windows
+
+env:
+  UBUNTU_VERSION: '22.04'
+  STATIC_LIBRARIES_IMAGE_TAG: 'rust-1.82_ghc-9.10.2'
+  RUST_VERSION: '1.82'
+  STACK_VERSION: '3.7.1'
+  FLATBUFFERS_VERSION: '23.5.26'
+  GHC_VERSION: '9.10.2'
+  PROTOC_VERSION: '28.3'
+  STATIC_NODE_BINARY_IMAGE_NAME: 'static-node-binaries'
+  DOCKER_ARTIFACT_NAME: 'image'
+  AWS_ROLE_TO_ASSUME: 'arn:aws:iam::192549843005:role/github_concordium-node'
+  S3_ARN_TEMPLATES: '{
+      \"database-exporter\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"database-exporter_${VERSION}.deb\"},
+      \"p2p-bootstrapper\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"p2p-bootstrapper_${VERSION}.deb\"},
+      \"node-stagenet-linux\": {\"bucket\": \"distribution.stagenet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-stagenet-node_${VERSION}_amd64.deb\"},
+      \"node-flynet-linux\": {\"bucket\": \"distribution.flynet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-flynet-node_${VERSION}_amd64.deb\"},
+      \"node-testnet-linux\": {\"bucket\": \"distribution.testnet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-testnet-node_${VERSION}_amd64.deb\"},
+      \"node-mainnet-linux\": {\"bucket\": \"distribution.mainnet.concordium.software\", \"dir\": \"deb\", \"name\": \"concordium-mainnet-node_${VERSION}_amd64.deb\"},
+      \"node-macos\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"macos\", \"name\": \"concordium-node-${VERSION}.pkg\"},
+      \"node-windows\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"windows\", \"name\": \"Node-${VERSION}.msi\"}
+    }'
+  DOCKER_TAGS_TEMPLATES: '{
+      \"docker-stagenet\": \"concordium/stagenet-node:${VERSION}\",
+      \"docker-testnet\": \"concordium/testnet-node:${VERSION}\",
+      \"docker-mainnet\": \"concordium/mainnet-node:${VERSION}\",
+      \"docker-bootstrapper\": \"concordium/bootstrapper:${VERSION}\"
+    }'
+  REGISTRY: docker.io
+  SERVICE: "${{ inputs.service }}"
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+
+  validate-preconditions:
+    runs-on: ubuntu-latest
+    outputs:
+      s3_arns: ${{ steps.render.outputs.s3_arns }}
+      docker_tags: ${{ steps.render.outputs.docker_tags }}
+      release_type: ${{ steps.versions_derivation.outputs.release_type }}
+      base_version: ${{ steps.versions_derivation.outputs.base_version }}
+      version: ${{ steps.versions_derivation.outputs.version }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Validate version
+        id: versions_derivation
+        run: |
+          CARGO_VERSION=$(yq .package.version concordium-node/Cargo.toml)
+          if [ -z "${{ env.SERVICE }}" ]; then
+            IFS='-' read -r VERSION BUILD RELEASE_TYPE <<< "${{ github.ref_name }}"
+            # if [ ! "$VERSION" = "$CARGO_VERSION" ]; then
+            #   echo "::error::${CARGO_VERSION} does not match ${VERSION}."
+            #   exit 1
+            # fi
+          else
+            RELEASE_TYPE="${{ env.SERVICE }}"
+            BUILD=$(git rev-parse --short HEAD)
+          fi
+          echo "::notice::RELEASE_TYPE=${RELEASE_TYPE}"
+          echo "release_type=${RELEASE_TYPE}" >> "$GITHUB_OUTPUT"
+          echo "version=${CARGO_VERSION}-${BUILD}" >> "$GITHUB_OUTPUT"
+          echo "base_version=${CARGO_VERSION}" >> "$GITHUB_OUTPUT"
+      - name: Templates rendering
+        id: render
+        run: |
+          export VERSION="${{ steps.versions_derivation.outputs.version }}"
+          echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> $GITHUB_OUTPUT
+          echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> $GITHUB_OUTPUT
+
+  node-windows:
+    runs-on: windows-latest  
+    # TODO (drsk) the next line needs to be in again after testing !!!
+    # environment: release # This step needs to use the release context to access credentials for code signing.
+    needs: [validate-preconditions]
+    if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
+    defaults:
+      run:
+        shell: pwsh
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install dependencies
+        run: |
+          choco install yq jq -y
+        shell: bash
+
+      - name: Extrapolate artifact name
+        run: |
+          ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ github.job }}"].name')
+          echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Install DigiCert Client tools (Windows only)
+        id: digicert_client
+        uses: digicert/[email protected]
+
+      - name: Import Windows certificate (Windows only)
+        id: windows_certificate
+        env:
+          # Base64 encoding of the pfx/p12 certificate for Windows code signing.
+          SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
+        run: |
+          $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
+          $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"
+
+          Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
+          certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
+          echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT
+
+      - name: Run smctl healthcheck to confirm if the tool is configured properly.
+        working-directory: ${{steps.build.outputs.bin_dir}}
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+        run: |
+          smctl healthcheck --all
+        shell: cmd
+
+      - name: Install Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-msvc
+
+      - name: Install Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-gnu
+
+      - name: Setup node folder
+        run: |
+          mkdir -p "C:/Program Files/node/include"
+          Add-Content -Path $env:GITHUB_PATH -Value "C:/Program Files/node"
+
+      - name: Install flatbuffers
+        run: |
+          curl -L -O https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/Windows.flatc.binary.zip
+          unzip Windows.flatc.binary.zip
+          mv flatc.exe "C:/Program Files/node/"
+
+      - name: Install protobuf (protoc)
+        run: |
+          curl -L -O https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-win64.zip
+          unzip protoc-${{ env.PROTOC_VERSION }}-win64.zip
+          mv bin/protoc.exe "C:/Program Files/node/"
+          mv include/* "C:/Program Files/node/include"
+
+      - name: Setup Haskell
+        uses: haskell-actions/setup@v2
+        with:
+          ghc-version: ${{ env.GHC_VERSION }}
+          enable-stack: true
+          stack-version: ${{ env.STACK_VERSION }}
+
+      - uses: milliewalky/setup-7-zip@v1
+
+      - name: Install GCC
+        run: |
+          curl -L -O https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-msvcrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z
+          7z x winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z -oC:/gcc
+          Add-Content -Path $env:GITHUB_PATH -Value "C:/gcc/mingw64/bin"
+
+      - name: Install LMDB
+        run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb
+
+      - name: Build and Sign Windows Node
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+          SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
+        run: |
+          ./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}
+    
+      - name: Sign installer with smctl
+        working-directory: ${{steps.build.outputs.bin_dir}}
+        env:
+          WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
+          WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
+          SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
+          SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
+          SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
+        run: |
+          smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
+        shell: cmd
+
+      - name: Rename the package to target filename.
+        run: |
+          cp ./service/windows/installer/Node.msi ./${{ env.ARTIFACT_NAME }}
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.job }}
+          path: ${{ env.ARTIFACT_NAME }}

