diff --git a/.gitignore b/.gitignore
index 5d499192..b984a1f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,6 @@ TODO
 Xcode_12.2.xip
 .idea/
 fuzz/corpus
+result
+release_build
+release_assets
diff --git a/contrib/release/release.sh b/contrib/release/release.sh
index fc7e52e0..6d23d247 100755
--- a/contrib/release/release.sh
+++ b/contrib/release/release.sh
@@ -15,19 +15,17 @@ WINDOWS_DIR_NAME="$LIANA_PREFIX-x86_64-windows-gnu"
 WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip"
 MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin"
 MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz"
-MAC_CODESIGN="${MAC_CODESIGN:-"0"}"
-RCODESIGN_BIN="${RCODESIGN_BIN:-"$PWD/../../macos_codesigning/apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign"}"
-CODESIGN_KEY="${CODESIGN_KEY:-"$PWD/../../macos_codesigning/wizardsardine_liana.key"}"
-CODESIGN_CERT="${CODESIGN_CERT:-"$PWD/../../macos_codesigning/antoine_devid_liana_codesigning.cer"}"
-NOTARY_API_CREDS_FILE="${NOTARY_API_CREDS_FILE:-"$PWD/../../macos_codesigning/encoded_appstore_api_key.json"}"
 
 create_dir() {
-    test -d "$1" || mkdir "$1"
+    if [ -d "$1" ]; then
+        rm -rf "$1"
+    fi
+    mkdir "$1"
 }
 
 # Determine the reference time used for determinism (overridable by environment)
 export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
-export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
+export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"
 
 # We'll use a folder for the builds output and another one for the final assets.
 RELEASE_DIR="$PWD/release_assets"
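Review bot: `create_dir` now runs `rm -rf "$1"` on whatever already exists at the path, a real behaviour change from the old idempotent `test -d "$1" || mkdir "$1"`, and the function neither documents this nor checks its argument before the recursive delete. A comment such as `# Recreate $1 from scratch so artefacts of a previous run cannot leak into the release` plus a first line `: "${1:?create_dir: directory name required}"` would make the intent and the precondition explicit. Removing `--mtime` from `TAR_OPTIONS` matches the explicit `--mtime=` added to the `tar` calls later in the file, but it is worth confirming that no other tar invocation in this script, or in a tool it calls, relied on the environment-wide value for reproducibility.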
@@ -36,15 +34,17 @@ create_dir "$RELEASE_DIR"
 create_dir "$BUILD_DIR"
 
 OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh
-TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
-# Create the Linux archive and Debian binary package.
+nix build .#release
+NIX_BUILD_DIR="$(nix path-info .#release)"
+
+#Create the Linux archive and Debian binary package.
 (
     cd "$BUILD_DIR"
     create_dir "$LINUX_DIR_NAME"
     cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME"
-    tar -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
-    cp "$LINUX_ARCHIVE" "$RELEASE_DIR"
+    tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
+    mv "$LINUX_ARCHIVE" "$RELEASE_DIR"
     unzip ../contrib/release/debian/package.zip
     sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control
 
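Review bot: `NIX_BUILD_DIR="$(nix path-info .#release)"` evaluates the flake a second time right after `nix build .#release`; `NIX_BUILD_DIR="$(nix build .#release --print-out-paths)"` builds and captures the output path in one step, and `--no-link` would also make the new `result` entry in `.gitignore` unnecessary if the symlink is not used elsewhere. The rewritten comment `#Create the Linux archive and Debian binary package.` lost the space after `#` that the other section comments in this file keep. The Linux binaries on the `cp` line still come from the Guix output under `$BUILD_DIR`, while the Windows and macOS ones are taken from `$NIX_BUILD_DIR` later in the file; a one-line comment saying which builder produces which target would save the next reader from guessing.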
@@ -59,40 +59,28 @@ TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
 (
     cd "$BUILD_DIR"
     create_dir "$WINDOWS_DIR_NAME"
-    cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
+    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
     zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
-    cp "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
-    cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
+    mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
+    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
 )
 
 # Create the MacOS archive and a zipped application bundle of liana-gui.
 (
     cd "$BUILD_DIR"
     create_dir "$MAC_DIR_NAME"
-    cp "$BUILD_DIR/x86_64-apple-darwin/release/lianad" "$BUILD_DIR/x86_64-apple-darwin/release/liana-cli" "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ../README.md "$MAC_DIR_NAME"
-    tar -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
-    cp "$MAC_ARCHIVE" "$RELEASE_DIR"
+    cp "$NIX_BUILD_DIR/x86_64-apple-darwin/lianad" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-cli" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ../README.md "$MAC_DIR_NAME"
+    tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
+    mv "$MAC_ARCHIVE" "$RELEASE_DIR"
     unzip ../contrib/release/macos/Liana.app.zip
     sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
-    cp "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ./Liana.app/Contents/MacOS/Liana
-    zip -ry Liana-noncodesigned.zip Liana.app
-    cp ./Liana-noncodesigned.zip "$RELEASE_DIR/"
-
-    if [ "$MAC_CODESIGN" = "1" ]; then
-        $RCODESIGN_BIN sign --digest sha256 --code-signature-flags runtime --pem-source "$CODESIGN_KEY" --der-source "$CODESIGN_CERT" Liana.app/
-        $RCODESIGN_BIN notary-submit --max-wait-seconds 600 --api-key-path "$NOTARY_API_CREDS_FILE" --staple Liana.app
-        zip -ry Liana.zip Liana.app
-        cp ./Liana.zip "$RELEASE_DIR/"
-    fi
+    cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
+    chmod u+w ./Liana.app/Contents/MacOS/Liana
+    zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
+    mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
 )
 
-# Finally, sign all the assets
-(
-    cd "$RELEASE_DIR"
-    for asset in $(ls); do
-        gpg --detach-sign --armor "$asset"
-    done
-)
+find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
 
 set +ex
diff --git a/contrib/release/sign.sh b/contrib/release/sign.sh
new file mode 100755
index 00000000..055bef8b
--- /dev/null
+++ b/contrib/release/sign.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+
+set -e # Exit immediately if a command exits with a non-zero status
+set -x # Print commands and their arguments as they are executed
+
+VERSION="${VERSION:-"8.0"}"
+# Define the release directory
+RELEASE_DIR="$PWD/release_assets"
+RELEASE_BUILD_DIR="$PWD/release_build"
+
+# Function to perform GPG signing
+sign_with_gpg() {
+    (
+        cd "$RELEASE_DIR"
+        gpg --detach-sign --armor "shasums.txt"
+    )
+}
+
+# Function to convert a path to an absolute path
+absolute_path() {
+    local path="$1"
+    if [[ "$path" = /* ]]; then
+        echo "$path"
+    else
+        echo "$PWD/$path"
+    fi
+}
+
+# Function to perform rcodesign signing
+sign_with_rcodesign() {
+    # Ensure the correct number of arguments are provided
+    if [ "$#" -ne 3 ]; then
+        echo "Usage: $0 rcodesign "
+        exit 1
+    fi
+
+    # Assign arguments to variables
+    CODESIGN_CERT="$(absolute_path $1)"
+    CODESIGN_KEY="$(absolute_path $2)"
+    NOTARY_API_CREDS_FILE="$(absolute_path $3)"
+
+    # Verify that the provided files exist
+    if [ ! -f "$CODESIGN_CERT" ]; then
+        echo "Certificate file not found: $CODESIGN_CERT"
+        exit 1
+    fi
+
+    if [ ! -f "$CODESIGN_KEY" ]; then
+        echo "Key file not found: $CODESIGN_KEY"
+        exit 1
+    fi
+
+    if [ ! -f "$NOTARY_API_CREDS_FILE" ]; then
+        echo "API credentials file not found: $NOTARY_API_CREDS_FILE"
+        exit 1
+    fi
+
+    cd "$RELEASE_BUILD_DIR"
+    rcodesign sign \
+        --digest sha256 \
+        --code-signature-flags runtime \
+        --pem-source "$CODESIGN_KEY" \
+        --der-source "$CODESIGN_CERT" \
+        Liana.app/
+
+    rcodesign notary-submit \
+        --max-wait-seconds 600 \
+        --api-key-path "$NOTARY_API_CREDS_FILE" \
+        --staple Liana.app
+
+    zip -ry "Liana-$VERSION.zip" Liana.app
+    mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
+}
+
+if [ "$#" -lt 1 ]; then
+    echo "Usage: $0 [args...]"
+    exit 1
+fi
+
+COMMAND="$1"
+shift # Shift the arguments to access any additional parameters
+
+case "$COMMAND" in
+    gpg)
+        sign_with_gpg
+        ;;
+    rcodesign)
+        sign_with_rcodesign "$@"
+        ;;
+    *)
+        echo "Invalid command: $COMMAND"
+        echo "Usage: $0 [args...]"
+        exit 1
+        ;;
+esac
+
+# Disable debugging and exit on success
+set +ex
diff --git a/flake.nix b/flake.nix
index 9877d135..48f98a77 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,6 +81,9 @@
             mkdir -p $CARGO_ZIGBUILD_CACHE_DIR
             export CC=zigcc
             export CXX=zigc++
+
+            # rcodesign needs place to sign binary
+            export RUSTFLAGS="-C link-arg=-Wl,-headerpad_max_install_names"
           '';
 
           installPhaseCommand = ''
@@ -144,12 +147,12 @@
       };
 
       releaseShell = pkgs.mkShell {
-        buildInputs = with pkgs; [
-          zip
-          unzip
-          gnutar
-          dpkg
-          rcodesign
+        buildInputs = [
+          pkgs.zip
+          pkgs.unzip
+          pkgs.gnutar
+          pkgs.dpkg
+          pkgs.rcodesign
         ];
       };
 