PIE-1057: Merge branch 'azure' to main

nat-goodspeed · nat-goodspeed · commit 7dec8574a117 · 2023-10-18T17:39:15.000-04:00
diff --git a/sign-pkg-windows/action.yaml b/sign-pkg-windows/action.yaml
@@ -3,15 +3,21 @@ description:
   Sign and package the Windows Linden viewer.
 
 inputs:
-  certificate:
-    description: "path to certificate file"
-    type: string
+  vault_uri:
+    description: "Azure key vault URI"
+    required: true
+  cert_name:
+    description: "Name of certificate on Azure"
+    required: true
+  client_id:
+    description: "Azure signer app clientId"
+    required: true
+  client_secret:
+    description: "Azure signer app clientSecret"
+    required: true
+  tenant_id:
+    description: "Azure signer app tenantId"
     required: true
-  services:
-    description: "space-separated list of timestamp service URLs"
-    type: string
-    required: false
-    default: "http://timestamp.globalsign.com/scripts/timstamp.dll http://timestamp.comodoca.com/authenticode"
 
 runs:
   using: composite
@@ -24,7 +30,11 @@ runs:
 
     - name: Install Python dependencies
       shell: bash
-      run: pip install pyng autobuild
+      run: pip install pyng
+
+    - name: Install AzureSignTool
+      shell: bash
+      run: dotnet tool install --global AzureSignTool
 
     - name: Sign the executables
       shell: bash
@@ -34,8 +44,11 @@ runs:
                    .app/llplugin/dullahan_host.exe
         do
             python "${{ github.action_path }}/sign.py" \
-                   --service ${{ inputs.services }} \
-                   --certificate "${{ inputs.certificate }}" \
+                   --vault_uri "${{ inputs.vault_uri }}" \
+                   --cert_name "${{ inputs.cert_name }}" \
+                   --client_id "${{ inputs.client_id }}" \
+                   --client_secret "${{ inputs.client_secret }}" \
+                   --tenant_id "${{ inputs.tenant_id }}" \
                    "$exe"
         done
 
@@ -80,8 +93,11 @@ runs:
         # pass installer to next step
         echo "installer=$installer" >> "$GITHUB_ENV"
         python "${{ github.action_path }}/sign.py" \
-               --service ${{ inputs.services }} \
-               --certificate "${{ inputs.certificate }}" \
+               --vault_uri "${{ inputs.vault_uri }}" \
+               --cert_name "${{ inputs.cert_name }}" \
+               --client_id "${{ inputs.client_id }}" \
+               --client_secret "${{ inputs.client_secret }}" \
+               --tenant_id "${{ inputs.tenant_id }}" \
                "$installer"
 
     - name: Post the installer
diff --git a/sign-pkg-windows/sign.py b/sign-pkg-windows/sign.py
@@ -3,7 +3,7 @@
 @file   sign.py
 @author Nat Goodspeed
 @date   2023-09-14
-@brief  Sign the designated executable using Windows signtool.
+@brief  Sign the designated executable using Microsoft AzureSignTool.
 
 $LicenseInfo:firstyear=2023&license=viewerlgpl$
 Copyright (c) 2023, Linden Research, Inc.
@@ -20,7 +20,6 @@
 from datetime import datetime, timedelta
 from pathlib import Path
 
-from autobuild.autobuild_tool_source_environment import SourceEnvError, _available_vsvers, load_vsvars
 from pyng.commands import Commands
 
 
@@ -38,94 +37,42 @@ class Error(Exception):
 
 # Interactively, don't print our int return value
 @command.format(lambda ret: None)
-def sign(executable, *, service: Iterable, certificate,
-         delay=5, retries=6, backoff=1.5, certwarning=14,
-         description='Second Life Setup'):
+def sign(executable, *, vault_uri, cert_name, client_id, client_secret, tenant_id,
+         certwarning=14):
     """
-    Sign the designated executable using Windows signtool.
+    Sign the designated executable using Microsoft AzureSignTool.
 
