win-exe.yml 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378
  1. name: Build Windows Installer
  2. on:
  3. release:
  4. types: [published]
  5. workflow_dispatch:
  6. inputs:
  7. version:
  8. description: 'Version'
  9. required: false
  10. isDebug:
  11. description: 'Build debug version with console output'
  12. type: boolean
  13. env:
  14. JAVA_DIST: 'temurin'
  15. JAVA_VERSION: 20
  16. OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/20.0.2/openjfx-20.0.2_windows-x64_bin-jmods.zip'
  17. OPENJFX_JMODS_AMD64_HASH: '18625bbc13c57dbf802486564247a8d8cab72ec558c240a401bf6440384ebd77'
  18. defaults:
  19. run:
  20. shell: bash
  21. jobs:
  22. get-version:
  23. uses: ./.github/workflows/get-version.yml
  24. with:
  25. version: ${{ inputs.version }}
  26. build-msi:
  27. name: Build .msi Installer
  28. runs-on: windows-latest
  29. needs: [get-version]
  30. env:
  31. LOOPBACK_ALIAS: 'cryptomator-vault'
  32. WIN_CONSOLE_FLAG: ''
  33. steps:
  34. - uses: actions/checkout@v4
  35. - name: Setup Java
  36. uses: actions/setup-java@v3
  37. with:
  38. distribution: ${{ env.JAVA_DIST }}
  39. java-version: ${{ env.JAVA_VERSION }}
  40. check-latest: true
  41. cache: 'maven'
  42. - name: Download and extract JavaFX jmods from Gluon
  43. #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
  44. run: |
  45. curl --output jfxjmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
  46. if(!(Get-FileHash -Path jfxjmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
  47. throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
  48. }
  49. Expand-Archive -Path jfxjmods.zip -DestinationPath jfxjmods
  50. Get-ChildItem -Path jfxjmods -Recurse -Filter "*.jmod" | ForEach-Object { Move-Item -Path $_ -Destination $_.Directory.Parent}
  51. shell: pwsh
  52. - name: Ensure major jfx version in pom and in jmods is the same
  53. run: |
  54. JMOD_VERSION_AMD64=$(jmod describe jfxjmods/javafx.base.jmod | head -1)
  55. JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64#*@}
  56. JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64%%.*}
  57. POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
  58. POM_JFX_VERSION=${POM_JFX_VERSION#*@}
  59. POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
  60. if [ $POM_JFX_VERSION -ne $JMOD_VERSION_AMD64 ]; then
  61. >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != amd64 jmod version (${JMOD_VERSION_AMD64})"
  62. exit 1
  63. fi
  64. - name: Set version
  65. run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
  66. - name: Run maven
  67. run: mvn -B clean package -Pdependency-check,win -DskipTests
  68. - name: Patch target dir
  69. run: |
  70. cp LICENSE.txt target
  71. cp target/cryptomator-*.jar target/mods
  72. - name: Run jlink
  73. run: >
  74. ${JAVA_HOME}/bin/jlink
  75. --verbose
  76. --output runtime
  77. --module-path "jfxjmods;${JAVA_HOME}/jmods"
  78. --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
  79. --strip-native-commands
  80. --no-header-files
  81. --no-man-pages
  82. --strip-debug
  83. --compress=1
  84. - name: Change win-console flag if debug is active
  85. if: ${{ inputs.isDebug }}
  86. run: echo "WIN_CONSOLE_FLAG=--win-console" >> $GITHUB_ENV
  87. - name: Run jpackage
  88. run: >
  89. ${JAVA_HOME}/bin/jpackage
  90. --verbose
  91. --type app-image
  92. --runtime-image runtime
  93. --input target/libs
  94. --module-path target/mods
  95. --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator
  96. --dest appdir
  97. --name Cryptomator
  98. --vendor "Skymatic GmbH"
  99. --copyright "(C) 2016 - 2023 Skymatic GmbH"
  100. --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
