Add script contrib/release/sign.sh for signing binaries

.gitignore

@@ -12,3 +12,6 @@ TODO
 Xcode_12.2.xip
 .idea/
 fuzz/corpus
+result
+release_build
+release_assets

contrib/release/release.sh

@@ -15,19 +15,17 @@ WINDOWS_DIR_NAME="$LIANA_PREFIX-x86_64-windows-gnu"
 WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip"
 MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin"
 MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz"
-MAC_CODESIGN="${MAC_CODESIGN:-"0"}"
-RCODESIGN_BIN="${RCODESIGN_BIN:-"$PWD/../../macos_codesigning/apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign"}"
-CODESIGN_KEY="${CODESIGN_KEY:-"$PWD/../../macos_codesigning/wizardsardine_liana.key"}"
-CODESIGN_CERT="${CODESIGN_CERT:-"$PWD/../../macos_codesigning/antoine_devid_liana_codesigning.cer"}"
-NOTARY_API_CREDS_FILE="${NOTARY_API_CREDS_FILE:-"$PWD/../../macos_codesigning/encoded_appstore_api_key.json"}"
 
 create_dir() {
-    test -d "$1" || mkdir "$1"
+    if [ -d "$1" ]; then
+        rm -rf "$1"
+    fi
+    mkdir "$1"
 }
 
 # Determine the reference time used for determinism (overridable by environment)
 export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
-export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
+export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"
 
 # We'll use a folder for the builds output and another one for the final assets.
 RELEASE_DIR="$PWD/release_assets"
@@ -36,15 +34,17 @@ create_dir "$RELEASE_DIR"
 create_dir "$BUILD_DIR"
 
 OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh
-TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
 
-# Create the Linux archive and Debian binary package.
+nix build .#release
+NIX_BUILD_DIR="$(nix path-info .#release)"
+
+#Create the Linux archive and Debian binary package.
 (
     cd "$BUILD_DIR"
     create_dir "$LINUX_DIR_NAME"
     cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME"
-    tar -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
-    cp "$LINUX_ARCHIVE" "$RELEASE_DIR"
+    tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
+    mv "$LINUX_ARCHIVE" "$RELEASE_DIR"
 
     unzip ../contrib/release/debian/package.zip
     sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control
@@ -59,40 +59,28 @@ TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
 (
     cd "$BUILD_DIR"
     create_dir "$WINDOWS_DIR_NAME"
-    cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
+    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
     zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
-    cp "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
-    cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
+    mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
+    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
 )
 
 # Create the MacOS archive and a zipped application bundle of liana-gui.
 (
     cd "$BUILD_DIR"
     create_dir "$MAC_DIR_NAME"
-    cp "$BUILD_DIR/x86_64-apple-darwin/release/lianad" "$BUILD_DIR/x86_64-apple-darwin/release/liana-cli" "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ../README.md "$MAC_DIR_NAME"
-    tar -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
-    cp "$MAC_ARCHIVE" "$RELEASE_DIR"
+    cp "$NIX_BUILD_DIR/x86_64-apple-darwin/lianad" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-cli" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ../README.md "$MAC_DIR_NAME"
+    tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
+    mv "$MAC_ARCHIVE" "$RELEASE_DIR"
 
     unzip ../contrib/release/macos/Liana.app.zip
     sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
-    cp "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ./Liana.app/Contents/MacOS/Liana
-    zip -ry Liana-noncodesigned.zip Liana.app
-    cp ./Liana-noncodesigned.zip "$RELEASE_DIR/"
-
-    if [ "$MAC_CODESIGN" = "1" ]; then
-        $RCODESIGN_BIN sign --digest sha256 --code-signature-flags runtime --pem-source "$CODESIGN_KEY" --der-source "$CODESIGN_CERT" Liana.app/
-        $RCODESIGN_BIN notary-submit --max-wait-seconds 600 --api-key-path "$NOTARY_API_CREDS_FILE" --staple Liana.app
-        zip -ry Liana.zip Liana.app
-        cp ./Liana.zip "$RELEASE_DIR/"
-    fi
+    cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
+    chmod u+w ./Liana.app/Contents/MacOS/Liana
+    zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
+    mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
 )
 
