nik/liana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add script contrib/release/sign.sh for signing binaries

Browse Source
This commit is contained in:
edouardparis 2024-12-03 18:41:12 +01:00
parent a2917c5bd7
commit 34e6afd543
4 changed files with 132 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -12,3 +12,6 @@ TODO
Xcode_12.2.xip Xcode_12.2.xip
.idea/ .idea/
fuzz/corpus fuzz/corpus
result
release_build
release_assets

56
contrib/release/release.sh
View File

@ -15,19 +15,17 @@ WINDOWS_DIR_NAME="$LIANA_PREFIX-x86_64-windows-gnu"
WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip" WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip"
MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin" MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin"
MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz" MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz"
MAC_CODESIGN="${MAC_CODESIGN:-"0"}"
RCODESIGN_BIN="${RCODESIGN_BIN:-"$PWD/../../macos_codesigning/apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign"}"
CODESIGN_KEY="${CODESIGN_KEY:-"$PWD/../../macos_codesigning/wizardsardine_liana.key"}"
CODESIGN_CERT="${CODESIGN_CERT:-"$PWD/../../macos_codesigning/antoine_devid_liana_codesigning.cer"}"
NOTARY_API_CREDS_FILE="${NOTARY_API_CREDS_FILE:-"$PWD/../../macos_codesigning/encoded_appstore_api_key.json"}"
create_dir() { create_dir() {
test -d "$1" || mkdir "$1" if [ -d "$1" ]; then
rm -rf "$1"
fi
mkdir "$1"
} }
# Determine the reference time used for determinism (overridable by environment) # Determine the reference time used for determinism (overridable by environment)
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}" export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name" export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"
# We'll use a folder for the builds output and another one for the final assets. # We'll use a folder for the builds output and another one for the final assets.
RELEASE_DIR="$PWD/release_assets" RELEASE_DIR="$PWD/release_assets"
@ -36,15 +34,17 @@ create_dir "$RELEASE_DIR"
create_dir "$BUILD_DIR" create_dir "$BUILD_DIR"
OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh
TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
# Create the Linux archive and Debian binary package. nix build .#release
NIX_BUILD_DIR="$(nix path-info .#release)"
#Create the Linux archive and Debian binary package.
( (
cd "$BUILD_DIR" cd "$BUILD_DIR"
create_dir "$LINUX_DIR_NAME" create_dir "$LINUX_DIR_NAME"
cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME" cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME"
tar -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME" tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
cp "$LINUX_ARCHIVE" "$RELEASE_DIR" mv "$LINUX_ARCHIVE" "$RELEASE_DIR"
unzip ../contrib/release/debian/package.zip unzip ../contrib/release/debian/package.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control
@ -59,40 +59,28 @@ TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
( (
cd "$BUILD_DIR" cd "$BUILD_DIR"
create_dir "$WINDOWS_DIR_NAME" create_dir "$WINDOWS_DIR_NAME"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME" cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME" zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
cp "$WINDOWS_ARCHIVE" "$RELEASE_DIR" mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe" cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
) )
# Create the MacOS archive and a zipped application bundle of liana-gui. # Create the MacOS archive and a zipped application bundle of liana-gui.
( (
cd "$BUILD_DIR" cd "$BUILD_DIR"
create_dir "$MAC_DIR_NAME" create_dir "$MAC_DIR_NAME"
cp "$BUILD_DIR/x86_64-apple-darwin/release/lianad" "$BUILD_DIR/x86_64-apple-darwin/release/liana-cli" "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ../README.md "$MAC_DIR_NAME" cp "$NIX_BUILD_DIR/x86_64-apple-darwin/lianad" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-cli" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ../README.md "$MAC_DIR_NAME"
tar -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME" tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
cp "$MAC_ARCHIVE" "$RELEASE_DIR" mv "$MAC_ARCHIVE" "$RELEASE_DIR"
unzip ../contrib/release/macos/Liana.app.zip unzip ../contrib/release/macos/Liana.app.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
cp "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ./Liana.app/Contents/MacOS/Liana cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
zip -ry Liana-noncodesigned.zip Liana.app chmod u+w ./Liana.app/Contents/MacOS/Liana
cp ./Liana-noncodesigned.zip "$RELEASE_DIR/" zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
if [ "$MAC_CODESIGN" = "1" ]; then
$RCODESIGN_BIN sign --digest sha256 --code-signature-flags runtime --pem-source "$CODESIGN_KEY" --der-source "$CODESIGN_CERT" Liana.app/
$RCODESIGN_BIN notary-submit --max-wait-seconds 600 --api-key-path "$NOTARY_API_CREDS_FILE" --staple Liana.app
zip -ry Liana.zip Liana.app
cp ./Liana.zip "$RELEASE_DIR/"
fi
) )
# Finally, sign all the assets find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
(
cd "$RELEASE_DIR"
for asset in $(ls); do
gpg --detach-sign --armor "$asset"
done
)
set +ex set +ex