  101. --java-options "--enable-preview"
  102. --java-options "--enable-native-access=org.cryptomator.jfuse.win"
  103. --java-options "-Xss5m"
  104. --java-options "-Xmx256m"
  105. --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
  106. --java-options "-Dfile.encoding=\"utf-8\""
  107. --java-options "-Djava.net.useSystemProxies=true"
  108. --java-options "-Dcryptomator.logDir=\"@{localappdata}/Cryptomator\""
  109. --java-options "-Dcryptomator.pluginDir=\"@{appdata}/Cryptomator/Plugins\""
  110. --java-options "-Dcryptomator.settingsPath=\"@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json\""
  111. --java-options "-Dcryptomator.p12Path=\"@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12\""
  112. --java-options "-Dcryptomator.ipcSocketPath=\"@{localappdata}/Cryptomator/ipc.socket\""
  113. --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Cryptomator\""
  114. --java-options "-Dcryptomator.loopbackAlias=\"${{ env.LOOPBACK_ALIAS }}\""
  115. --java-options "-Dcryptomator.showTrayIcon=true"
  116. --java-options "-Dcryptomator.buildNumber=\"msi-${{ needs.get-version.outputs.revNum }}\""
  117. --java-options "-Dcryptomator.integrationsWin.autoStartShellLinkName=\"Cryptomator\""
  118. --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json\""
  119. --java-options "-Djavafx.verbose=${{ inputs.isDebug }}"
  120. --resource-dir dist/win/resources
  121. --icon dist/win/resources/Cryptomator.ico
  122. ${WIN_CONSOLE_FLAG}
  123. - name: Patch Application Directory
  124. run: |
  125. cp dist/win/contrib/* appdir/Cryptomator
  126. - name: Set LOOPBACK_ALIAS in patchWebDAV.bat
  127. shell: pwsh
  128. run: |
  129. $patchScript = "appdir\Cryptomator\patchWebDAV.bat"
  130. try {
  131. (Get-Content $patchScript ) -replace '::REPLACE ME', "SET LOOPBACK_ALIAS=`"${{ env.LOOPBACK_ALIAS}}`"" | Set-Content $patchScript
  132. } catch {
  133. Write-Host "Failed to set LOOPBACK_ALIAS for patchWebDAV.bat"
  134. exit 1
  135. }
  136. - name: Fix permissions
  137. run: attrib -r appdir/Cryptomator/Cryptomator.exe
  138. shell: pwsh
  139. - name: Extract integrations DLL for code signing
  140. shell: pwsh
  141. run: gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --extract integrations.dll }
  142. - name: Codesign
  143. uses: skymatic/code-sign-action@v2
  144. with:
  145. certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
  146. password: ${{ secrets.WIN_CODESIGN_P12_PW }}
  147. certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
  148. description: Cryptomator
  149. timestampUrl: 'http://timestamp.digicert.com'
  150. folder: appdir/Cryptomator
  151. recursive: true
  152. - name: Repack signed DLL into jar
  153. shell: pwsh
  154. run: |
  155. gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --update integrations.dll; Remove-Item integrations.dll}
  156. - name: Generate license for MSI
  157. run: >
  158. mvn -B license:add-third-party
  159. "-Dlicense.thirdPartyFilename=license.rtf"
  160. "-Dlicense.outputDirectory=dist/win/resources"
  161. "-Dlicense.fileTemplate=dist/win/resources/licenseTemplate.ftl"
  162. "-Dlicense.includedScopes=compile"
  163. "-Dlicense.excludedGroups=^org\.cryptomator"
  164. "-Dlicense.failOnMissing=true"
  165. "-Dlicense.licenseMergesUrl=file:///${{ github.workspace }}/license/merges"
  166. shell: pwsh
  167. - name: Create MSI
  168. run: >
  169. ${JAVA_HOME}/bin/jpackage
  170. --verbose
  171. --type msi
  172. --win-upgrade-uuid bda45523-42b1-4cae-9354-a45475ed4775
  173. --app-image appdir/Cryptomator
  174. --dest installer
  175. --name Cryptomator
  176. --vendor "Skymatic GmbH"
  177. --copyright "(C) 2016 - 2023 Skymatic GmbH"
