Closed rantoniuk closed 1 year ago
bayrakmustafa
commented
1 year ago @rantoniuk We made an update about this. Can you test the final version in develop branch? You should see a log saying Extract CodeSignTool from download path in the log.
rantoniuk
commented
1 year ago I see that message in the logs, but it is still downloaded twice and the temp dir in the second run is different:
Run sslcom/esigner-codesign@develop
...
Extract CodeSignTool from download path C:\a\_temp\d359a464-5754-4b5a-8b88-67feb7635ae0 to ....
...
...
...
CodeSignTool from download path C:\a\_temp\8e1c53c6-7166-460d-a6f1-548b879bd861 to ...Same applies to downloading JDK:
Trying to resolve the latest version from remote
Resolved latest version as 11.0.21.9.1
Trying to download...
Downloading Java 11.0.21.9.1 (Corretto) fromit's also downloaded twice.
The point here is not re-download the tool itself and JDK and re-use the already downloaded tool.
The original error of EEXIST: file already exists is now indeed fixed but in a not efficient way, because the tool is still downloaded twice in the same workflow run - hope that makes sense.
bayrakmustafa
commented
1 year ago @rantoniuk I wrote the wrong log, it looked like it was downloading twice. https://github.com/SSLcom/esigner-codesign/actions/runs/6704246071/job/18216329917 If you look at the logs here, it only downloads once CodeSignTool. I need to look separately for Java installation. I will work on a separate solution for that.
rantoniuk
commented
1 year ago @rantoniuk I wrote the wrong log, it looked like it was downloading twice. https://github.com/SSLcom/esigner-codesign/actions/runs/6704246071/job/18216329917 If you look at the logs here, it only downloads once CodeSignTool.
That's not what I saw in my logs yesterday, but if you say it should be fine then ok. Just to be sure, attaching the more complete log:
Downloading CodeSignTool from https://github.com/SSLcom/CodeSignTool/releases/download/v1.2.7/CodeSignTool-v1.2.7-windows.zip
Creating CodeSignTool extract path C:\a\xxx\xxx\codesign
Created CodeSignTool extract path C:\a\xxx\xxx\codesign
"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command "$ErrorActionPreference = 'Stop' ; try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ; try { [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\a\_temp\d359a464-5754-4b5a-8b88-67feb7635ae0', 'C:\a\xxx\xxx\codesign', $true) } catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath 'C:\a\_temp\d359a464-5754-4b5a-8b88-67feb7635ae0' -DestinationPath 'C:\a\xxx\xxx\codesign' -Force } else { throw $_ } } ;"
Extract CodeSignTool from download path C:\a\_temp\d359a464-5754-4b5a-8b88-67feb7635ae0 to C:\a\xxx\xxx\codesign
Archive name: CodeSignTool-v1.2.7, C:\a\xxx\xxx\codesign\CodeSignTool-v1.2.7-windowsDownloading CodeSignTool from https://github.com/SSLcom/CodeSignTool/releases/download/v1.2.7/CodeSignTool-v1.2.7-windows.zip
Creating CodeSignTool extract path C:\a\xxx\xxx\codesign
"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command "$ErrorActionPreference = 'Stop' ; try { Add-Type -AssemblyName System.IO.Compression.ZipFile } catch { } ; try { [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\a\_temp\8e1c53c6-7166-460d-a6f1-548b879bd861', 'C:\a\xxx\xxx\codesign', $true) } catch { if (($_.Exception.GetType().FullName -eq 'System.Management.Automation.MethodException') -or ($_.Exception.GetType().FullName -eq 'System.Management.Automation.RuntimeException') ){ Expand-Archive -LiteralPath 'C:\a\_temp\8e1c53c6-7166-460d-a6f1-548b879bd861' -DestinationPath 'C:\a\xxx\xxx\codesign' -Force } else { throw $_ } } ;"
Extract CodeSignTool from download path C:\a\_temp\8e1c53c6-7166-460d-a6f1-548b879bd861 to C:\a\xxx\xxx\codesign
Archive name: CodeSignTool-v1.2.7, C:\a\xxx\xxx\codesign\CodeSignTool-v1.2.7-windowsI need to look separately for Java installation. I will work on a separate solution for that.
