Add script contrib/release/sign.sh for signing binaries
edouardparis committed Dec 5, 2024
1 parent e17d90c commit 48d29fe
Showing 4 changed files with 137 additions and 40 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -12,3 +12,6 @@ TODO
Xcode_12.2.xip
.idea/
fuzz/corpus
result
release_build
release_assets
61 changes: 27 additions & 34 deletions contrib/release/release.sh
Expand Up @@ -6,6 +6,11 @@
# ==============================================================================

set -ex
# Increase open files limit
ulimit -n 4096

# Increase stack size
ulimit -s 16384

VERSION="${VERSION:-"8.0"}"
LIANA_PREFIX="liana-$VERSION"
Expand All @@ -15,19 +20,17 @@ WINDOWS_DIR_NAME="$LIANA_PREFIX-x86_64-windows-gnu"
WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip"
MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin"
MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz"
MAC_CODESIGN="${MAC_CODESIGN:-"0"}"
RCODESIGN_BIN="${RCODESIGN_BIN:-"$PWD/../../macos_codesigning/apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign"}"
CODESIGN_KEY="${CODESIGN_KEY:-"$PWD/../../macos_codesigning/wizardsardine_liana.key"}"
CODESIGN_CERT="${CODESIGN_CERT:-"$PWD/../../macos_codesigning/antoine_devid_liana_codesigning.cer"}"
NOTARY_API_CREDS_FILE="${NOTARY_API_CREDS_FILE:-"$PWD/../../macos_codesigning/encoded_appstore_api_key.json"}"

create_dir() {
test -d "$1" || mkdir "$1"
if [ -d "$1" ]; then
rm -rf "$1"
fi
mkdir "$1"
}

# Determine the reference time used for determinism (overridable by environment)
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"

# We'll use a folder for the builds output and another one for the final assets.
RELEASE_DIR="$PWD/release_assets"
Expand All @@ -36,15 +39,17 @@ create_dir "$RELEASE_DIR"
create_dir "$BUILD_DIR"

OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh
TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh

# Create the Linux archive and Debian binary package.
nix build .#release
NIX_BUILD_DIR="$(nix path-info .#release)"
#Create the Linux archive and Debian binary package.
(
cd "$BUILD_DIR"
create_dir "$LINUX_DIR_NAME"
cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME"
tar -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
cp "$LINUX_ARCHIVE" "$RELEASE_DIR"
tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
mv "$LINUX_ARCHIVE" "$RELEASE_DIR"
unzip ../contrib/release/debian/package.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control
Expand All @@ -59,40 +64,28 @@ TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh
(
cd "$BUILD_DIR"
create_dir "$WINDOWS_DIR_NAME"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
cp "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
)
# Create the MacOS archive and a zipped application bundle of liana-gui.
(
cd "$BUILD_DIR"
create_dir "$MAC_DIR_NAME"
cp "$BUILD_DIR/x86_64-apple-darwin/release/lianad" "$BUILD_DIR/x86_64-apple-darwin/release/liana-cli" "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ../README.md "$MAC_DIR_NAME"
tar -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
cp "$MAC_ARCHIVE" "$RELEASE_DIR"
cp "$NIX_BUILD_DIR/x86_64-apple-darwin/lianad" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-cli" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ../README.md "$MAC_DIR_NAME"
tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
mv "$MAC_ARCHIVE" "$RELEASE_DIR"
unzip ../contrib/release/macos/Liana.app.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
cp "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ./Liana.app/Contents/MacOS/Liana
zip -ry Liana-noncodesigned.zip Liana.app
cp ./Liana-noncodesigned.zip "$RELEASE_DIR/"

if [ "$MAC_CODESIGN" = "1" ]; then
$RCODESIGN_BIN sign --digest sha256 --code-signature-flags runtime --pem-source "$CODESIGN_KEY" --der-source "$CODESIGN_CERT" Liana.app/
$RCODESIGN_BIN notary-submit --max-wait-seconds 600 --api-key-path "$NOTARY_API_CREDS_FILE" --staple Liana.app
zip -ry Liana.zip Liana.app
cp ./Liana.zip "$RELEASE_DIR/"
fi
cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
chmod u+w ./Liana.app/Contents/MacOS/Liana
zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
)
# Finally, sign all the assets
(
cd "$RELEASE_DIR"
for asset in $(ls); do
gpg --detach-sign --armor "$asset"
done
)
find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
set +ex
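Review bot: The final `find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"` records absolute builder paths (RELEASE_DIR is `$PWD/release_assets`), so a user cannot run `sha256sum -c shasums.txt` against the downloaded assets, and since `tee` creates `shasums.txt` inside the very directory `find` is walking, the manifest may end up hashing its own empty or partial self depending on directory-read timing; `find` order is also unsorted, so two otherwise reproducible runs can produce differently ordered manifests. Generate it from inside the directory, excluding itself, with a sorted order: `(cd "$RELEASE_DIR" && LC_ALL=C find . -type f ! -name shasums.txt -exec sha256sum -- {} + | LC_ALL=C sort -k 2 > shasums.txt && cat shasums.txt)`. Separately, `create_dir` now runs `rm -rf "$1"` with no `set -u` in effect; guarding the destructive path with `rm -rf -- "${1:?create_dir needs a path}"` costs nothing.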
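--- a/contrib/release/sign.sh
+++ b/contrib/release/sign.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env sh
+
+set -e # Exit immediately if a command exits with a non-zero status
+set -x # Print commands and their arguments as they are executed
+
+VERSION="${VERSION:-"8.0"}"
+# Define the release directory
+RELEASE_DIR="$PWD/release_assets"
+RELEASE_BUILD_DIR="$PWD/release_build"
+
+# Function to perform GPG signing
+sign_with_gpg() {
+(
+cd "$RELEASE_DIR"
+gpg --detach-sign --armor "shasums.txt"
+)
+}
+
+# Function to convert a path to an absolute path
+absolute_path() {
+local path="$1"
+if [[ "$path" = /* ]]; then
+echo "$path"
+else
+echo "$PWD/$path"
+fi
+}
+
+# Function to perform rcodesign signing
+sign_with_rcodesign() {
+# Ensure the correct number of arguments are provided
+if [ "$#" -ne 3 ]; then
+echo "Usage: $0 rcodesign <cert_path> <key_path> <apikey_json_path>"
+exit 1
+fi
+
+# Assign arguments to variables
+CODESIGN_CERT="$(absolute_path $1)"
+CODESIGN_KEY="$(absolute_path $2)"
+NOTARY_API_CREDS_FILE="$(absolute_path $3)"
+
+# Verify that the provided files exist
+if [ ! -f "$CODESIGN_CERT" ]; then
+echo "Certificate file not found: $CODESIGN_CERT"
+exit 1
+fi
+
+if [ ! -f "$CODESIGN_KEY" ]; then
+echo "Key file not found: $CODESIGN_KEY"
+exit 1
+fi
+
+if [ ! -f "$NOTARY_API_CREDS_FILE" ]; then
+echo "API credentials file not found: $NOTARY_API_CREDS_FILE"
+exit 1
+fi
+
+cd "$RELEASE_BUILD_DIR"
+rcodesign sign \
+--digest sha256 \
+--code-signature-flags runtime \
+--pem-source "$CODESIGN_KEY" \
+--der-source "$CODESIGN_CERT" \
+Liana.app/
+
+rcodesign notary-submit \
+--max-wait-seconds 600 \
+--api-key-path "$NOTARY_API_CREDS_FILE" \
+--staple Liana.app
+
+zip -ry "Liana-$VERSION.zip" Liana.app
+mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
+}
+
+if [ "$#" -lt 1 ]; then
+echo "Usage: $0 <gpg|rcodesign> [args...]"
+exit 1
+fi
+
+COMMAND="$1"
+shift # Shift the arguments to access any additional parameters
+
+case "$COMMAND" in
+gpg)
+sign_with_gpg
+;;
+rcodesign)
+sign_with_rcodesign "$@"
+;;
+*)
+echo "Invalid command: $COMMAND"
+echo "Usage: $0 <gpg|rcodesign> [args...]"
+exit 1
+;;
+esac
+
+# Disable debugging and exit on success
+set +ex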
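Review bot: The GPG signature produced by `sign_with_gpg` covers only `shasums.txt`, but that manifest is written by release.sh before `sign_with_rcodesign` moves the notarized `Liana-$VERSION.zip` into `$RELEASE_DIR`, so the code-signed macOS bundle is never covered by the signed manifest whichever order the two subcommands are run in. Append it after the `mv`, e.g. `(cd "$RELEASE_DIR" && sha256sum "Liana-$VERSION.zip" >> shasums.txt)`, and add a header comment stating that `rcodesign` must run before `gpg` so the signature covers the final manifest. Separately, the script is declared `#!/usr/bin/env sh` but `absolute_path` uses the bash-only `[[ "$path" = /* ]]`; under dash the test fails, every argument gets `$PWD/` prepended and absolute paths are then reported as "not found" — either switch the shebang to bash or use `case "$path" in /*) echo "$path" ;; *) echo "$PWD/$path" ;; esac`. The three `$(absolute_path $1)` calls should also quote their argument so paths with spaces survive.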
15 changes: 9 additions & 6 deletions flake.nix
Expand Up @@ -81,6 +81,9 @@
mkdir -p $CARGO_ZIGBUILD_CACHE_DIR
export CC=zigcc
export CXX=zigc++
# rcodesign needs place to sign binary
export RUSTFLAGS="-C link-arg=-Wl,-headerpad_max_install_names"
'';

installPhaseCommand = ''
Expand Down Expand Up @@ -144,12 +147,12 @@
};

releaseShell = pkgs.mkShell {
buildInputs = with pkgs; [
zip
unzip
gnutar
dpkg
rcodesign
buildInputs = [
pkgs.zip
pkgs.unzip
pkgs.gnutar
pkgs.dpkg
pkgs.rcodesign
];
};

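Review bot: The new `export RUSTFLAGS="-C link-arg=-Wl,-headerpad_max_install_names"` replaces any RUSTFLAGS already set in the environment rather than extending it, and `-headerpad_max_install_names` is a Mach-O linker option; if this preBuild is shared by the Linux and Windows targets (the enclosing derivation starts outside the hunk, so this is inferred from the cargo-zigbuild setup around it), the non-Apple link will reject the flag, so it should be gated on the darwin target or appended only there. The comment `# rcodesign needs place to sign binary` would read more precisely as `# Pad the Mach-O load-command area so rcodesign can add the code-signature load command in place`.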
