From de7ea2b6580e8626b7aa50ab93818f8d1f587b76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?= Date: Thu, 21 May 2026 07:18:31 -0400 Subject: [PATCH 1/2] Avoid blocked Rust toolchain action Replace dtolnay/rust-toolchain usage in non-release workflows with direct rustup installation steps, matching existing Devolutions workflow patterns. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/ci-unix.yml | 7 ++++--- .github/workflows/dotnet-tool.yml | 7 ++++--- .github/workflows/parity-extensions.yml | 12 ++++++++++-- .github/workflows/rust-sip-parity.yml | 10 ++++++++-- .github/workflows/windows.yml | 5 ++++- 5 files changed, 30 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-unix.yml b/.github/workflows/ci-unix.yml index bf3ff1f..d751431 100644 --- a/.github/workflows/ci-unix.yml +++ b/.github/workflows/ci-unix.yml @@ -11,9 +11,10 @@ jobs: - uses: actions/checkout@v6 - name: Install Rust stable (rustfmt, clippy) - uses: dtolnay/rust-toolchain@stable - with: - components: rustfmt, clippy + run: | + rustup toolchain install stable --profile minimal + rustup default stable + rustup component add rustfmt clippy --toolchain stable - name: rustfmt run: cargo fmt --all --check diff --git a/.github/workflows/dotnet-tool.yml b/.github/workflows/dotnet-tool.yml index d2fc9e0..25e91e5 100644 --- a/.github/workflows/dotnet-tool.yml +++ b/.github/workflows/dotnet-tool.yml @@ -56,9 +56,10 @@ jobs: uses: actions/checkout@v6 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable - with: - targets: ${{ matrix.target }} + shell: pwsh + run: | + rustup toolchain install stable --profile minimal --target "${{ matrix.target }}" + rustup default stable - name: Cache cargo artifacts uses: Swatinem/rust-cache@v2.9.1 diff --git a/.github/workflows/parity-extensions.yml b/.github/workflows/parity-extensions.yml index e067a57..d4987b0 100644 --- a/.github/workflows/parity-extensions.yml 
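Review bot: The new `rustup toolchain install stable --profile minimal` step leaves the compiler version floating, so each run picks up whatever `stable` resolves to that day and a routine Rust release can turn the `rustfmt`/`clippy` gates red with no change in this repository (the second patch in this series attributes its clippy fixes to this switch, which is consistent with a toolchain-version difference rather than a code change). Pinning the toolchain — a `rust-toolchain.toml` checked into the repo, or an explicit `rustup toolchain install <PINNED_VERSION> --profile minimal` — makes upgrades a reviewed commit and fixes the build input for reproducibility. The same floating install is repeated in the dotnet-tool.yml hunk, both parity-extensions.yml hunks, both rust-sip-parity.yml hunks and the windows.yml hunk. In this hunk the components can also be requested on the install line, `rustup toolchain install stable --profile minimal --component rustfmt,clippy`, dropping the separate `rustup component add` step.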
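Review bot: The `--target "${{ matrix.target }}"` argument in the new pwsh step interpolates a workflow expression straight into the script text. The value comes from the workflow's own matrix definition (not visible in this hunk), so this is not an injection path today, but the hardened pattern is to route it through the environment: add `env:` with `RUST_TARGET: ${{ matrix.target }}` (name illustrative) on the step and write `rustup toolchain install stable --profile minimal --target $env:RUST_TARGET`. That keeps the value out of the script body and stays safe if the matrix is later derived from event input.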
+++ b/.github/workflows/parity-extensions.yml @@ -20,7 +20,11 @@ jobs: runs-on: windows-2022 steps: - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - name: Install Rust toolchain + shell: pwsh + run: | + rustup toolchain install stable --profile minimal + rustup default stable - run: cargo build -p psign --bin psign-tool - name: Bootstrap Devolutions test PKI + pack minimal MSIX shell: pwsh @@ -45,7 +49,11 @@ jobs: runs-on: windows-2022 steps: - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable + - name: Install Rust toolchain + shell: pwsh + run: | + rustup toolchain install stable --profile minimal + rustup default stable - run: cargo build -p psign --bin psign-tool - name: Catalog verify (Rust) shell: pwsh diff --git a/.github/workflows/rust-sip-parity.yml b/.github/workflows/rust-sip-parity.yml index 9fdcdc3..654e15f 100644 --- a/.github/workflows/rust-sip-parity.yml +++ b/.github/workflows/rust-sip-parity.yml @@ -16,7 +16,10 @@ jobs: - uses: actions/checkout@v6 - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + shell: pwsh + run: | + rustup toolchain install stable --profile minimal + rustup default stable - name: CMS authenticated-attribute RS256 prehash vs embedded signature (library) run: cargo test -p psign-sip-digest --lib rsa_pkcs1v15_signed_attrs_verify --locked @@ -85,7 +88,10 @@ jobs: - uses: actions/checkout@v6 - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + shell: pwsh + run: | + rustup toolchain install stable --profile minimal + rustup default stable - name: SIP digest crate (full portable lib tests) run: cargo test -p psign-sip-digest --lib --locked diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 6291d15..7aa9e0a 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml 
@@ -14,7 +14,10 @@ jobs: - uses: actions/checkout@v6 - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + shell: pwsh + run: | + rustup toolchain install stable --profile minimal + rustup default stable - name: Build run: cargo build --workspace --all-targets From 383e0696114e4dbb92fbdb11547fa84e421906e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?= Date: Thu, 21 May 2026 09:06:01 -0400 Subject: [PATCH 2/2] Fix CI clippy failures Address clippy warnings surfaced by ci-unix after replacing the Rust toolchain action, including the portable sign-pe command variant size and follow-on lint gates. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- crates/psign-digest-cli/src/main.rs | 21 +++++++++++---------- src/portable_sign.rs | 26 ++++++++++++++------------ 2 files changed, 25 insertions(+), 22 deletions(-) diff --git a/crates/psign-digest-cli/src/main.rs b/crates/psign-digest-cli/src/main.rs index e5f3fa4..c0e3bf6 100644 --- a/crates/psign-digest-cli/src/main.rs +++ b/crates/psign-digest-cli/src/main.rs @@ -4,7 +4,7 @@ // for formats implemented in `psign-sip-digest`. This does not replace full `psign` verify. use anyhow::{Context, Result, anyhow}; -#[cfg(any(feature = "azure-kv-sign-portable", feature = "artifact-signing-rest"))] +#[cfg(feature = "azure-kv-sign-portable")] use base64::Engine as _; use clap::{Args, Parser, Subcommand, ValueEnum}; use psign_authenticode_trust::{ @@ -724,7 +724,7 @@ enum Command { #[arg(long = "azure-authority")] azure_authority: Option, #[command(flatten)] - artifact_signing: ArtifactSigningPortableOptions, + artifact_signing: Box, /// Output signed PE path. #[arg(long, value_name = "PATH")] output: PathBuf, 
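Review bot: Narrowing the `base64::Engine` import to `#[cfg(feature = "azure-kv-sign-portable")]` asserts that the `artifact-signing-rest` path no longer calls any `Engine` method, and nothing in this hunk shows that; if it still does, a build with only `artifact-signing-rest` enabled now fails to compile while the default CI feature set stays green. It is worth checking that isolated combination before relying on the narrower gate, for example `cargo check -p psign-digest-cli --no-default-features --features artifact-signing-rest` (assuming the package is named after its directory) or a small feature-matrix step. The `@@ -724` hunk's `Box` around the flattened `ArtifactSigningPortableOptions` would also read better with a one-line reason, e.g. `// Boxed so the rarely-used options do not inflate every `Command` variant (clippy::large_enum_variant).`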
@@ -1778,7 +1778,7 @@ fn parse_artifact_signing_certificates(bytes: &[u8]) -> Result<(x509_cert::Certi }; let end = end + "-----END CERTIFICATE-----".len(); certs.push( - rdp::parse_certificate(rest[..end].as_bytes()) + rdp::parse_certificate(&rest.as_bytes()[..end]) .context("parse Artifact Signing PEM certificate")?, ); rest = &rest[end..]; @@ -2344,7 +2344,7 @@ where "portable sign-pe accepts only one signing source: --cert/--key, --azure-key-vault-*, or --artifact-signing-*" )); } - let mut pkcs7 = if has_artifact { + let pkcs7 = if has_artifact { #[cfg(feature = "artifact-signing-rest")] { create_pe_authenticode_pkcs7_der_artifact_signing( @@ -2437,17 +2437,18 @@ where ) })? }; - match (timestamp_url, timestamp_digest) { + let pkcs7 = match (timestamp_url, timestamp_digest) { (Some(url), Some(timestamp_digest)) => { #[cfg(feature = "timestamp-http")] { - pkcs7 = timestamp_pkcs7_der_rfc3161(&pkcs7, &url, timestamp_digest) - .with_context(|| { + timestamp_pkcs7_der_rfc3161(&pkcs7, &url, timestamp_digest).with_context( + || { format!( "RFC3161 timestamp portable Authenticode signature for {}", path.display() ) - })?; + }, + )? } #[cfg(not(feature = "timestamp-http"))] { @@ -2467,8 +2468,8 @@ where "portable sign-pe requires --timestamp-url with --timestamp-digest" )); } - (None, None) => {} - } + (None, None) => pkcs7, + }; let signed = pe_embed::pe_append_authenticode_pkcs7_certificate(pe, &pkcs7) .with_context(|| format!("embed Authenticode signature in {}", path.display()))?; std::fs::write(&output, signed).with_context(|| format!("write {}", output.display()))?; diff --git a/src/portable_sign.rs b/src/portable_sign.rs index 1e570ac..d75f33a 100644 --- a/src/portable_sign.rs +++ b/src/portable_sign.rs 
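Review bot: The rewritten `rdp::parse_certificate(&rest.as_bytes()[..end])` drops the UTF-8 boundary check that `rest[..end]` performed, but the next context line `rest = &rest[end..];` still slices the `&str` at the same index, so the loop keeps a char-boundary precondition on `end`. That precondition holds if `end` is, as the visible `let end = end + "-----END CERTIFICATE-----".len();` suggests, the byte offset of the ASCII marker plus its ASCII length, but nothing states it. A comment on the `let end = …` line would make the invariant explicit, e.g. `// `end` is an ASCII marker offset plus an ASCII length, hence a char boundary; slicing `rest` at it cannot panic.` The enclosing `parse_artifact_signing_certificates` begins outside the hunk.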
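Review bot: With `let pkcs7 = match (timestamp_url, timestamp_digest) {` every arm must now evaluate to the signature bytes, and the `#[cfg(not(feature = "timestamp-http"))]` block of the `(Some(url), Some(timestamp_digest))` arm lies outside the hunk, so this review cannot see whether it diverges (`bail!` / `return Err(..)`) or falls through as `()`; the `@@ -2344` and `@@ -2467` hunks are the other halves of the same restructure and stand or fall with it. If that block diverges the change is sound and dropping `mut` from `pkcs7` is correct; if it yields `()` the crate no longer type-checks without `timestamp-http`, which a default-feature CI build would not surface. Running a `cargo check` with the feature set that disables `timestamp-http` alongside the default build would settle it.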
@@ -477,12 +477,13 @@ fn run_portable_sign_pe_azure_key_vault( output: &Path, args: &SignArgs, ) -> Result<()> { - let mut argv = Vec::new(); - argv.push(OsString::from("psign-tool")); - argv.push(OsString::from("sign-pe")); - argv.push(target.as_os_str().to_os_string()); - argv.push(OsString::from("--digest")); - argv.push(OsString::from(portable_digest_name(args.digest)?)); + let mut argv = vec![ + OsString::from("psign-tool"), + OsString::from("sign-pe"), + target.as_os_str().to_os_string(), + OsString::from("--digest"), + OsString::from(portable_digest_name(args.digest)?), + ]; for chain_cert in &args.additional_certs { argv.push(OsString::from("--chain-cert")); argv.push(chain_cert.as_os_str().to_os_string()); @@ -548,12 +549,13 @@ fn run_portable_sign_pe_artifact_signing( output: &Path, args: &SignArgs, ) -> Result<()> { - let mut argv = Vec::new(); - argv.push(OsString::from("psign-tool")); - argv.push(OsString::from("sign-pe")); - argv.push(target.as_os_str().to_os_string()); - argv.push(OsString::from("--digest")); - argv.push(OsString::from(portable_digest_name(args.digest)?)); + let mut argv = vec![ + OsString::from("psign-tool"), + OsString::from("sign-pe"), + target.as_os_str().to_os_string(), + OsString::from("--digest"), + OsString::from(portable_digest_name(args.digest)?), + ]; for chain_cert in &args.additional_certs { argv.push(OsString::from("--chain-cert")); argv.push(chain_cert.as_os_str().to_os_string());
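Review bot: The `vec![...]` prefix built here in `run_portable_sign_pe_azure_key_vault` is repeated verbatim in the `@@ -548` hunk for `run_portable_sign_pe_artifact_signing` (`psign-tool`, `sign-pe`, the target, `--digest`, the digest name, then the `--chain-cert` loop), so the two argv builders will drift the next time a shared option is added. Extracting the common part into one private helper keeps both invocations identical and documents the argv layout in one place; the sketch below assumes `target` is a `&Path`, which the hunk's `target.as_os_str()` suggests but does not show. Both enclosing functions start outside their hunks.
```rust
/// Common `psign-tool sign-pe` argv prefix shared by the Azure Key Vault and
/// Artifact Signing portable signers: program name, subcommand, target path,
/// `--digest <name>`, then one `--chain-cert <path>` per additional certificate.
fn portable_sign_pe_base_argv(target: &Path, args: &SignArgs) -> Result<Vec<OsString>> {
    let mut argv = vec![
        OsString::from("psign-tool"),
        OsString::from("sign-pe"),
        target.as_os_str().to_os_string(),
        OsString::from("--digest"),
        OsString::from(portable_digest_name(args.digest)?),
    ];
    for chain_cert in &args.additional_certs {
        argv.push(OsString::from("--chain-cert"));
        argv.push(chain_cert.as_os_str().to_os_string());
    }
    Ok(argv)
}

// … in run_portable_sign_pe_azure_key_vault and run_portable_sign_pe_artifact_signing:
    let mut argv = portable_sign_pe_base_argv(target, args)?;
    // … unchanged: signer-specific options appended below …
```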