     Pass:
 
-    executable:  path to executable to sign
-    certificate: path to certificate file with authentication
-    service:     iterable of URLs to timestamp services
-    delay:       initial delay before signing attempt
-    retries:     number of times to attempt the signing operation
-    backoff:     scale factor by which to multiply delay for each retry
-    certwarning: warn if certificate will expire in fewer than this many days
-    description: pass to signtool
+    executable:    path to executable to sign
+    vault_uri:     Azure key vault URI
+    cert_name:     Name of certificate on Azure
+    client_id:     Azure signer app clientId
+    client_secret: Azure signer app clientSecret
+    tenant_id:     Azure signer app tenantId
+    certwarning:   warn if certificate will expire in fewer than this many days
     """
-    # First, locate signtool.
-    # Don't even pretend to support 32-bit any more.
-    os.environ['AUTOBUILD_ADDRSIZE'] = '64'
-    try:
-        vsver = _available_vsvers()[-1]
-    except SourceEnvError as err:
-        raise Error(str(err)) from err
-    except IndexError:
-        raise Error("Can't determine latest Visual Studio version, is it installed?")
-
-    try:
-        vsvars = load_vsvars(vsver)
-    except SourceEnvError as err:
-        raise Error(str(err)) from err
-
-    try:
-        # load_vsvars() returns an ordinary Python dict, that is,
-        # case-sensitive. Empirically the keys are all uppercase. We could go
-        # through the exercise of loading this data into a case-insensitive
-        # dict, but it's simpler to use an uppercase key.
-        VerBinPath = vsvars['WINDOWSSDKVERBINPATH']
-    except KeyError:
-        from pprint import pprint
-        pprint({key: value for key, value in vsvars.items() if 'Kits' in value})
-        raise Error(f"WindowsSdkVerBinPath not set by VS version {vsver}")
-
-    signtool = Path(VerBinPath) / 'X64' / 'signtool.exe'
-    assert signtool.is_file()
-
     name = Path(executable).name
 
-    # If we bang on the timestamp server too hard by signing executables
-    # back-to-back, we may get throttled.
-    # "Error: SignerSign() failed. (-1073700864/0xc000a000)"
-    # may be throttle-related, and it somehow fails the build despite the
-    # backoff loop meant to deal with it. (???)
-    # At any rate, a small fixed delay may keep us out of throttle trouble.
-    done = None
-    for retry in range(retries):
-        if retry:
-            print(f'{name} signing {retry} failed, ', end='')
-        print(f'waiting {delay:.1f} seconds')
-        time.sleep(delay)
-        delay *= backoff
-        # round-robin between listed services
-        svc = service[retry % len(service)]
-        command = [str(signtool), 'sign',
-                   '/f', certificate,
-                   '/t', svc,
-                   '/d', description,
-                   '/fd', 'sha256',
-                   '/v',
-                   executable]
-        try:
-            print(f'{name} attempt {retry+1}:', shlex.join(command))
-        except TypeError:
-            print(repr(command))
-            raise
-        done = subprocess.run(command,
-                              stdout=subprocess.PIPE,
-                              stderr=subprocess.STDOUT,
-                              text=True)
-        print(done.stdout, end='')
-        if done.returncode == 0:
-            break
-    else:
-        raise Error(f'{name} signing failed after {retries} attempts, giving up')
-
-    # Here the last of the retries succeeded, setting 'done'
+    command = ['AzureSignTool', 'sign',
+               '-kvu', vault_uri,
+               '-kvi', client_id,
+               '-kvt', tenant_id,
+               '-kvs', client_secret,
+               '-kvc', cert_name,
+               '-tr',  'http://timestamp.digicert.com',
+               '-v',   executable]
+    print(name, 'signing:', shlex.join(command))
+    done = subprocess.run(command,
+                          stdout=subprocess.PIPE,
+                          stderr=subprocess.STDOUT,
+                          text=True)
+    print(done.stdout, end='')
     rc = done.returncode
-    print('Signing succeeded')
+    if rc != 0:
+        raise Error(name + ' signing failed')
+
+    print(name, 'signing succeeded')
     # Check the certificate expiration date in the output to warn of imminent expiration
     for line in done.stdout.splitlines():
         found = ExpiresLine.search(line)
@@ -136,13 +83,14 @@ def sign(executable, *, service: Iterable, certificate,
             except ValueError:
                 raise Error('failed to parse expiration from: ' + line)
             else:
+                expires = expiration - datetime.now()
+                print(f'Certificate expires in {expires.days} days')
+                if expires < timedelta(certwarning):
+                    print(f'::warning::Certificate expires in {expires.days} days: {expiration}')
                 break
     else:
-        raise Error('Failed to find certificate expiration date')
-    expires = expiration - datetime.now()
-    print(f'Certificate expires in {expires.days} days')
-    if expires < timedelta(certwarning):
-        print(f'::warning::Certificate expires in {expires.days} days: {expiration}')
+##        raise Error('Failed to find certificate expiration date')
+        print('::warning::Failed to find certificate expiration date')
     return rc
 
 
