Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build: change nosign flag to sign and flip the logic #10156

Closed
wants to merge 1 commit into from
Closed

build: change nosign flag to sign and flip the logic #10156

wants to merge 1 commit into from

Conversation

JoeDoyle23
Copy link
Member

Checklist
  • make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
  • commit message follows commit guidelines
Affected core subsystem(s)

build

Description of change

Makes the default build on Windows not try to sign the node.exe
binary after a build. Instead the 'sign' flag now indicates that the
binary should be signed. The 'nosign' flag is left as a noop.

This is a common stumbling block for new users compiling Node on Windows. If the nosign flag is left off any vcbuild.bat command, they see what appears to be an error with the build. Seeing as the only time node.exe gets signed is for official builds, it makes more sense to default to not trying to sign the binary and to flip the flag to indicate when it should be attempted.

If accepted, this change will require the Windows build process to be adjusted to include the sign flag when calling vcbuild.bat.

@jasnell
Copy link
Member

jasnell commented Dec 6, 2016

@nodejs/platform-windows @nodejs/build

@seishun
Copy link
Contributor

seishun commented Dec 6, 2016

Oh, yes, finally.

Copy link
Contributor

@seishun seishun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but need input from someone more familiar with batch scripts.

@jbergstroem
Copy link
Member

Makes sense. Is this major seeing how it changes default behavior? This is usually when @bnoordhuis joins and sets me straight.

@richardlau
Copy link
Member

Perhaps sign should be enabled for build-release (is that what the release builds on the CI use)?

@seishun
Copy link
Contributor

seishun commented Dec 6, 2016

Perhaps sign should be enabled for build-release (is that what the release builds on the CI use)?

I don't think so, contributors need to build release for tests.

@richardlau
Copy link
Member

I specifically meant the build-release argument, not the release argument.

@mscdex mscdex added the build Issues and PRs related to build files or the CI. label Dec 6, 2016
@mscdex mscdex added the windows Issues and PRs related to the Windows platform. label Dec 6, 2016
@seishun
Copy link
Contributor

seishun commented Dec 7, 2016

Ah, sorry about it. I don't see where build-release is used in the batch script though.

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also update BUILDING.md?

Regarding semver-major: grey area. This change would break third-party build farms but we don't make any real commitments w.r.t. the stability of our build tools.

If I had to make the call, I'd play it safe and make it semver-major as it's not a critical bug fix.

@cjihrig
Copy link
Contributor

cjihrig commented Dec 7, 2016

It looks like the pull request template needs to be updated too.

+1 to semver major to be safe.

