Build and sign Defguard client without wireguard binary

.github/workflows/release.yaml

@@ -206,6 +206,42 @@ jobs:
           asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
           asset_content_type: application/octet-stream
 
+  apt-sign:
+    needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) 
+      - build-linux
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Sign APT repository
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+          export AWS_REGION=eu-north-1
+          sudo apt update -y
+          sudo apt install -y awscli curl jq
+
+          for DIST in trixie bookworm; do
+            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
+
+            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+              -F "file=@Release" \
+              -o response.json
+
+            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+
+            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+            aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
+            aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
+          done
+
   update-aur:
     needs:
       - create-release
@@ -273,6 +309,7 @@ jobs:
           sudo -u builduser git push
           cat PKGBUILD
           cat .SRCINFO
+
   build-macos:
     needs:
       - create-release
@@ -350,13 +387,7 @@ jobs:
           asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
           asset_content_type: application/octet-stream
 
-  # Building signed Windows bundle involves a few steps as described here:
-  # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
-  # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
-  # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
-  # 3. Sign the burn engine (Linux)
-  # 4. Reattach the burn engine back to the bundle (Windows again)
-  # 5. Sign the whole bundle (Linux)
+  # Builds Windows MSI and uploads it as artifact
   build-windows:
     needs:
       - create-release
@@ -370,7 +401,7 @@ jobs:
           $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
           echo Version: $env:VERSION
           echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "22"
       - uses: pnpm/action-setup@v4
@@ -391,7 +422,7 @@ jobs:
         run: pnpm install --frozen-lockfile
       - uses: dtolnay/rust-toolchain@stable
       - name: Install Protoc
-        uses: arduino/setup-protoc@v2
+        uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove "default-run" line from Cargo.toml
@@ -401,68 +432,17 @@ jobs:
         uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Bundle application
-        run: |
-          dotnet tool install --global wix --version 4.0.5
-          wix extension add WixToolset.Bal.wixext/4
-          wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
-          wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
-      - name: Upload unsigned bundle and burn-engine
+      - name: Upload unsigned bundle
         uses: actions/upload-artifact@v4
         with:
-          name: unsigned-bundle-and-burnengine
-          path: |
-            src-tauri/resources-windows/defguard-client.exe
-            src-tauri/resources-windows/burnengine.exe
-  sign-burn-engine:
-    needs:
-      - build-windows
-    runs-on:
-      - self-hosted
-      - Linux
-      - X64
-    steps:
-      - name: Write release version
-        run: |
-          VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
-          echo Version: $VERSION
-          echo "VERSION=$VERSION" >> ${GITHUB_ENV}
-      - name: Download unsigned bundle & burn-engine
-        uses: actions/download-artifact@v4
-        with:
-          name: unsigned-bundle-and-burnengine
-      - name: Sign burn-engine
-        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
-      - name: Upload bundle and burn-engine artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: unsigned-bundle-and-signed-burnengine
-          path: |
-            defguard-client.exe
-            burnengine-signed.exe
-  reattach-burn-engine:
-    needs:
-      - sign-burn-engine
-    runs-on: windows-latest
-    steps:
-      - name: Download unsigned bundle and signed burn-engine
-        uses: actions/download-artifact@v4
-        with:
-          name: unsigned-bundle-and-signed-burnengine
-      - name: Reattach burn-engine
-        run: |
-          dotnet tool install --global wix --version 4.0.5
-          wix extension add WixToolset.Bal.wixext/4
-          wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
-      - name: Upload bundle with reattached burn-engine
-        uses: actions/upload-artifact@v4
-        with:
-          name: unsigned-bundle-with-reattached-signed-burn-engine
-          path: defguard-client-reattached.exe
+          name: unsigned-bundle
+          path: src-tauri/target/release/bundle/msi/defguard-client_${{ env.VERSION }}_x64_en-US.msi
+
+  # Signs the MSI and uploads it as release asset
   sign-bundle:
     needs:
       - create-release
-      - reattach-burn-engine
+      - build-windows
     runs-on:
       - self-hosted
       - Linux
@@ -473,53 +453,19 @@ jobs:
           VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> ${GITHUB_ENV}
-      - name: Download unsigned bundle & signed burn-engine
+      - name: Download unsigned bundle
         uses: actions/download-artifact@v4
         with:
-          name: unsigned-bundle-with-reattached-signed-burn-engine
+          name: unsigned-bundle
       - name: Sign bundle
-        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client_${{ env.VERSION }}_x64_en-US.msi -out defguard-client-signed.msi
       - name: Upload installer asset
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-client-signed.exe
-          asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
+          asset_path: defguard-client-signed.msi
+          asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.msi
           asset_content_type: application/octet-stream
-  apt-sign:
-    needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) 
-      - build-linux
-    runs-on:
-      - self-hosted
-      - Linux
-      - X64
-    strategy:
-      fail-fast: false
-    steps:
-      - name: Sign APT repository
-        run: |
-          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
-          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
-          export AWS_REGION=eu-north-1
-          sudo apt update -y
-          sudo apt install -y awscli curl jq
-
-          for DIST in trixie bookworm; do
-            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
-
-            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
-              -F "file=@Release" \
-              -o response.json
-
-            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
-            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
-
-            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
-            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
 
-            aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
-            aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
-          done

nix/package.nix

@@ -8,7 +8,7 @@
   makeDesktopItem,
 }: let
   pname = "defguard-client";
-  version = "1.5.2"; # TODO: Get this from Cargo.toml or git
+  version = "1.6.0"; # TODO: Get this from Cargo.toml or git
 
   desktopItem = makeDesktopItem {
     name = pname;

package.json

@@ -1,7 +1,7 @@
 {
   "name": "defguard-client",
   "private": false,
-  "version": "1.5.2",
+  "version": "1.6.0",
   "type": "module",
   "scripts": {
     "dev": "npm-run-all --parallel vite typesafe-i18n",