From f4a0249930ab20e60dc197248eafa131efd363ee Mon Sep 17 00:00:00 2001
From: Manu
Date: Sun, 3 May 2026 21:40:21 +0100
Subject: [PATCH 1/2] chore(sign-windows): add screenshot loop + window enumeration for CI debug

The sign-windows job started failing during v0.15.0 around what looks like a second OAuth panel opened by SimplySign Desktop, but the failure mode is invisible in headless Xvfb. Add a scrot loop that captures the display every 2s, a dump_windows helper called at the four key handoff points, and an if: failure() artifact upload so the screenshots come back from CI.
---
 .github/workflows/release.yml | 7 +++++++
 scripts/windows-sign.sh | 24 +++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a1a18dc..8f47b6df 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -380,6 +380,13 @@ jobs:
 scripts/windows-sign.sh dist/unsigned/*.exe
 rm -f "$ARCHIVE"
 cd dist && zip -j "$(basename "$ARCHIVE" .zip).zip" unsigned/*.exe && cd ..
+ - name: Upload sign-windows screenshots
+ if: failure()
+ uses: actions/upload-artifact@v4
+ with:
+ name: sign-windows-screens
+ path: /tmp/sign-screens/
+ if-no-files-found: ignore
 - uses: actions/upload-artifact@v4
 if: env.HAS_SIGNING != ''
 with:
diff --git a/scripts/windows-sign.sh b/scripts/windows-sign.sh
index 44dbea95..d50174f2 100755
--- a/scripts/windows-sign.sh
+++ b/scripts/windows-sign.sh
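Review bot: The `Upload sign-windows screenshots` step publishes whatever was on the X display during signing. The scrot loop this patch adds to scripts/windows-sign.sh captures every 2s while the script types the Certum login and TOTP into SimplySign Desktop, so the artifact can show the account e-mail, the one-time code if the field is not masked, and token details. Anyone who can read the workflow run can download it, and the default retention period applies. Add `retention-days: 1` under `with:` to shorten the exposure, and consider gating both the capture loop and this step behind an explicit debug input instead of running them on every release.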
@@ -32,12 +32,21 @@ for f in "$@"; do
 fi
 done
+dump_windows() {
+ echo "==> X11 windows snapshot:"
+ for wid in $(xdotool search --name "" 2>/dev/null); do
+ local name
+ name=$(xdotool getwindowname "$wid" 2>/dev/null || true)
+ [[ -n "$name" ]] && echo " wid=$wid name='$name'"
+ done
+}
+
 # --- Install dependencies ---
 echo "==> Installing dependencies..."
 sudo apt-get update -qq
 sudo apt-get install -y -qq \
- xvfb xdotool oathtool osslsigncode \
+ xvfb xdotool oathtool osslsigncode scrot \
 p11-kit opensc stalonetray \
 libpulse-mainloop-glib0 libxss1 libnss3 libxkbcommon0 \
 > /dev/null 2>&1
@@ -92,6 +101,14 @@ XVFB_PID=$!
 export DISPLAY=:99
 sleep 2
+mkdir -p /tmp/sign-screens
+( while true; do
+ scrot -o "/tmp/sign-screens/$(date +%s.%N).png" 2>/dev/null
+ sleep 2
+ done ) &
+SCROT_PID=$!
+trap "kill $SCROT_PID 2>/dev/null || true" EXIT
+
 stalonetray --geometry 1x1+0+0 --grow-gravity W &
 sleep 1
@@ -101,6 +118,7 @@ echo "==> Launching SimplySign Desktop..."
 "$SSD_EXE" &
 SSD_PID=$!
 sleep 8
+dump_windows
 echo "==> Searching for login window..."
 WINDOW_ID=$(timeout 30 xdotool search --sync --onlyvisible --name "SimplySign" 2>/dev/null | head -1 || true)
@@ -121,6 +139,8 @@ fi
 xdotool windowactivate --sync "$WINDOW_ID" 2>/dev/null || true
 sleep 1
+dump_windows
+
 # Generate TOTP right before typing to avoid expiration
 TOTP=$(oathtool --totp=sha256 -b --digits=6 "$CERTUM_TOTP_SECRET")
@@ -172,6 +192,7 @@ if [[ "$TOKEN_READY" != "true" ]]; then
 exit 1
 fi
 echo "==> PKCS#11 token available"
+dump_windows
 # --- Start p11-kit server ---
@@ -211,6 +232,7 @@ echo "==> Key alias: $KEY_ALIAS"
 for f in "$@"; do
 echo "==> Signing $f..."
+ dump_windows
 java -jar "$JSIGN_JAR" \
 --storetype PKCS11 \
From f27e7c7625fc9359d20a791837c5c8286529c223 Mon Sep 17 00:00:00 2001
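Review bot: `dump_windows` (first hunk) returns non-zero whenever the last window enumerated has an empty name, because `[[ -n "$name" ]] && echo …` is the final command of the loop and its status becomes the function's. The script header is outside this hunk, but the many `|| true` guards suggest it runs under `set -e`, in which case a bare `dump_windows` call would abort the signing run from inside a debug helper. Replace the line with `if [[ -n "$name" ]]; then echo " wid=$wid name='$name'"; fi`, or end the function with `return 0`. The window titles also land in the CI log, so confirm none of them carries the account name.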
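Review bot: In the `@@ -92,6 +101,14 @@` hunk, `trap "kill $SCROT_PID 2>/dev/null || true" EXIT` replaces any EXIT trap set earlier and is itself dropped if a later one is installed. The rest of the script is outside the hunk, so check whether cleanup for Xvfb or SimplySign Desktop already hangs off EXIT and fold the kill into that handler. The capture directory is a fixed path created with the default umask and its images can show the login form, so on a shared or self-hosted runner `mkdir -p -m 700 /tmp/sign-screens` would keep them private to the job user.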
From: Manu
Date: Sun, 3 May 2026 22:11:48 +0100
Subject: [PATCH 2/2] fix(sign-windows): pin SSD 2.9.14 and dismiss version-check modal

Screenshots from the v0.0.0-debug1 run showed a "Newer application version is available (2.9.14)" modal popping in front of the login form right when xdotool started typing. The modal stole focus, swallowed the email and TOTP keystrokes, and the first Return only dismissed the modal; the WebKit OAuth panel was left without cached credentials, so the second Get Softcards List call (jsign signing) opened an empty panel that Certum cancels after 60s. Pin to 2.9.14-9.4.3.0 so the modal does not appear, and dismiss any version-check modal defensively in case Certum advertises a newer release in the future.
---
 scripts/windows-sign.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/scripts/windows-sign.sh b/scripts/windows-sign.sh
index d50174f2..7b438d16 100755
--- a/scripts/windows-sign.sh
+++ b/scripts/windows-sign.sh
@@ -54,7 +54,7 @@ echo "==> Dependencies installed"
 # --- Install SimplySign Desktop ---
-SSD_URL="https://files.certum.eu/software/SimplySignDesktop/Linux-Ubuntu/2.9.13-9.4.2.0/SimplySignDesktop-2.9.13-9.4.2.0-x86_64-prod-ubuntu.bin"
+SSD_URL="https://files.certum.eu/software/SimplySignDesktop/Linux-Ubuntu/2.9.14-9.4.3.0/SimplySignDesktop-2.9.14-9.4.3.0-x86_64-prod-ubuntu.bin"
 SSD_DIR="/opt/SimplySignDesktop"
 if [[ ! -d "$SSD_DIR" ]]; then
@@ -120,6 +120,19 @@ SSD_PID=$!
 sleep 8
 dump_windows
+# Dismiss "Newer application version is available" modal if it appeared.
+# It steals focus from the login form; if SSD ever falls behind Certum's
+# advertised version again we still want signing to proceed.
+VERSION_MODAL=$(xdotool search --name "Application version check" 2>/dev/null | head -1 || true)
+if [[ -n "$VERSION_MODAL" ]]; then
+ echo "==> Dismissing version-check modal (wid=$VERSION_MODAL)"
+ xdotool windowactivate --sync "$VERSION_MODAL" 2>/dev/null || true
+ sleep 0.5
+ xdotool key --window "$VERSION_MODAL" Escape
+ sleep 1
+ dump_windows
+fi
+
 echo "==> Searching for login window..."
 WINDOW_ID=$(timeout 30 xdotool search --sync --onlyvisible --name "SimplySign" 2>/dev/null | head -1 || true)
 if [[ -z "$WINDOW_ID" ]]; then
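Review bot: The version-check modal is looked up once, right after the fixed `sleep 8`, so a modal that maps later still lands in front of the login form and receives the e-mail and TOTP keystrokes; the commit message describes it appearing as typing started. A bounded wait such as `timeout 5 xdotool search --sync --name "Application version check"` (keeping the `| head -1 || true` tail) would cover the late case. The typing section, outside this hunk, should also confirm the login window holds focus before any secret is sent. `xdotool key --window "$VERSION_MODAL" Escape` is the only xdotool call here without `|| true`, so if the window vanishes first the script may abort under `set -e`. Since the modal was just activated, plain `xdotool key Escape || true` is simpler and avoids `--window` delivery, which some toolkits ignore.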