chore: automate signing (#174)

crystall-bitquill · web-flow · commit 2773ed82929c · 2024-02-22T11:22:51.000-08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -180,6 +180,25 @@ jobs:
       - name: Run build installer script
         run: |
           .\build_installer.ps1 x64 ${{ env.BUILD_TYPE}} "${{env.CMAKE_GENERATOR}}" C:/mysql-${{ vars.MYSQL_VERSION }}-winx64
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-skip-session-tagging: true
+          aws-access-key-id: ${{ secrets.AWS_BUILD_KEY }}
+          aws-secret-access-key: ${{ secrets.AWS_BUILD_SECRET_KEY }}
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
+          role-duration-seconds: 3600
+
+      - name: Run signer script
+        shell: pwsh
+        working-directory: ./scripts
+        run: |
+          choco upgrade jq -y
+          . ".\sign_installer.ps1"
+          Invoke-SignInstaller ${{ github.workspace }}\wix winx64a ${{github.ref_name}} ${{ secrets.AWS_UNSIGNED_BUCKET }} ${{ secrets.AWS_SIGNED_BUCKET }} ${{ secrets.AWS_S3_KEY }}aws-mysql-odbc-${{github.ref_name}}-winx64a.msi
       
       - name: Upload Windows installer as artifact
         if: success()
diff --git a/docs/building-the-aws-driver/BuildingTheAwsDriver.md b/docs/building-the-aws-driver/BuildingTheAwsDriver.md
@@ -15,11 +15,11 @@
     cmake -S . -B build -G "Visual Studio 16 2019" -DMYSQL_DIR="C:\Program Files\MySQL\MySQL Server 8.0" -DMYSQLCLIENT_STATIC_LINKING=TRUE
     cmake --build build --config Release
     ```
-4. To build the installer, MySQL 8.0.31 is required. Other MySQL versions may not work. Download the [MySQL 8.0.31](https://downloads.mysql.com/archives/community/) ZIP archive or msi installer. If the zip archive is used, unzip it to a folder before using it.
+4. To build the installer, MySQL 8.0.36 is required. Other MySQL versions may not work. Download the [MySQL 8.0.36](https://downloads.mysql.com/archives/community/) ZIP archive or msi installer. If the zip archive is used, unzip it to a folder before using it.
 
-    Run `build_installer.ps1` with specified MySQL 8.0.31 installation or unzipped folder path in a developer powershell. For example
+    Run `build_installer.ps1` with specified MySQL 8.0.36 installation or unzipped folder path in a developer powershell. For example
     ```
-    .\build_installer.ps1 x64 Release "Visual Studio 16 2019"  "C:\Users\Roy\Downloads\mysql-8.0.31-winx64\mysql-8.0.31-winx64"
+    .\build_installer.ps1 x64 Release "Visual Studio 16 2019"  "C:\Users\MyUser\Downloads\mysql-8.0.36-winx64\mysql-8.0.36-winx64"
     ```
 
