Skip to content

Make sure chrome-sandbox has setuid bit #13761

Make sure chrome-sandbox has setuid bit

Make sure chrome-sandbox has setuid bit #13761

Workflow file for this run

name: Package
on:
pull_request:
paths-ignore:
- '.github/actions/spelling/**'
- 'docs/**'
- '**.md'
push:
branches:
- main
- release-*
tags:
- '*'
workflow_dispatch:
inputs:
sign:
type: boolean
default: true
description: Whether to check signing result
defaults:
run:
shell: bash
jobs:
check-paths:
uses: ./.github/workflows/paths-ignore.yaml
with:
paths-ignore-globs: |
.github/actions/spelling/**
docs/**
**.md
package:
needs: check-paths
if: needs.check-paths.outputs.should-run == 'true'
strategy:
matrix:
include:
- platform: mac
arch: x86_64
runs-on: macos-13
- platform: mac
arch: aarch64
runs-on: macos-latest
- platform: win
runs-on: windows-2019
- platform: linux
runs-on: ubuntu-20.04
runs-on: ${{ matrix.runs-on }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Needed to run `git describe` to get full version info
fetch-depth: 0
- uses: ./.github/actions/yarn-install
- run: yarn build
- run: yarn package
- name: Build bats.tar.gz
if: matrix.platform == 'linux'
run: make -C bats bats.tar.gz
- name: Upload bats.tar.gz
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'linux'
with:
name: bats.tar.gz
path: bats/bats.tar.gz
if-no-files-found: error
- name: Upload mac disk image
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'mac'
with:
name: Rancher Desktop.${{ matrix.arch }}.dmg
path: dist/Rancher Desktop*.dmg
if-no-files-found: error
- name: Upload mac zip
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'mac'
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
path: dist/Rancher Desktop*.zip
if-no-files-found: error
- name: Upload Windows installer
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'win'
with:
name: Rancher Desktop Setup.msi
path: dist/Rancher.Desktop*.msi
if-no-files-found: error
- name: Upload Windows zip
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'win'
with:
name: Rancher Desktop-win.zip
path: dist/Rancher Desktop-*-win.zip
if-no-files-found: error
- name: Upload Linux zip
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.platform == 'linux'
with:
name: Rancher Desktop-linux.zip
path: dist/rancher-desktop-*-linux.zip
if-no-files-found: error
- name: Trigger OBS build
if: matrix.platform == 'linux' && github.ref_type == 'branch' && ( startsWith(github.ref_name, 'main') || startsWith(github.ref_name, 'release-') )
run: |
if [[ -z $AWS_ACCESS_KEY_ID ]] || [[ -z $OBS_WEBHOOK_TOKEN ]]; then
echo "Secrets unavailable, skipping."
exit 0
fi
# in pull requests GITHUB_REF_NAME is in the form "<pr_number>/merge";
# remove slashes since they aren't valid in filenames
no_slash_ref_name="${GITHUB_REF_NAME//\//-}"
zip_name="rancher-desktop-linux-${no_slash_ref_name}.zip"
# Copy zip file to S3
aws s3 cp \
dist/rancher-desktop-*-linux.zip \
"s3://rancher-desktop-assets-for-obs/$zip_name"
# Trigger OBS services for relevant package in dev channel
curl -X POST \
-H "Authorization: Token ${OBS_WEBHOOK_TOKEN}" \
"https://build.opensuse.org/trigger/runservice?project=isv:Rancher:dev&package=rancher-desktop-${GITHUB_REF_NAME}"
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
OBS_WEBHOOK_TOKEN: ${{ secrets.OBS_WEBHOOK_TOKEN }}
sign-win:
name: Test Signing (Windows)
needs: package
runs-on: windows-2022
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: ./.github/actions/yarn-install
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
name: Download artifact
with:
name: Rancher Desktop-win.zip
- name: Generate test signing certificate
shell: powershell
run: |
$cert = New-SelfSignedCertificate `
-Type Custom `
-Subject "CN=Rancher-Sandbox, C=CA" `
-KeyUsage DigitalSignature `
-CertStoreLocation Cert:\CurrentUser\My `
-FriendlyName "Rancher-Sandbox Code Signing" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
Write-Output $cert
Write-Output "CSC_FINGERPRINT=$($cert.Thumbprint)" `
| Out-File -Append -Encoding ASCII "${env:GITHUB_ENV}"
timeout-minutes: 1
- name: Sign artifact
shell: powershell
run: yarn sign (Get-Item "Rancher Desktop*-win.zip")
timeout-minutes: 10
- name: Verify installer signature
shell: powershell
run: |
$usedCert = (Get-AuthenticodeSignature -FilePath 'dist\Rancher*Desktop*.msi').SignerCertificate
Write-Output $usedCert
if ($usedCert.Thumbprint -ne $env:CSC_FINGERPRINT) {
Throw "Installer signed with wrong certificate"
}
timeout-minutes: 1
sign-mac:
name: Test Signing (macOS)
needs: package
strategy:
matrix:
include:
- arch: aarch64
# skip x86_64, we don't need to duplicate the testing for now.
runs-on: macos-latest
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: ./.github/actions/yarn-install
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
name: Download artifact
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
- name: Generate test signing certificate
run: |
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-keyform pem -sha256 -days 3650 -nodes -subj \
"/C=CA/CN=RD Test Signing Key" \
-addext keyUsage=critical,digitalSignature \
-addext extendedKeyUsage=critical,codeSigning
# Create a custom keychain so we can unlock it properly.
security create-keychain -p "" tmp.keychain
security default-keychain -d user -s tmp.keychain
security unlock-keychain -p "" tmp.keychain
security set-keychain-settings -u tmp.keychain # Disable keychain auto-lock
security import key.pem -k tmp.keychain -t priv -A
security import cert.pem -k tmp.keychain -t cert -A
security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
-k "" tmp.keychain
# Print out the valid certificates for debugging.
security find-identity
# Determine the key fingerprint.
awk_expr='/)/ { print $2 ; exit }'
hash="$(security find-identity | awk "$awk_expr")"
echo "CSC_FINGERPRINT=${hash}" >> "$GITHUB_ENV"
timeout-minutes: 1
- name: Flag build for M1
if: matrix.arch == 'aarch64'
run: echo "M1=1" >> "${GITHUB_ENV}"
- name: Sign artifact
run: |
for zip in Rancher\ Desktop-*mac*.zip; do
echo "::group::Signing ${zip}"
yarn sign --skip-notarize --skip-constraints "${zip}"
echo "::endgroup::"
done
timeout-minutes: 15
- name: Verify signature
run: |
codesign --verify --deep --strict --verbose=2 dist/*.dmg
codesign --verify --deep --strict --verbose=2 dist/*.zip
timeout-minutes: 5