Improve trusted signing coverage, remove it from nightlies to control costs.

2025-01-24 23:23:47 +00:00 · 2025-01-24 23:23:47 +00:00 · d36c7ea161
parent 23cf9d3579
commit d36c7ea161
2 changed files with 24 additions and 5 deletions
--- a/.github/workflows/build_viewer.yml
+++ b/.github/workflows/build_viewer.yml
@ -6,6 +6,10 @@ on:
        description: 'Include tracy profiling builds'
        required: false
        default: 'false'
+      override_signing:
+        description: 'Manual builds are not signned by default. Force code signing for this run.'
+        required: false
+        default: 'false'
  push:
    branches:
      - "Firestorm*.*.*"
@ -141,7 +145,18 @@ jobs:
          echo "Building for channel ${FS_RELEASE_CHAN}"
          viewer_channel=${FS_RELEASE_CHAN}
        shell: bash
-        
+      - name: Check if release type is signable
+        if: runner.os == 'Windows'
+        run: |
+          if [[ "${FS_RELEASE_TYPE}" == "Release" || "${FS_RELEASE_TYPE}" == "Beta" ]]; then
+            CODESIGNING_ENABLED=true
+          else
+            CODESIGNING_ENABLED=false
+          fi
+          echo "CODESIGNING_ENABLED=${CODESIGNING_ENABLED}" >> $GITHUB_ENV
+          echo "Codesigning enabled: ${CODESIGNING_ENABLED}"
+        shell: bash
+    
      - name: Get the code
        uses: actions/checkout@v4
        with:
@ -261,7 +276,7 @@ jobs:
          done
        shell: bash

-      - name: Set expiration days based on FS_RELEASE_TYPE
+      - name: Set expiration days and codesigning based on FS_RELEASE_TYPE
        run: |
          case "${{ env.FS_RELEASE_TYPE }}" in
            "Nightly" | "Manual" | "Profiling")
@ -315,8 +330,8 @@ jobs:
            }' > ${{github.workspace}}/metadata.json
          echo "CODESIGNING_METADATA_PATH=${{github.workspace}}/metadata.json" >> $env:GITHUB_ENV            
        shell: pwsh
-      - name: Validate Windows 10 SDK version and find signtool.exe
-        if: runner.os == 'Windows'
+      - name: Validate Windows 10 SDK version and find signtool.exe IFF codesigning is enabled for these builds or overridden
+        if: ${{ runner.os == 'Windows' && (env.CODESIGNING_ENABLED == 'true' || github.event.inputs.override_signing == 'true') }}
        id: validate-sdk
        run: |
          try {
--- a/indra/newview/fs_viewer_manifest.py
+++ b/indra/newview/fs_viewer_manifest.py
@ -63,10 +63,13 @@ class FSViewerManifest:
        signtool_path = os.getenv('SIGNTOOL_PATH')
        codesigning_dlib_path = os.getenv('CODESIGNING_DLIB_PATH')
        metadata_file = os.getenv("CODESIGNING_METADATA_PATH")
+        # at some point we might want to sign other DLLs as well.
        executable_paths = [
-            self.args['configuration'] + "\\firestorm-bin.exe",
+            # self.args['configuration'] + "\\firestorm-bin.exe", # no need to sign this we are not packaging it.
            self.args['configuration'] + "\\slplugin.exe",
            self.args['configuration'] + "\\SLVoice.exe",
+            self.args['configuration'] + "\\llwebrtc.dll",
+            self.args['configuration'] + "\\llplugin\\dullahan_host.exe",
            self.args['configuration'] + "\\" + self.final_exe()
        ]

@ -82,6 +85,7 @@ class FSViewerManifest:
                    "/tr", "http://timestamp.acs.microsoft.com", "/td", "SHA256",
                    "/dlib", codesigning_dlib_path, "/dmdf", metadata_file, exe_path
                ], stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+                print(f"Signed {exe_path}")
            except Exception as e:
                print(f"Couldn't sign binary: {exe_path}. Error: {e}")