Provide codesigned stub exe's #13721
Conversation
29cacdc to
0734113
Compare
CodSpeed Performance ReportMerging #13721 will degrade performances by 66.63%Comparing Summary
Benchmarks breakdown
|
b291430 to
09fd036
Compare
3bad5c6 to
fc341d6
Compare
fc341d6 to
11729f6
Compare
jezdez
left a comment
There was a problem hiding this comment.
Some comments that we need to answer before merging
| # Common installation directories where signtool might be located | ||
| common_paths = [ | ||
| "C:\\Program Files (x86)\\Windows Kits\\10\\bin", | ||
| "C:\\Program Files\\Windows Kits\\10\\bin", | ||
| "C:\\Windows\\System32", | ||
| ] | ||
|
|
||
| signtool_path = None | ||
| # Search for signtool in common paths | ||
| for path in common_paths: | ||
| if signtool_path: | ||
| # We found one already | ||
| return signtool_path | ||
| if not os.path.exists(path): | ||
| continue | ||
| signtool_path = os.path.join(path, "signtool.exe") | ||
| if os.path.exists(signtool_path): | ||
| return signtool_path | ||
| elif "Windows Kits" in path: | ||
| signtool_path = None | ||
| max_version = 0 | ||
| for dirname in os.listdir(path): | ||
| # Use most recent signtool version | ||
| if not dirname.endswith(".0"): | ||
| continue # next dirname | ||
| if int(dirname.replace(".", "")) < max_version: | ||
| continue # next dirname | ||
|
|
||
| maybe_signtool_path = os.path.join(path, dirname, "x64", "signtool.exe") | ||
| if os.path.exists(maybe_signtool_path): | ||
| signtool_path = maybe_signtool_path | ||
| return signtool_path |
There was a problem hiding this comment.
This looks way too complicated for discovering signtool, why is shutil.which not enough? Could we just pass the list of additional paths as the path parameter of shutil.which?
Also, I'm curios, have you taken this code from somewhere given how specific this is about discovering the most recent version? Where does this case happen?
There was a problem hiding this comment.
I took some slight inspiration from https://github.com/Azure/azure-code-signing-action.
which isn't enough because on these images we do not have this in the PATH by default, due to the multiple SDKs that github installs. We could in theory use the path parameter but the version of windows SDK's does vary from system to system and I wanted to prefer what is already set in the path and not override it.
The version info comparison is explicitly so we always take the most recent among whatever sdk is installed
I've also seen evidence, via googling that "C:\\Program Files\\Windows Kits\\10\\bin" and "C:\\Windows\\System32" may contain signtool in some circulstances, so I wrote this additionally so that it is more likely to succeed on local developer systems.
| @pytest.mark.skipif(signtool_unsupported(), reason=signtool_unsupported_because()) | ||
| @pytest.mark.parametrize("stub_file_name", ["cli-32.exe", "cli-64.exe"]) | ||
| def test_stub_exe_signatures(stub_file_name: str) -> None: | ||
| """Verify that signtool verifies the signature of the stub exes""" |
There was a problem hiding this comment.
To clarify, the purpose is to verify that the built stubs are passing? In what situation wouldn't that be the case?
There was a problem hiding this comment.
This is to verify that the pre-built stubs are signed with a valid (chains to windows root) signature. This wouldn't be the case if someone went to refresh the exe's and didn't sign them.
The test is so that we don't get surprised down the line by someone updating the binaries and not having had them signed prior to the PR.
There was a problem hiding this comment.
It'd be important to document how these files were created.
There was a problem hiding this comment.
From my prior research these were created from https://github.com/conda/conda-build/tree/main/conda_build/launcher_sources - For my use-case here I did not rebuild what we've already been shipping for ages and merely took the existing binaries and signed them.
We likely will want to rebuild these in the future, and have stricter provenance guarantees around those binaries -- not to mention the upstream changes those sources have incurred since the last binary updates https://github.com/python/cpython/compare/main/PC/launcher.c -- and additionally since python3.7 there is now a launcher2 in upstream sources: https://github.com/python/cpython/blob/main/PC/launcher2.c
|
Retargeted at the release branch since we plan to do a 24.3.1 release with these changes. |
1170bde to
9cd35fd
Compare
|
@Callek Hmm, the rebasing didn't properly reduce the changes to what you had planned, could you rebase on top of 24.3.x please? |
Sure, I'll do that within the hour |
Co-authored-by: Bianca Henderson <beeankha@gmail.com>
9cd35fd to
0434968
Compare
...and Done |
|
The performance regressions are odd, @Callek any idea what that could be? |
Really odd if this affected performance... it didn't error on my initial pr. Maybe it's comparing against the wrong base? |
EDIT: I didn't think it had a performance issue in initial PR... But now that I'm looking it may have Taking one of the simpler tests This would be using the new binaries for stubs... Secondly the CodSpeed is showing a diff in call stacks between the base and head commits, which is puzzling a bit:
In All the regressed tests it seems to be adding a new @jezdez how should I proceed? EDIT: most regressions seem to be < 1 second added... so maybe it relates to Windows running their certificate verification code under the hood (I'm unsure) |
|
Sorry for additional noise, but looks like we're only running benchmarks on py3.12 on linux so I'd have ZERO idea why this could be impactful here... and even posit that this change is mere noise-in-the-machine |
| return bool(signtool_unsupported_because()) | ||
|
|
||
|
|
||
| @pytest.mark.skipif(signtool_unsupported(), reason=signtool_unsupported_because()) |
There was a problem hiding this comment.