@@ -98,13 +98,13 @@ Prerequisites:
and tools which can be included in the global `PATH`.

```console
> .\vcbuild nosign
> vcbuild
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing .\ is undoing part of #8704 -- Is this intentional?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From memory I think the .\ was added for compatibility with PowerShell.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PowerShell... yup, unintentional,reverted.

@richardlau
Copy link
Member

richardlau commented Dec 7, 2016

@seishun build-release turns on some flags, currently:

if defined build_release (
  set config=Release
  set package=1
  set msi=1
  set licensertf=1
  set download_arg="--download=all"
  set i18n_arg=small-icu
)

(Note this block is only executed for vcbuild build-release and not for vcbuild release). I'm suggesting sign should be set in this block, as I think (need someone from the build/release team to confirm) that build-release is used in the release jobs on Jenkins.

@JoeDoyle23
Copy link
Member Author

@richardlau Yes, I think I missed adding it there. Updated.

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with the final nit that the status line of the commit log is just over the 50 character limit.

@JoeDoyle23
Copy link
Member Author

Sorry about that. I tried to trim it up to be under 50. I guess I could have dropped the last the.

Copy link
Contributor

@bzoz bzoz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As already mentioned by @cjihrig https://github.com/nodejs/node/blob/master/.github/PULL_REQUEST_TEMPLATE.md should be updated to.

Other than that LGTM! Can't wait for this to land!

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gibfahn
Copy link
Member

gibfahn commented Dec 8, 2016

I guess it'd be good to get a review from someone in @nodejs/release , particularly for #10156 (comment)

Copy link
Contributor

@cjihrig cjihrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but this needs to be rebased. Could you squash the commits while you're at it?

@JoeDoyle23
Copy link
Member Author

@cjihrig Done!

@joaocgreis
Copy link
Member

@JoeDoyle23 sorry for joining the party so late. Your change to set sign by default in build-release looks good, it should not break our release process this way. I would still like vcbuild build-release nosign to work, as it's useful to test locally. Something like:

diff --git a/vcbuild.bat b/vcbuild.bat
index 3a6827c..bc578c8 100644
--- a/vcbuild.bat
+++ b/vcbuild.bat
@@ -51,7 +51,7 @@ if /i "%1"=="x64"           set target_arch=x64&goto arg-ok
 if /i "%1"=="vc2015"        set target_env=vc2015&goto arg-ok
 if /i "%1"=="noprojgen"     set noprojgen=1&goto arg-ok
 if /i "%1"=="nobuild"       set nobuild=1&goto arg-ok
-if /i "%1"=="nosign"        goto arg-ok
+if /i "%1"=="nosign"        set "sign="&goto arg-ok
 if /i "%1"=="sign"          set sign=1&goto arg-ok
 if /i "%1"=="nosnapshot"    set nosnapshot=1&goto arg-ok
 if /i "%1"=="noetw"         set noetw=1&goto arg-ok
@@ -73,7 +73,7 @@ if /i "%1"=="jslint"        set jslint=1&goto arg-ok
 if /i "%1"=="jslint-ci"     set jslint_ci=1&goto arg-ok
 if /i "%1"=="package"       set package=1&goto arg-ok
 if /i "%1"=="msi"           set msi=1&set licensertf=1&set download_arg="--download=all"&set i18n_arg=small-icu&goto arg-ok
-if /i "%1"=="build-release" set build_release=1&goto arg-ok
+if /i "%1"=="build-release" set build_release=1&set sign=1&goto arg-ok
 if /i "%1"=="upload"        set upload=1&goto arg-ok
 if /i "%1"=="small-icu"     set i18n_arg=%1&goto arg-ok
 if /i "%1"=="full-icu"      set i18n_arg=%1&goto arg-ok
@@ -97,7 +97,6 @@ goto next-arg
 if defined build_release (
   set config=Release
   set package=1
-  set sign=1
   set msi=1
   set licensertf=1
   set download_arg="--download=all"

That requires nosign to be after build-release but we already live with that for other parameters.

To be careful, I'd like to make a test build before this lands. I'll start it when my comment above is included or rejected if that's the case. Thanks!

@JoeDoyle23
Copy link
Member Author

@joaocgreis I didn't have much insight into all the ways build-release was used. I think your use case makes perfect sense to add back in.

@joaocgreis
Copy link
Member

Test build: https://nodejs.org/download/test/v8.0.0-test201612141edf886649/ (should be exactly the same as without the changes here, it just proves that there is no problem with the release scripts).

LGTM

@JoeDoyle23 Looks like there are still conflicts, can you please rebase again so we can start a CI run?

Makes the default build on Windows not try to sign the node.exe
binary after a build. Instead the 'sign' flag now indicates that the
binary should be signed. The 'nosign' flag is left as a noop.
@JoeDoyle23 JoeDoyle23 reopened this Dec 14, 2016
@joaocgreis
Copy link
Member

CI: https://ci.nodejs.org/job/node-test-pull-request/5407/ (freebsd failure unrelated to this)

Regarding semver, an ill configured 3rd party release farm could indeed start releasing unsigned binaries because of this. It pains me, but I'll add the label. Why did the @nodejs-github-bot add the dont-land-on-v7.x and watch labels? (cc @nodejs/github-bot )

I can land this tomorrow if there are no objections.

@joaocgreis joaocgreis added the semver-major PRs that contain breaking changes and should be released in the next major version. label Dec 15, 2016
@gibfahn
Copy link
Member

gibfahn commented Dec 15, 2016

Regarding semver, an ill configured 3rd party release farm could indeed start releasing unsigned binaries because of this. It pains me, but I'll add the label.

😭 , but agreed

joaocgreis pushed a commit that referenced this pull request Dec 18, 2016
Makes the default build on Windows not try to sign the node.exe
binary after a build. Instead the 'sign' flag now indicates that the
binary should be signed. The 'nosign' flag is left as a noop.

Reviewed-By: Nikolai Vavilov <vvnicholas@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Bartosz Sosnowski <bartosz@janeasystems.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: #10156
@joaocgreis
Copy link
Member

Landed in 92ed1ab

@JoeDoyle23 thanks!

@joaocgreis joaocgreis closed this Dec 18, 2016
italoacasas pushed a commit to italoacasas/node that referenced this pull request Jan 18, 2017
Makes the default build on Windows not try to sign the node.exe
binary after a build. Instead the 'sign' flag now indicates that the
binary should be signed. The 'nosign' flag is left as a noop.

Reviewed-By: Nikolai Vavilov <vvnicholas@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Bartosz Sosnowski <bartosz@janeasystems.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: nodejs#10156
@jasnell jasnell mentioned this pull request Apr 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. semver-major PRs that contain breaking changes and should be released in the next major version. windows Issues and PRs related to the Windows platform.
Projects
None yet
Development

Successfully merging this pull request may close these issues.