[COMPASS-4129] Upgrade windows installer libraries for signing dlls
Created: 03/Feb/20  Updated: 10/Jan/24  Resolved: 08/Jun/22

Status: Closed
Project: Compass
Component/s: Tech debt
Affects Version/s: None
Fix Version/s: No version

Type: Investigation Priority: Major - P3
Reporter: Lucas Hrabovsky (Inactive) Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Problem/Incident
is caused by COMPASS-4127 Windows ffmpeg.dll failed to sign Closed
Related
Documentation Changes: Not Needed

 Description   
  • Discovered in COMPASS-4127
  • After BUILD-2932, we can update the Windows installer system libraries (Squirrel.Windows) to sign DLLs and take advantage of all the other bug fixes to Squirrel.Windows since 2017. Upgrade electron-winstaller in hadron-build to latest (currently 4.0.0, but we're stuck on 2.5.1)


 Comments   
Comment by Maurizio Casimirri [ 08/Jun/22 ]

We updated electron-installer. To sign DLLs, though, we would need a different notary mechanism, as the notary-service currently does not support it.

Comment by Githook User [ 03/Feb/20 ]

Author: Lucas Hrabovsky (username: imlucas, email: hrabovsky.lucas@gmail.com)

Message: build: COMPASS-4127: Fix code signing on Windows (#1895)

Evergreen:
https://evergreen.mongodb.com/version/5e386060e3c3311158f8f2e2

## Todo

## Description

Rollback `electron-winstaller` to `2.5.1` for now. Don't upgrade until [BUILD-2932](https://jira.mongodb.org/browse/BUILD-2932) is done.

## Notes

[Evergreen windows builds](https://evergreen.mongodb.com/task/10gen_compass_master_windows_package_and_publish_compass_3d7b0895c3d7ed4aada6f997286a8a57d7f835b5_20_01_31_17_33_22) started failing with the electron 6 update:

```
[2020/01/31 12:47:29.021] × Error: Error: Failed with exit code: 4294967295

[2020/01/31 12:47:29.021] Output:
[2020/01/31 12:47:29.021] System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: '.\signtool.exe sign yes C:\Users\mci-exec\AppData\Local\SquirrelTemp\tempa\lib\net45\ffmpeg.dll'
[2020/01/31 12:47:29.021] at Squirrel.Update.Program.<signPEFile>d__17.MoveNext()
```

Normally, `Failed with exit code: 4294967295` means [the signtool.exe notary service client](https://jira.mongodb.org/browse/BUILD-920) is getting a 500 service error due to an outage.

However, all other OS were signing with no issues [see BUILD-10250](https://jira.mongodb.org/browse/BUILD-10250).

```
cd /cygdrive/z/data/mci/src/dist/MongoDBCompassDev-win32-x64;

$ ../../signtool.exe sign yes ffmpeg.dll
2020/02/03 16:34:55 Signing service didn't return a permalink

$ ../../signtool.exe sign yes libEGL.dll
2020/02/03 16:35:14 Signing service didn't return a permalink

$ ../../signtool.exe sign yes MongoDBCompassDev.exe
Worked
$ ../../signtool.exe sign yes Squirrel.exe
Worked
```

So, it can't be a service issue and must be something related to the changes to `hadron-build` for COMPASS-3933 electron 6 support.

Only a handful of commits and [e3ff85c9303bc43e56976226d10d6b9897324b66](https://github.com/mongodb-js/hadron-build/commit/e3ff85c9303bc43e56976226d10d6b9897324b66)
`electron-winstaller` was upgraded from `2.5.1` to `4.0.0`. This changed the effective version of the [Squirrel.Windows](https://github.com/Squirrel/Squirrel.Windows) framework electron uses for win32 auto-update:

In `electron-winstaller@2.5.2` → [squirrel.windows@1.5.2](https://github.com/Squirrel/Squirrel.Windows/releases/tag/1.5.2):

> ### Releasify now disallows non-Semver versions
>
> While using non-Semver versions in your NuGet package was always incorrect and resulted in undefined behavior, due to #868, these are now a full non-starter. We now require packages to have Semver-compatible versions names. Note that this doesn't affect your EXE versions, which can still use all four Win32 version numbers.
>
> ### Bug Fixes
>
> - Allow uppercase characters in SemVer versions (#924, thanks)
> - Sign DLL and .node files during Releasify
> - Ensure that Stub Executables pass along their parameters to the target

And now the facepalm moment; [BUILD-2932](https://jira.mongodb.org/browse/BUILD-2932) (created in 2017) as the notary service doesn't support dll signing the way we need it to.

## Motivation and Context
  • [x] Dependency update
## Dependents

mongodb-js/hadron-build#110

## Types of changes
Generated at Wed Feb 07 22:35:21 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.
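
An added example, not part of the ticket or of the Compass/hadron-build code: a check a release pipeline could run over the packaged output to list the `.exe`, `.dll` and `.node` files that carry no embedded Authenticode certificate table, which is the state a failed signing step leaves a file in. The names `cert_table`, `unsigned_binaries`, `sample_pe` and `demo` are hypothetical, and the sample binaries are constructed header stubs; the check shows only that a signature is present, not that it is valid.

```python
import struct
import tempfile
from pathlib import Path

SIGNABLE = {".exe", ".dll", ".node"}  # .exe plus the types the 1.5.2 notes say Releasify signs
SECURITY_DIR = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY

def cert_table(data: bytes):
    """Return (file_offset, size) of the Authenticode certificate table, or None if unsigned."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        opt = pe + 24                                        # skip signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+ data directories
        (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError(f"malformed PE header: {exc!r}") from exc
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table extends past end of file")
    return offset, size

def unsigned_binaries(dist_dir):
    """Names of signable files under dist_dir that have no certificate table."""
    return [p.name for p in sorted(Path(dist_dir).rglob("*"))
            if p.is_file() and p.suffix.lower() in SIGNABLE and cert_table(p.read_bytes()) is None]

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable binary."""
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + bytes(16 * 8)
    img = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20) + opt)
    if signed:  # point the security directory at 8 placeholder bytes appended to the file
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 8 * SECURITY_DIR, len(img), 8)
        img += bytes(8)
    return bytes(img)

def demo():
    """Constructed dist directory: DLLs unsigned, executable signed."""
    with tempfile.TemporaryDirectory() as d:
        for name, signed in [("ffmpeg.dll", False), ("libEGL.dll", False), ("Squirrel.exe", True)]:
            Path(d, name).write_bytes(sample_pe(signed))
        return unsigned_binaries(d)
```

Calling `unsigned_binaries()` on the real packaged directory after the signing step and failing the build on a non-empty result would surface unsigned DLLs even when the signing client's exit code is ambiguous.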