Merge rc to beta#19136
Merged
Merged
Conversation
Fixes #19099 Supersedes #18384 ### Summary of the issue: Some files are not signed some of the time ### Description of user facing changes: None ### Description of developer facing changes: In the case of alpha, beta, rc, stable and try builds, failure to sign the launcher or most of our executables will fail the build. All CI builds now run serially to avoid race conditions. ### Description of development approach: Set the `ErrorAction` common parameter on `Send-SigningRequest` to `Stop` to cause the signing script to fail if the cmd-let fails. Use `Get-AuthenticodeSignature` to verify the signature of files after `Submit-SigningRequest` returns. ### Testing strategy: CI * [x] Successful signing: https://github.com/nvaccess/nvda/actions/runs/18733609673 * Note that this run's failure was due to a system test failure * Checked that the launcher and all `dll` and `exe` files are signed. Found unsigned `exe`s and `dll` s by unzipping the controller client and launcher into the same directory, and running: ```ps1 (Get-ChildItem -Recurse -Include *.exe, *.dll -Name | Get-AuthenticodeSignature | where-object {$_.Status -ne 'Valid'}).Path ``` The following files do not have valid signatures: * `app\brailleDisplayDrivers\lilli.dll` * `app\miscDeps\tools\msgfmt.exe` * `app\synthDrivers\espeak.dll` * `app\synthDrivers\sonic.dll` * `app\brlapi-0.8.dll` * `app\libgcc_s_dw2-1.dll` * `app\wxbase32u_net_vc140.dll` * `app\wxbase32u_vc140.dll` * `app\wxmsw32u_aui_vc140.dll` * `app\wxmsw32u_core_vc140.dll` * `app\wxmsw32u_html_vc140.dll` * `app\wxmsw32u_stc_vc140.dll` * `Banner.dll` * `System.dll` However, as best as I can tell, we never attempt to sign these files. * [x] Intentionally don't sign a DLL: https://github.com/nvaccess/nvda/actions/runs/18703904287 * [x] Intentionally don't sign the launcher: https://github.com/nvaccess/nvda/actions/runs/18707118372 ### Known issues with pull request: None
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR merges changes from the rc branch to beta, enhancing the signing verification process and simplifying the SCons build configuration.
- Adds comprehensive signature validation with detailed error reporting for signed files
- Removes conditional core allocation logic in favor of a consistent single-core build approach
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| ci/scripts/sign.ps1 | Adds signature verification after signing with detailed HTML reporting and proper error handling |
| ci/scripts/setSconsArgs.ps1 | Simplifies build configuration by removing conditional core allocation logic |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| if ($null -eq $authenticodeSignature.SignerCertificate) { | ||
| "None" | ||
| } else { | ||
| $authenticodeSignature.SignerCertificate | ConvertTo-Html -fragment -Property Subject, Issuer, SerialNumber, Thumbprint, ` |
There was a problem hiding this comment.
Extra spaces between 'Issuer,' and 'SerialNumber,' - should be single space for consistency with other properties.
| if ($null -eq $authenticodeSignature.TimestamperCertificate) { | ||
| "None" | ||
| } else { | ||
| $authenticodeSignature.TimestamperCertificate | ConvertTo-Html -fragment -Property Subject, Issuer, SerialNumber, Thumbprint,` |
There was a problem hiding this comment.
Extra spaces between 'Issuer,' and 'SerialNumber,' - should be single space for consistency with other properties.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.