Merge branch 'main' into window-size

Author: j-chmielewski

.github/workflows/release.yaml

@@ -225,6 +225,14 @@ jobs:
           asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
           asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
           asset_content_type: application/octet-stream
+
+  # Building signed windows bundle involves a few steps as described here:
+  # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+  # 1. Build defguard & bundle the binaries (defguard & wireguard) using wix (windows)
+  # 2. Detach the burn engine from the bundle so that it can be signed (also windows)
+  # 3. Sign the burn engine (linux)
+  # 4. Reattach the burn engine back to the bundle (windows again)
+  # 5. Sign the whole bundle (linux)
   build-windows:
     needs:
       - create-release
@@ -271,18 +279,70 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Bundle application
         run: |
+          # prepare wix extension
           dotnet tool install --global wix --version 4.0.5
           wix extension add WixToolset.Bal.wixext/4
+          # bundle defguard & wireguard binaries together
           wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
-      - name: Upload installer artifact
+          # detach burn engine from the bundle to be signed
+          wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+      - name: Upload unsigned bundle and burn-engine
         uses: actions/upload-artifact@v4
         with:
-          name: defguard-client.exe
-          path: src-tauri/resources-windows/defguard-client.exe
-  sign-msi:
+          name: unsigned-bundle-and-burnengine
+          path: |
+            src-tauri/resources-windows/defguard-client.exe
+            src-tauri/resources-windows/burnengine.exe
+  sign-burn-engine:
     needs:
       - build-windows
+    runs-on:
+      - self-hosted
+      - Linux
+    steps:
+      - name: Write release version
+        run: |
+          VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+          echo Version: $VERSION
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+      - name: Download unsigned bundle & burn-engine
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned-bundle-and-burnengine
+      - name: Sign burn-engine
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+      - name: Upload bundle and burn-engine artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-bundle-and-signed-burnengine
+          path: |
+            defguard-client.exe
+            burnengine-signed.exe
+  reattach-burn-engine:
+    needs:
+      - sign-burn-engine
+    runs-on: windows-latest
+    steps:
+      - name: Download unsigned bundle & signed burn-engine
+        uses: actions/download-artifact@v4
+        with:
+          name: unsigned-bundle-and-signed-burnengine
+      - name: Reattach burn-engine
+        run: |
+          # prepare wix extension
+          dotnet tool install --global wix --version 4.0.5
+          wix extension add WixToolset.Bal.wixext/4
+          # reattach burn engine to the bundle
+          wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
+      - name: Upload bundle with reattached burn-engine
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-bundle-with-reattached-signed-burn-engine
+          path: defguard-client-reattached.exe
+  sign-bundle:
+    needs:
       - create-release
+      - reattach-burn-engine
     runs-on:
       - self-hosted
       - Linux
@@ -292,13 +352,13 @@ jobs:
           VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> $GITHUB_ENV
-      - name: Download a single artifact
+      - name: Download unsigned bundle & signed burn-engine
         uses: actions/download-artifact@v4
         with:
-          name: defguard-client.exe
-      - name: Sign MSI
-        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client.exe -out defguard-client-signed.exe
-      - name: Upload installer
+          name: unsigned-bundle-with-reattached-signed-burn-engine
+      - name: Sign bundle
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+      - name: Upload installer asset
         uses: actions/[email protected]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -25,6 +25,12 @@ To learn more about the system see our [documentation](https://defguard.gitbook.
 
 Make sure to install prerequisites from [tauri](https://tauri.app/v1/guides/getting-started/prerequisites/).
 
+### Proto submodule
+Make sure you have cloned, and up to date, proto submodule in `src-tauri/proto`
+
+### Protoc compiler
+Make sure you have [protoc](https://grpc.io/docs/protoc-installation/) available.
+
 ### Install pnpm and node deps
 
 ```bash
@@ -37,10 +43,16 @@ pnpm install
 pnpm tauri dev
 ```
 
+### Build command
+```bash
+pnpm tauri build
+```
+Built packages are available after in `src-tauri/target/release/bundle`.
+
 ### Windows
 
 Remove `default-run` line from `[package]` section in `Cargo.toml` to build the project.
 
 # Legal
 
-  - *defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.*
+  - *defguard is not an official WireGuard project, and WireGuard is a registered trademark of Jason A. Donenfeld.*