Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable cross compilation to windows and macos with nix #1491

Merged
merged 5 commits into from
Dec 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions .dockerignore

This file was deleted.

3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,6 @@ TODO
Xcode_12.2.xip
.idea/
fuzz/corpus
result
release_build
release_assets
72 changes: 37 additions & 35 deletions contrib/release/release.sh
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,27 @@ WINDOWS_DIR_NAME="$LIANA_PREFIX-x86_64-windows-gnu"
WINDOWS_ARCHIVE="$WINDOWS_DIR_NAME.zip"
MAC_DIR_NAME="$LIANA_PREFIX-x86_64-apple-darwin"
MAC_ARCHIVE="$MAC_DIR_NAME.tar.gz"
MAC_CODESIGN="${MAC_CODESIGN:-"0"}"
RCODESIGN_BIN="${RCODESIGN_BIN:-"$PWD/../../macos_codesigning/apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign"}"
CODESIGN_KEY="${CODESIGN_KEY:-"$PWD/../../macos_codesigning/wizardsardine_liana.key"}"
CODESIGN_CERT="${CODESIGN_CERT:-"$PWD/../../macos_codesigning/antoine_devid_liana_codesigning.cer"}"
NOTARY_API_CREDS_FILE="${NOTARY_API_CREDS_FILE:-"$PWD/../../macos_codesigning/encoded_appstore_api_key.json"}"

create_dir() {
test -d "$1" || mkdir "$1"
if [ -d "$1" ]; then
rm -rf "$1"
fi
mkdir "$1"
}



# Determine the reference time used for determinism (overridable by environment)
export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
export TZ=UTC
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"

zip_archive () {
local archive="$1"
shift
touch -d "@$SOURCE_DATE_EPOCH" "$@"
find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
find "$@" -type f | sort | zip -oX "$archive" -@
}

# We'll use a folder for the builds output and another one for the final assets.
Expand All @@ -32,63 +45,52 @@ create_dir "$RELEASE_DIR"
create_dir "$BUILD_DIR"

OUT_DIR="$BUILD_DIR" ./contrib/reproducible/guix/guix-build.sh
TARGET_DIR="$BUILD_DIR" ./contrib/reproducible/docker/docker-build.sh

# Create the Linux archive and Debian binary package.
nix build .#release
NIX_BUILD_DIR="$(nix path-info .#release)"

#Create the Linux archive and Debian binary package.
(
cd "$BUILD_DIR"
create_dir "$LINUX_DIR_NAME"
cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md "$LINUX_DIR_NAME"
tar -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
cp "$LINUX_ARCHIVE" "$RELEASE_DIR"
tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$LINUX_ARCHIVE" "$LINUX_DIR_NAME"
mv "$LINUX_ARCHIVE" "$RELEASE_DIR"

unzip ../contrib/release/debian/package.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./package/DEBIAN/control
cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md ./package/usr/bin/
DIRNAME="liana_$VERSION-1_amd64"
mv ./package "$DIRNAME"
dpkg-deb -Zxz --build "$DIRNAME"
dpkg-deb -Zxz --build --root-owner-group "$DIRNAME"
mv "$DIRNAME.deb" "$RELEASE_DIR"
)

# Create the Windows archive and the raw executable
(
cd "$BUILD_DIR"
create_dir "$WINDOWS_DIR_NAME"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
cp "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
cp "$BUILD_DIR/x86_64-pc-windows-gnu/release/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
zip_archive "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
)

# Create the MacOS archive and a zipped application bundle of liana-gui.
(
cd "$BUILD_DIR"
create_dir "$MAC_DIR_NAME"
cp "$BUILD_DIR/x86_64-apple-darwin/release/lianad" "$BUILD_DIR/x86_64-apple-darwin/release/liana-cli" "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ../README.md "$MAC_DIR_NAME"
tar -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
cp "$MAC_ARCHIVE" "$RELEASE_DIR"
cp "$NIX_BUILD_DIR/x86_64-apple-darwin/lianad" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-cli" "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ../README.md "$MAC_DIR_NAME"
tar --mtime="@${SOURCE_DATE_EPOCH}" -czf "$MAC_ARCHIVE" "$MAC_DIR_NAME"
mv "$MAC_ARCHIVE" "$RELEASE_DIR"

unzip ../contrib/release/macos/Liana.app.zip
sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
cp "$BUILD_DIR/x86_64-apple-darwin/release/liana-gui" ./Liana.app/Contents/MacOS/Liana
zip -ry Liana-noncodesigned.zip Liana.app
cp ./Liana-noncodesigned.zip "$RELEASE_DIR/"

if [ "$MAC_CODESIGN" = "1" ]; then
$RCODESIGN_BIN sign --digest sha256 --code-signature-flags runtime --pem-source "$CODESIGN_KEY" --der-source "$CODESIGN_CERT" Liana.app/
$RCODESIGN_BIN notary-submit --max-wait-seconds 600 --api-key-path "$NOTARY_API_CREDS_FILE" --staple Liana.app
zip -ry Liana.zip Liana.app
cp ./Liana.zip "$RELEASE_DIR/"
fi
cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
zip_archive "Liana-$VERSION-noncodesigned.zip" Liana.app
mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
)

