Merge beta to master#19137
Merged
Merged
Conversation
Fixes #19099 Supersedes #18384 ### Summary of the issue: Some files are not signed some of the time ### Description of user facing changes: None ### Description of developer facing changes: In the case of alpha, beta, rc, stable and try builds, failure to sign the launcher or most of our executables will fail the build. All CI builds now run serially to avoid race conditions. ### Description of development approach: Set the `ErrorAction` common parameter on `Send-SigningRequest` to `Stop` to cause the signing script to fail if the cmd-let fails. Use `Get-AuthenticodeSignature` to verify the signature of files after `Submit-SigningRequest` returns. ### Testing strategy: CI * [x] Successful signing: https://github.com/nvaccess/nvda/actions/runs/18733609673 * Note that this run's failure was due to a system test failure * Checked that the launcher and all `dll` and `exe` files are signed. Found unsigned `exe`s and `dll` s by unzipping the controller client and launcher into the same directory, and running: ```ps1 (Get-ChildItem -Recurse -Include *.exe, *.dll -Name | Get-AuthenticodeSignature | where-object {$_.Status -ne 'Valid'}).Path ``` The following files do not have valid signatures: * `app\brailleDisplayDrivers\lilli.dll` * `app\miscDeps\tools\msgfmt.exe` * `app\synthDrivers\espeak.dll` * `app\synthDrivers\sonic.dll` * `app\brlapi-0.8.dll` * `app\libgcc_s_dw2-1.dll` * `app\wxbase32u_net_vc140.dll` * `app\wxbase32u_vc140.dll` * `app\wxmsw32u_aui_vc140.dll` * `app\wxmsw32u_core_vc140.dll` * `app\wxmsw32u_html_vc140.dll` * `app\wxmsw32u_stc_vc140.dll` * `Banner.dll` * `System.dll` However, as best as I can tell, we never attempt to sign these files. * [x] Intentionally don't sign a DLL: https://github.com/nvaccess/nvda/actions/runs/18703904287 * [x] Intentionally don't sign the launcher: https://github.com/nvaccess/nvda/actions/runs/18707118372 ### Known issues with pull request: None
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR merges changes from the beta branch to master, primarily focusing on enhancing the code signing process and simplifying the build configuration.
Key changes include:
- Enhanced signature verification with detailed error reporting and GitHub workflow summary output
- Simplified SCons build configuration by removing conditional multi-core logic
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| ci/scripts/sign.ps1 | Adds comprehensive signature validation with detailed error reporting and GitHub summary output |
| ci/scripts/setSconsArgs.ps1 | Simplifies build configuration by removing multi-core build logic and conditional processing |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| if ($null -eq $authenticodeSignature.SignerCertificate) { | ||
| "None" | ||
| } else { | ||
| $authenticodeSignature.SignerCertificate | ConvertTo-Html -fragment -Property Subject, Issuer, SerialNumber, Thumbprint, ` |
There was a problem hiding this comment.
Extra space in 'SerialNumber, Thumbprint' - should have single space after comma.
| if ($null -eq $authenticodeSignature.TimestamperCertificate) { | ||
| "None" | ||
| } else { | ||
| $authenticodeSignature.TimestamperCertificate | ConvertTo-Html -fragment -Property Subject, Issuer, SerialNumber, Thumbprint,` |
There was a problem hiding this comment.
Extra space in 'SerialNumber, Thumbprint' - should have single space after comma.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.