scripts/distribution/windows/build-all.ps1

@@ -30,4 +30,30 @@ cargo +$rustVersion-x86_64-pc-windows-msvc build --release --locked
 Pop-Location
 if ($LASTEXITCODE -ne 0) { throw "Failed building node runner service" }
 
-service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion
+# Sign files if smctl is available and necessary environment variables are set.
+if ($env:WINDOWS_SM_KEYPAIR_ALIAS -and $env:WINDOWS_PKCS11_CONFIG -and $env:SM_ARGS -and (Get-Command "smctl" -ErrorAction SilentlyContinue)) {
+
+# Move to the location of the script so that relative paths make sense
+Push-Location $PSScriptRoot
+
+$StackInstallRoot = stack path --local-install-root
+
+try {
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input .\$StackInstallRoot\lib\ConcordiumConsensusDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\ConcordiumBaseDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\smart-contracts\lib\ConcordiumSmartContractEngineDLL --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-base\lib\Sha2DLL.dll --config-file $env:WINDOWS_PKCS11_CONFIG  $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\target\x86_64-pc-windows-msvc\release\NodeRunnerService --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\collector\target\release\NodeCollector  --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+smctl sign --keypair-alias $env:WINDOWS_SM_KEYPAIR_ALIAS --input ..\..\..\concordium-node\target\release\ConcordiumNode  --config-file $env:WINDOWS_PKCS11_CONFIG $env:SM_ARGS
+}
+finally{
+    Pop-Location
+}
+
+} else {
+    Write-Output "Not signing: Missing required environment variables or smctl utility missing. WINDOWS_SM_KEYPAIR_ALIAS, WINDOWS_PKCS11_CONFIG, SM_ARGS need to be set."
+}
+
+# Build the installer
+service\windows\installer\build.ps1 -toolchain $rustVersion-x86_64-pc-windows-msvc -nodeVersion $nodeVersion