 ### Troubleshooting:
diff --git a/scripts/sign_installer.ps1 b/scripts/sign_installer.ps1
@@ -0,0 +1,119 @@
+# Sign a single file
+function Invoke-SignFile {
+    [OutputType([Boolean])]
+    Param(
+        # The path to the file to sign
+        [Parameter(Mandatory=$true)]
+        [string]$SourcePath,
+        # The path to the signed file
+        [Parameter(Mandatory=$true)]
+        [string]$TargetPath,
+        # The name of the unsigned AWS bucket
+        [Parameter(Mandatory=$true)]
+        [string]$AwsUnsignedBucket,
+        [Parameter(Mandatory=$true)]
+        # The name of the signed AWS bucket
+        [string]$AwsSignedBucket,
+        # The name of the AWS key
+        [Parameter(Mandatory=$true)]
+        [string]$AwsKey,
+        [Parameter(Mandatory=$false)]
+        [bool]$AsMockResponse=$false
+    )
+
+    Write-Host "Signing is enabled. Will attempt to sign"
+    
+    # Remember to install 'jq' dependency before
+    if ($AsMockResponse) {
+        Copy-Item $SourcePath $TargetPath
+        return $true
+    }
+    
+    # Upload unsigned .msi to S3 Bucket
+    Write-Host "Obtaining version id and uploading unsigned .msi to S3 Bucket"
+    $versionId = $( aws s3api put-object --bucket $AwsUnsignedBucket --key $AwsKey --body $SourcePath --acl bucket-owner-full-control | jq '.VersionId' )
+    $jobId = ""
+
+    if ([string]::IsNullOrEmpty($versionId)) {
+        Write-Host "Failed to PUT unsigned file in bucket."
+        return $false
+    }
+    
+    # Attempt to get Job ID from bucket tagging, will retry up to 3 times before exiting with a failure code.
+    # Will sleep for 5 seconds between retries.
+    Write-Host "Attempt to get Job ID from bucket tagging, will retry up to 3 times before exiting with a failure code."
+    for ( $i = 0; $i -lt 3; $i++ ) {
+        # Get job ID
+        $id=$( aws s3api get-object-tagging --bucket $AwsUnsignedBucket --key $AwsKey --version-id $versionId | jq -r '.TagSet[0].Value' )
+        if ( $id -ne "null" ) {
+            $jobId = $id
+            break
+        }
+    
+        Write-Host "Will sleep for 5 seconds between retries."
+        Start-Sleep -Seconds 5
+    }
+    
+    if ( $jobId -eq "" ) {
+        Write-Host "Exiting because unable to retrieve job ID"
+        return $false
+    }
+    
+    # Poll signed S3 bucket to see if the signed artifact is there
+    Write-Host "Poll signed S3 bucket to see if the signed artifact is there"
+    aws s3api wait object-exists --bucket $AwsSignedBucket --key $AwsKey-$jobId
+    
+    # Get signed msi from S3
+    Write-Host "Get signed msi from S3 to $TargetPath"
+    aws s3api get-object --bucket $AwsSignedBucket --key $AwsKey-$jobId $TargetPath
+    
+    Write-Host "Signing completed"
+    return $true
+}
+
+# Sign the installer file for architecture and ODBC version
+function Invoke-SignInstaller {
+    [OutputType([Boolean])]
+    Param(
+        # The path to the build directory.
+        [Parameter(Mandatory=$true)]
+        [string]$BuildDir,
+        # The architecture name.
+        [Parameter(Mandatory=$true)]
+        [string]$Architecture,
+        # The ODBC version.
+        [Parameter(Mandatory=$true)]
+        [string]$OdbcVersion,
+        # The name of the unsigned AWS bucket
+        [Parameter(Mandatory=$true)]
+        [string]$AwsUnsignedBucket,
+        [Parameter(Mandatory=$true)]
+        # The name of the signed AWS bucket
+        [string]$AwsSignedBucket,
+        # The name of the AWS key
+        [Parameter(Mandatory=$true)]
+        [string]$AwsKey,
+        [Parameter(Mandatory=$false)]
+        [bool]$AsMockResponse=$false
+    )
+
+    $unsignedInstallerPath=$(Join-Path $BuildDir "aws-mysql-odbc-$OdbcVersion-$Architecture.msi")
+    $signedInstallerPath=$(Join-Path $BuildDir "aws-mysql-odbc-$OdbcVersion-$Architecture-signed.msi")
+    
+    Write-Host "unsignedInstallerPath=${unsignedInstallerPath}"
+    Write-Host "signedInstallerPath=${signedInstallerPath}"
+
+    # Sign the installer
+    Write-Host "Signing the installer."
+    if ( !(Invoke-SignFile $unsignedInstallerPath $signedInstallerPath $AwsUnsignedBucket $AwsSignedBucket $AwsKey -AsMockResponse $AsMockResponse) ) {
+        Write-Host "Failed to sign installer file."
+        return $false
+    }
+
+    # Remove unsigned installer and remove "-signed" in signed installer name
+    Write-Host "Removing unsigned executable."
+    Remove-Item -Path $unsignedInstallerPath
+    Rename-Item -Path $signedInstallerPath -NewName "awsmysql-odbc-$OdbcVersion-$Architecture.msi"
+
+    return $true
+}