🚀
rantoniuk
commented
1 year ago @bayrakmustafa I just did a re-run with @develop and unfortunately I can't confirm this is fixed (i.e. in terms of performance).
I still see the tool is downloaded twice to two different temporary directories:
1st step:
Extract CodeSignTool from download path C:\a\_temp\ff917438-dac5-4f22-97aa-c87ebb1ce2d0 to C:\a\myapp\codesign
2nd step:
Extract CodeSignTool from download path C:\a\_temp\1ad6912c-0c1a-4ecc-b975-fc77e68f5856 to C:\a\myapp\codesignOf course, the same applies for JDK. Do you have another issue open that I can watch for a fix?
bayrakmustafa
commented
1 year ago @rantoniuk Are you signing on different github action jobs? I did my tests in the same job. Can you share the Github action yml file?
rantoniuk
commented
1 year ago Same job, different steps:
jobs:
build-app:
runs-on: Windows-8CPU-32GB
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Checkout ScopePy"
uses: actions/checkout@v4
with:
repository: org/repo2
ref: ${{ github.event.inputs.branch }}
token: ${{ secrets.token }}
path: repo2
...
- name: "Run pyinstaller app"
working-directory: repo2
run: |
pyinstaller --noconfirm app.spec
...
- name: Sign exe with CodeSignTool
uses: sslcom/esigner-codesign@develop
with:
command: sign
username: ${{ secrets.SSL_COM_TEST_USERNAME }}
password: ${{ secrets.SSL_COM_TEST_PASSWORD }}
credential_id: ${{ secrets.SSL_COM_TEST_CREDENTIAL_ID }}
totp_secret: ${{ secrets.SSL_COM_TEST_TOTP_SECRET }}
file_path: repo2/dist/starter/App.exe
output_path: repo2/dist/app
malware_block: false
override: false
environment_name: TEST
clean_logs: true
jvm_max_memory: 4096M
...
some other build actions to prepare the final package
...
- name: Sign package with CodeSignTool
uses: sslcom/esigner-codesign@develop
with:
command: sign
username: ${{ secrets.SSL_COM_TEST_USERNAME }}
password: ${{ secrets.SSL_COM_TEST_PASSWORD }}
credential_id: ${{ secrets.SSL_COM_TEST_CREDENTIAL_ID }}
totp_secret: ${{ secrets.SSL_COM_TEST_TOTP_SECRET }}
file_path: Output/App-${{ github.event.inputs.version }}-unsigned.exe
output_path: Output/signed
malware_block: true
override: false
environment_name: TEST
clean_logs: true
jvm_max_memory: 4096M
Note that the working directory is different, in the first step it's repo2, in the second it's Output - however, for the signing tool it should be irrelevant.
bayrakmustafa
commented
1 year ago @rantoniuk It's a problem with windows runner. I solved the problem. I also worked on Java installation. It only needs to download once. Can you test again?
rantoniuk
commented
1 year ago All looks good now, thanks a lot!
JDK home: C:\hostedtoolcache\windows\Java_Corretto_jdk\11.0.21.9.1\x64
JDK version: 11
JDK is already installed C:\hostedtoolcache\windows\Java_Corretto_jdk\11.0.21.9.1\x64Please throw in here a comment when it's tagged/released.
rantoniuk
commented
1 year ago @bayrakmustafa any chance for 1.2.9 release with this? thanks in advance!
bayrakmustafa
commented
12 months ago @bayrakmustafa any chance for 1.2.9 release with this? thanks in advance!
@rantoniuk I released version 1.2.9. You can use it :)
During the codesign process, the action downloads the code and extracts it:
In our case, we're signing twice in our pipeline run, once the application package executable file and once the whole installation executable file. Because of that, the action is used twice in the workflow definition and during the second run it fails with:
For now we have a temporary workaround where between the signing steps, we forcibly remove that directory with
rm -rfbut that results in the action needing to re-download the tool again.@bayrakmustafa could you take a look if a check could be added somewhere that if this directory already exists?