-# Finally, sign all the assets
-(
-    cd "$RELEASE_DIR"
-    for asset in $(ls); do
-        gpg --detach-sign --armor "$asset"
-    done
-)
+find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
 
 set +ex

contrib/release/sign.sh

@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+
+set -e  # Exit immediately if a command exits with a non-zero status
+set -x  # Print commands and their arguments as they are executed
+
+VERSION="${VERSION:-"8.0"}"
+# Define the release directory
+RELEASE_DIR="$PWD/release_assets"
+RELEASE_BUILD_DIR="$PWD/release_build"
+
+# Function to perform GPG signing
+sign_with_gpg() {
+    (
+        cd "$RELEASE_DIR"
+        gpg --detach-sign --armor "shasums.txt"
+    )
+}
+
+# Function to convert a path to an absolute path
+absolute_path() {
+    local path="$1"
+    if [[ "$path" = /* ]]; then
+        echo "$path"
+    else
+        echo "$PWD/$path"
+    fi
+}
+
+# Function to perform rcodesign signing
+sign_with_rcodesign() {
+    # Ensure the correct number of arguments are provided
+    if [ "$#" -ne 3 ]; then
+        echo "Usage: $0 rcodesign <cert_path> <key_path> <apikey_json_path>"
+        exit 1
+    fi
+
+    # Assign arguments to variables
+    CODESIGN_CERT="$(absolute_path $1)"
+    CODESIGN_KEY="$(absolute_path $2)"
+    NOTARY_API_CREDS_FILE="$(absolute_path $3)"
+
+    # Verify that the provided files exist
+    if [ ! -f "$CODESIGN_CERT" ]; then
+        echo "Certificate file not found: $CODESIGN_CERT"
+        exit 1
+    fi
+
+    if [ ! -f "$CODESIGN_KEY" ]; then
+        echo "Key file not found: $CODESIGN_KEY"
+        exit 1
+    fi
+
+    if [ ! -f "$NOTARY_API_CREDS_FILE" ]; then
+        echo "API credentials file not found: $NOTARY_API_CREDS_FILE"
+        exit 1
+    fi
+
+    cd "$RELEASE_BUILD_DIR"
+    rcodesign sign \
+        --digest sha256 \
+        --code-signature-flags runtime \
+        --pem-source "$CODESIGN_KEY" \
+        --der-source "$CODESIGN_CERT" \
+        Liana.app/
+
+    rcodesign notary-submit \
+        --max-wait-seconds 600 \
+        --api-key-path "$NOTARY_API_CREDS_FILE" \
+        --staple Liana.app
+
+    zip -ry "Liana-$VERSION.zip" Liana.app
+    mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
+}
+
+if [ "$#" -lt 1 ]; then
+    echo "Usage: $0 <gpg|rcodesign> [args...]"
+    exit 1
+fi
+
+COMMAND="$1"
+shift  # Shift the arguments to access any additional parameters
+
+case "$COMMAND" in
+    gpg)
+        sign_with_gpg
+        ;;
+    rcodesign)
+        sign_with_rcodesign "$@"
+        ;;
+    *)
+        echo "Invalid command: $COMMAND"
+        echo "Usage: $0 <gpg|rcodesign> [args...]"
+        exit 1
+        ;;
+esac
+
+# Disable debugging and exit on success
+set +ex

flake.nix

@@ -81,6 +81,9 @@
             mkdir -p $CARGO_ZIGBUILD_CACHE_DIR
             export CC=zigcc
             export CXX=zigc++
+
+            # rcodesign needs place to sign binary
+            export RUSTFLAGS="-C link-arg=-Wl,-headerpad_max_install_names"
           '';
 
           installPhaseCommand = ''
@@ -144,12 +147,12 @@
         };
 
         releaseShell = pkgs.mkShell {
-          buildInputs = with pkgs; [
-            zip
-            unzip
-            gnutar
-            dpkg
-            rcodesign
+          buildInputs = [
+            pkgs.zip
+            pkgs.unzip
+            pkgs.gnutar
+            pkgs.dpkg
+            pkgs.rcodesign
           ];
         };