  178. --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
  179. --win-menu
  180. --win-dir-chooser
  181. --win-shortcut-prompt
  182. --win-update-url "https:\\cryptomator.org"
  183. --win-menu-group Cryptomator
  184. --resource-dir dist/win/resources
  185. --license-file dist/win/resources/license.rtf
  186. --file-associations dist/win/resources/FAvaultFile.properties
  187. env:
  188. JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
  189. - name: Codesign MSI
  190. uses: skymatic/code-sign-action@v2
  191. with:
  192. certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
  193. password: ${{ secrets.WIN_CODESIGN_P12_PW }}
  194. certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
  195. description: Cryptomator Installer
  196. timestampUrl: 'http://timestamp.digicert.com'
  197. folder: installer
  198. - name: Add possible alpha/beta tags to installer name
  199. run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-x64.msi
  200. - name: Create detached GPG signature with key 615D449FE6E6A235
  201. run: |
  202. echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
  203. echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a Cryptomator-*.msi
  204. env:
  205. GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
  206. GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
  207. - name: Upload artifacts
  208. uses: actions/upload-artifact@v3
  209. with:
  210. name: msi
  211. path: |
  212. Cryptomator-*.msi
  213. Cryptomator-*.asc
  214. if-no-files-found: error
  215. - name: Publish .msi on GitHub Releases
  216. if: startsWith(github.ref, 'refs/tags/')
  217. uses: softprops/action-gh-release@v1
  218. with:
  219. fail_on_unmatched_files: true
  220. token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
  221. files: |
  222. *.msi
  223. *.asc
  224. build-exe:
  225. name: Build .exe installer
  226. runs-on: windows-latest
  227. needs: [get-version, build-msi]
  228. steps:
  229. - uses: actions/checkout@v4
  230. - name: Download .msi
  231. uses: actions/download-artifact@v3
  232. with:
  233. name: msi
  234. path: dist/win/bundle/resources
  235. - name: Strip version info from msi file name
  236. run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
  237. - uses: actions/setup-java@v3
  238. with:
  239. distribution: ${{ env.JAVA_DIST }}
  240. java-version: ${{ env.JAVA_VERSION }}
  241. check-latest: true
  242. cache: 'maven'
  243. - name: Generate license for exe
  244. run: >
  245. mvn -B license:add-third-party
  246. "-Dlicense.thirdPartyFilename=license.rtf"
  247. "-Dlicense.fileTemplate=dist/win/bundle/resources/licenseTemplate.ftl"
  248. "-Dlicense.outputDirectory=dist/win/bundle/resources"
  249. "-Dlicense.includedScopes=compile"
  250. "-Dlicense.excludedGroups=^org\.cryptomator"
  251. "-Dlicense.failOnMissing=true"
  252. "-Dlicense.licenseMergesUrl=file:///${{ github.workspace }}/license/merges"
  253. shell: pwsh
  254. - name: Download WinFsp
  255. run: |
  256. $winfspUrl = (Select-String -Path ".\dist\win\bundle\resources\winFspMetaData.wxi" -Pattern '<\?define BundledWinFspDownloadLink="(.+)".*?>').Matches.Groups[1].Value
  257. curl --output dist/win/bundle/resources/winfsp.msi -L $winfspUrl
  258. shell: pwsh
  259. - name: Compile to wixObj file
  260. run: >
  261. "${WIX}/bin/candle.exe" dist/win/bundle/bundleWithWinfsp.wxs
  262. -ext WixBalExtension
  263. -ext WixUtilExtension
  264. -out dist/win/bundle/
  265. -dBundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
  266. -dBundleVendor="Skymatic GmbH"
  267. -dBundleCopyright="(C) 2016 - 2023 Skymatic GmbH"
  268. -dAboutUrl="https://cryptomator.org"
  269. -dHelpUrl="https://cryptomator.org/contact"
