Reproducible builds (#8)

* Implemented reproducible builds

* Updated build scripts

* Documented AV false positives

* Update README.md

* Update release.yml

* Build action drafts checksums

* Update release.yml

* build.ps1 output utf8

Authored-by: Nathan Beals <ndbeals@users.noreply.github.com>

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v2
       with:
-        go-version: ^1.14
+        go-version: ^1.16
       id: go
 
     - name: Check out code into the Go module directory
@@ -30,9 +30,15 @@ jobs:
     - name: Release Build
       run: .\build.ps1 -release -ver ${{ github.event.inputs.releaseVersion }}
       shell: powershell
-
-    - name: Upload Artifacts
-      uses: actions/upload-artifact@v2
+
+    - name: Upload checksums
+      uses: actions/upload-artifact@v2.2.2
+      with:
+        name: checksums
+        path: checksums.md
+
+    - name: Upload Binaries
+      uses: actions/upload-artifact@v2.2.2
       with:
         name: release
         path: release/
@@ -43,46 +49,37 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: Download Artifacts
+    - name: Download Binaries
       uses: actions/download-artifact@v2
       with:
         name: release
+
+    - name: Download Checksums
+      uses: actions/download-artifact@v2.0.8
+      with:
+        name: checksums
 
     - name: Build Changelog
       id: build_changelog
       uses: heinrichreimer/github-changelog-generator-action@v2.1.1
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         sinceTag: ${{ github.events.inputs.prevVersion }}
-
-    - name: Create Release
-      id: create_release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Merge Body
+      run: |
+        echo "${{ steps.build_changelog.outputs.changelog}}" > changelog.md
+        cat checksums.md >> changelog.md
+        
+    - name: Release
+      uses: softprops/action-gh-release@v1
       with:
-        release_name: Release ${{ github.event.inputs.releaseVersion }}
-        tag_name: ${{ github.event.inputs.releaseVersion }}
-        body: ${{ steps.build_changelog.outputs.changelog}}
+        body_path: changelog.md
         draft: true
-        prerelease: false
-
-    - name: Upload Release Asset x64
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: winssh-pageant-${{ github.event.inputs.releaseVersion }}_amd64.zip
-        asset_name: winssh-pageant-${{ github.event.inputs.releaseVersion }}_amd64.zip
-        asset_content_type: application/zip
-
-    - name: Upload Release Asset x86
-      uses: actions/upload-release-asset@v1
+        name: Release ${{ github.event.inputs.releaseVersion }}
+        tag_name: ${{ github.event.inputs.releaseVersion }}
+        files: |
+          winssh-pageant-${{ github.event.inputs.releaseVersion }}_amd64.zip
+          winssh-pageant-${{ github.event.inputs.releaseVersion }}_386.zip
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create_release.outputs.upload_url }}
-        asset_path: winssh-pageant-${{ github.event.inputs.releaseVersion }}_386.zip
-        asset_name: winssh-pageant-${{ github.event.inputs.releaseVersion }}_386.zip
-        asset_content_type: application/zip
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -40,6 +40,11 @@ Until I decide on a better way to do this, you can auto-start this program by cr
 5. Locate and select the `winssh-pageant.exe` executable
 6. Finish and run the task (or otherwise log out and back in)
 
+### Antivirus Flagging
+Your antivirus software may flag this as malware, It's a false positive and a known quirk with go binaries (https://golang.org/doc/faq#virus). The official releases use reproducible builds via `-trimpath`. The expected checksums are posted with the release they're meant for, some users may choose to build this project themself and confirm the checksums, `sha256sum`.
+
+More information can be found here: https://github.com/ndbeals/winssh-pageant/issues/7#issuecomment-787520972
+
 
 ## Bug Reporting, Help & Feature Requests
 Please put report all

build.ps1

@@ -37,31 +37,42 @@ if ($Release)
     Copy-Item LICENSE $outDir
 
     Remove-Item -LiteralPath $ReleasePath -ErrorAction SilentlyContinue
+
+    Write-Output "
+## Checksums
+| Architecture | Checksum |
+|---|---|" | Out-File -FilePath checksums.md -Encoding utf8 
 }
+
 # Build for each architecture
 Foreach ($arch in $Architectures)
 {
     $env:GOARCH=$arch
 
     if ($Release)
     {        
-        go build -ldflags -H=windowsgui -o $outDir\winssh-pageant.exe
+        go build -ldflags -H=windowsgui -trimpath -o $outDir\winssh-pageant.exe
         if ($LastExitCode -ne 0) { $returnValue = $LastExitCode }
-        # Remove-Item -LiteralPath $ReleasePath -ErrorAction SilentlyContinue
         Compress-Archive -Path $outDir\* -DestinationPath $releaseDir\$ReleasePath-${ver}_$arch.zip -Force
+
+        $hash = (Get-FileHash $outDir\winssh-pageant.exe).Hash 
+        Write-Output "| $arch | $hash |" | Out-File -FilePath checksums.md -Encoding utf8 -Append
 
         Remove-Item -LiteralPath $outDir\winssh-pageant.exe
     } else {
-        go build -ldflags -H=windowsgui -o $outDir\winssh-pageant-$arch.exe
+        go build -ldflags -H=windowsgui -trimpath -o $outDir\winssh-pageant-$arch.exe
     }
 }
 
-
 # Restore env vars
 $env:GOOS = $oldGOOS
 $env:GOARCH = $oldGOARCH
 
 # Cleanup
-Remove-Item -LiteralPath $BuildPath -Force -Recurse -ErrorAction SilentlyContinue
+if ($Release)
+{
+    Write-Output "" | Out-File -FilePath checksums.md -Encoding utf8 -Append
+    Remove-Item -LiteralPath $BuildPath -Force -Recurse -ErrorAction SilentlyContinue
+}
 
 exit $returnValue