Let's see if inlining this skipping into the test may prevent the tests to degrade performance wise
|
As proven by the test PR #13787 the performance degradation seems to be something entirely different, or just a branch targeting issue in Codspeed. Let's merge this as-is. |
* Add missing news for #13653 (#13711) * add missing news for #13653 * Provide codesigned stub exe's (#13721) Co-authored-by: Bianca Henderson <beeankha@gmail.com> * Changelog 24.4.0 (#13847) * Update .authors.yml * Update .mailmap * Update news * Updated authorship for 24.4.0 * Updated CHANGELOG for 24.4.0 * Add first-time contributions * Disable anaconda-anon-usage for CI. (#13803) (#13848) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * Fix `pluggy 1.5.0` failure in tests (#13838) (#13849) Co-authored-by: Ken Odegard <kodegard@anaconda.com> * Bump conda-incubator/setup-miniconda in /.github/workflows (#13855) Bumps [conda-incubator/setup-miniconda](https://github.com/conda-incubator/setup-miniconda) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/conda-incubator/setup-miniconda/releases) - [Changelog](https://github.com/conda-incubator/setup-miniconda/blob/main/CHANGELOG.md) - [Commits](conda-incubator/setup-miniconda@0301788...a426040) --- updated-dependencies: - dependency-name: conda-incubator/setup-miniconda dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 in /.github/workflows (#13856) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.4 to 6.0.5. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@9153d83...6d6857d) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * 🔄 synced file(s) with conda/infrastructure (#13857) Co-authored-by: Conda Bot <conda-bot@users.noreply.github.com> * Explicitly use macos-13 for macOS Intel runners (#13836) * Bump conda/actions from 24.2.0 to 24.4.0 in /.github/workflows (#13858) Bumps [conda/actions](https://github.com/conda/actions) from 24.2.0 to 24.4.0. - [Release notes](https://github.com/conda/actions/releases) - [Commits](conda/actions@f46142e...1e442e0) --- updated-dependencies: - dependency-name: conda/actions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump conda/actions from 24.2.0 to 24.4.0 in /.github/workflows (#13859) Bumps [conda/actions](https://github.com/conda/actions) from 24.2.0 to 24.4.0. - [Release notes](https://github.com/conda/actions/releases) - [Commits](conda/actions@f46142e...1e442e0) Refs #13858. --- updated-dependencies: - dependency-name: conda/actions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Explicitly use macos-13 for macOS Intel runners (#13836) * Add arm64 review builds (#13845) * Fix `conda env create/update --json` regression (#13860) * Add test to check json output when creating envs with yaml file * Add environment_with_pip.yml * Reformat test, change import --------- Co-authored-by: Ken Odegard <kodegard@anaconda.com> * Pass CODECOV_TOKEN to codecov GitHub Action step. (#13867) * Update test durations (#13873) * [pre-commit.ci] pre-commit autoupdate (#13876) * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/astral-sh/ruff-pre-commit: v0.3.7 → v0.4.2](astral-sh/ruff-pre-commit@v0.3.7...v0.4.2) * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Enable ruff --unsafe-fixes * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Disable ruff --unsafe-fixes again * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Daniel Bast <2790401+dbast@users.noreply.github.com> * Bump CodSpeedHQ/action from 2.3.1 to 2.4.0 in /.github/workflows (#13875) * Bump CodSpeedHQ/action from 2.3.1 to 2.4.0 in /.github/workflows Bumps [CodSpeedHQ/action](https://github.com/codspeedhq/action) from 2.3.1 to 2.4.0. - [Release notes](https://github.com/codspeedhq/action/releases) - [Changelog](https://github.com/CodSpeedHQ/action/blob/main/CHANGELOG.md) - [Commits](CodSpeedHQ/action@aa99394...ac302de) --- updated-dependencies: - dependency-name: CodSpeedHQ/action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Update .github/workflows/tests.yml --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ken Odegard <kodegard@anaconda.com> * Small typo fix (#13877) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Daniel Holth <dholth@anaconda.com> Co-authored-by: Justin Wood (Callek) <callek@gmail.com> Co-authored-by: Bianca Henderson <beeankha@gmail.com> Co-authored-by: Jannis Leidel <jannis@leidel.info> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Ken Odegard <kodegard@anaconda.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: conda-bot <18747875+conda-bot@users.noreply.github.com> Co-authored-by: Conda Bot <conda-bot@users.noreply.github.com> Co-authored-by: jaimergp <jaimergp@users.noreply.github.com> Co-authored-by: Bianca Henderson <bhenderson@anaconda.com> Co-authored-by: Daniel Bast <2790401+dbast@users.noreply.github.com> Co-authored-by: Erik Whiting <erik@erikwhiting.com>
Description
Checklist - did you ...
newsdirectory (using the template) for the next release's release notes?