  270. -dUpdateUrl="https://cryptomator.org/downloads/"
  271. - name: Create executable with linker
  272. run: >
  273. "${WIX}/bin/light.exe" -b dist/win/ dist/win/bundle/bundleWithWinfsp.wixobj
  274. -ext WixBalExtension
  275. -ext WixUtilExtension
  276. -out installer/unsigned/Cryptomator-Installer.exe
  277. - name: Detach burn engine in preparation to sign
  278. run: >
  279. "${WIX}/bin/insignia.exe"
  280. -ib installer/unsigned/Cryptomator-Installer.exe
  281. -o tmp/engine.exe
  282. - name: Codesign burn engine
  283. uses: skymatic/code-sign-action@v2
  284. with:
  285. certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
  286. password: ${{ secrets.WIN_CODESIGN_P12_PW }}
  287. certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
  288. description: Cryptomator Installer
  289. timestampUrl: 'http://timestamp.digicert.com'
  290. folder: tmp
  291. - name: Reattach signed burn engine to installer
  292. run : >
  293. "${WIX}/bin/insignia.exe"
  294. -ab tmp/engine.exe installer/unsigned/Cryptomator-Installer.exe
  295. -o installer/Cryptomator-Installer.exe
  296. - name: Codesign EXE
  297. uses: skymatic/code-sign-action@v2
  298. with:
  299. certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
  300. password: ${{ secrets.WIN_CODESIGN_P12_PW }}
  301. certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
  302. description: Cryptomator Installer
  303. timestampUrl: 'http://timestamp.digicert.com'
  304. folder: installer
  305. - name: Add possible alpha/beta tags to installer name
  306. run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-x64.exe
  307. - name: Create detached GPG signature with key 615D449FE6E6A235
  308. run: |
  309. echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
  310. echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a Cryptomator-*.exe
  311. env:
  312. GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
  313. GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
  314. - name: Upload artifacts
  315. uses: actions/upload-artifact@v3
  316. with:
  317. name: exe
  318. path: |
  319. Cryptomator-*.exe
  320. Cryptomator-*.asc
  321. if-no-files-found: error
  322. - name: Publish .msi on GitHub Releases
  323. if: startsWith(github.ref, 'refs/tags/')
  324. uses: softprops/action-gh-release@v1
  325. with:
  326. fail_on_unmatched_files: true
  327. token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
  328. files: |
  329. Cryptomator-*.exe
  330. Cryptomator-*.asc
  331. allowlist:
  332. name: Anti Virus Allowlisting
  333. if: startsWith(github.ref, 'refs/tags/')
  334. runs-on: ubuntu-latest
  335. needs: [build-msi, build-exe]
  336. steps:
  337. - name: Download .msi
  338. uses: actions/download-artifact@v3
  339. with:
  340. name: msi
  341. path: msi
  342. - name: Download .exe
  343. uses: actions/download-artifact@v3
  344. with:
  345. name: exe
  346. path: exe
  347. - name: Collect files
  348. run: |
  349. mkdir files
  350. cp msi/*.msi files
  351. cp exe/*.exe files
  352. - name: Upload to Kaspersky
  353. uses: SamKirkland/FTP-Deploy-Action@v4.3.4
  354. with:
  355. protocol: ftps
  356. server: allowlist.kaspersky-labs.com
  357. port: 990
  358. username: ${{ secrets.ALLOWLIST_KASPERSKY_USERNAME }}
  359. password: ${{ secrets.ALLOWLIST_KASPERSKY_PASSWORD }}
  360. local-dir: files/
  361. - name: Upload to Avast
  362. uses: SamKirkland/FTP-Deploy-Action@v4.3.4
  363. with:
  364. protocol: ftp
  365. server: whitelisting.avast.com
  366. port: 21
  367. username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
  368. password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
  369. local-dir: files/