98
contrib/release/sign.sh Executable file
View File

@ -0,0 +1,98 @@
#!/usr/bin/env sh
set -e # Exit immediately if a command exits with a non-zero status
set -x # Print commands and their arguments as they are executed
VERSION="${VERSION:-"8.0"}"
# Define the release directory
RELEASE_DIR="$PWD/release_assets"
RELEASE_BUILD_DIR="$PWD/release_build"
# Function to perform GPG signing
sign_with_gpg() {
(
cd "$RELEASE_DIR"
gpg --detach-sign --armor "shasums.txt"
)
}
# Function to convert a path to an absolute path
absolute_path() {
local path="$1"
if [[ "$path" = /* ]]; then
echo "$path"
else
echo "$PWD/$path"
fi
}
# Function to perform rcodesign signing
sign_with_rcodesign() {
# Ensure the correct number of arguments are provided
if [ "$#" -ne 3 ]; then
echo "Usage: $0 rcodesign <cert_path> <key_path> <apikey_json_path>"
exit 1
fi
# Assign arguments to variables
CODESIGN_CERT="$(absolute_path $1)"
CODESIGN_KEY="$(absolute_path $2)"
NOTARY_API_CREDS_FILE="$(absolute_path $3)"
# Verify that the provided files exist
if [ ! -f "$CODESIGN_CERT" ]; then
echo "Certificate file not found: $CODESIGN_CERT"
exit 1
fi
if [ ! -f "$CODESIGN_KEY" ]; then
echo "Key file not found: $CODESIGN_KEY"
exit 1
fi
if [ ! -f "$NOTARY_API_CREDS_FILE" ]; then
echo "API credentials file not found: $NOTARY_API_CREDS_FILE"
exit 1
fi
cd "$RELEASE_BUILD_DIR"
rcodesign sign \
--digest sha256 \
--code-signature-flags runtime \
--pem-source "$CODESIGN_KEY" \
--der-source "$CODESIGN_CERT" \
Liana.app/
rcodesign notary-submit \
--max-wait-seconds 600 \
--api-key-path "$NOTARY_API_CREDS_FILE" \
--staple Liana.app
zip -ry "Liana-$VERSION.zip" Liana.app
mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
}
if [ "$#" -lt 1 ]; then
echo "Usage: $0 <gpg|rcodesign> [args...]"
exit 1
fi
COMMAND="$1"
shift # Shift the arguments to access any additional parameters
case "$COMMAND" in
gpg)
sign_with_gpg
;;
rcodesign)
sign_with_rcodesign "$@"
;;
*)
echo "Invalid command: $COMMAND"
echo "Usage: $0 <gpg|rcodesign> [args...]"
exit 1
;;
esac
# Disable debugging and exit on success
set +ex

15
flake.nix
View File

@ -81,6 +81,9 @@
mkdir -p $CARGO_ZIGBUILD_CACHE_DIR mkdir -p $CARGO_ZIGBUILD_CACHE_DIR
export CC=zigcc export CC=zigcc
export CXX=zigc++ export CXX=zigc++
# rcodesign needs place to sign binary
export RUSTFLAGS="-C link-arg=-Wl,-headerpad_max_install_names"
''; '';
installPhaseCommand = '' installPhaseCommand = ''
@ -144,12 +147,12 @@
}; };
releaseShell = pkgs.mkShell { releaseShell = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = [
zip pkgs.zip
unzip pkgs.unzip
gnutar pkgs.gnutar
dpkg pkgs.dpkg
rcodesign pkgs.rcodesign
]; ];
}; };