# Finally, sign all the assets
(
cd "$RELEASE_DIR"
for asset in $(ls); do
gpg --detach-sign --armor "$asset"
done
)
find "$RELEASE_DIR" -type f ! -name "shasums.txt" -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"

set +ex
115 changes: 115 additions & 0 deletions contrib/release/sign.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
#!/usr/bin/env sh

set -e # Exit immediately if a command exits with a non-zero status
set -x # Print commands and their arguments as they are executed

VERSION="${VERSION:-"8.0"}"
# Define the release directory
RELEASE_DIR="$PWD/release_assets"
RELEASE_BUILD_DIR="$PWD/release_build"

# Function to perform GPG signing
sign_with_gpg() {
(
cd "$RELEASE_DIR"
gpg --detach-sign --armor "shasums.txt"
)
}

# Function to convert a path to an absolute path
absolute_path() {
local path="$1"
if [[ "$path" = /* ]]; then
echo "$path"
else
echo "$PWD/$path"
fi
}

# Determine the reference time used for determinism (overridable by environment)
export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
export TZ=UTC

zip_archive () {
local archive="$1"
shift
touch -d "@$SOURCE_DATE_EPOCH" "$@"
find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
zip -r -oX - "$@" > "$archive"
}



# Function to perform rcodesign signing
sign_with_rcodesign() {
# Ensure the correct number of arguments are provided
if [ "$#" -ne 3 ]; then
echo "Usage: $0 rcodesign <cert_path> <key_path> <apikey_json_path>"
exit 1
fi

# Assign arguments to variables
CODESIGN_CERT="$(absolute_path $1)"
CODESIGN_KEY="$(absolute_path $2)"
NOTARY_API_CREDS_FILE="$(absolute_path $3)"

# Verify that the provided files exist
if [ ! -f "$CODESIGN_CERT" ]; then
echo "Certificate file not found: $CODESIGN_CERT"
exit 1
fi

if [ ! -f "$CODESIGN_KEY" ]; then
echo "Key file not found: $CODESIGN_KEY"
exit 1
fi

if [ ! -f "$NOTARY_API_CREDS_FILE" ]; then
echo "API credentials file not found: $NOTARY_API_CREDS_FILE"
exit 1
fi

cd "$RELEASE_BUILD_DIR"
chmod u+w ./Liana.app/Contents/MacOS/Liana

rcodesign sign \
--digest sha256 \
--code-signature-flags runtime \
--pem-source "$CODESIGN_KEY" \
--der-source "$CODESIGN_CERT" \
Liana.app/

rcodesign notary-submit \
--max-wait-seconds 600 \
--api-key-path "$NOTARY_API_CREDS_FILE" \
--staple Liana.app

zip_archive "Liana-$VERSION.zip" Liana.app
mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
sha256sum "$RELEASE_DIR/Liana-$VERSION.zip" | tee -a "$RELEASE_DIR/shasums.txt"
}

if [ "$#" -lt 1 ]; then
echo "Usage: $0 <gpg|rcodesign> [args...]"
exit 1
fi

COMMAND="$1"
shift # Shift the arguments to access any additional parameters

case "$COMMAND" in
gpg)
sign_with_gpg
;;
rcodesign)
sign_with_rcodesign "$@"
;;
*)
echo "Invalid command: $COMMAND"
echo "Usage: $0 <gpg|rcodesign> [args...]"
exit 1
;;
esac

# Disable debugging and exit on success
set +ex
56 changes: 54 additions & 2 deletions contrib/reproducible/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
# Liana reproducible builds

## Reproducible build of linux binaries with GUIX

Releases of Liana are built in a reproducible manner, providing an assurance the binary a user is
going to run corresponds to the sources published. It enables the possibility for the user, or a
third party, to audit the code being ran.
Expand All @@ -13,5 +15,55 @@ builds [here](https://bootstrappable.org/).

For instructions on bootstrappable builds of Linux releases, see the [`guix`](./guix) folder.

For instructions on reproducible builds of Windows and MacOS releases, see the [`docker`](./docker)
folder.

## Reproducible build of windows and macos binaries with NIX

You will have to install [Nix](https://nixos.org/download/#download-nix), a package manager.
We rely on nix flakes, so you may need to activate this feature by setting in your `~/.config/nix/nix.conf`:

```
experimental-features = nix-command flakes
```

### Windows

Simply run:

```
nix build .#x86_64-pc-windows-gnu
```

Binary will be present in the `./result` folder.


### MACOS

First you need get the MacOS SDK. It is required to be able to build the MacOS binaries. The `12_2` version is
required (`Xcode_12.2.xip`). You need to download it from Apple's website. An Apple ID and cookies
enabled for the hostname are required. You can create one for free. (Note it is illegal to
distribute the archive.) Once logged in you can use the [direct
link](https://download.developer.apple.com/Developer_Tools/Xcode_12.2/Xcode_12.2.xip) to download
the archive. Alternatively, go to 'Downloads', then 'More' and search for [`Xcode
12.2`](https://developer.apple.com/download/all/?q=Xcode%2012.2).
The `sha256sum` of the downloaded XIP archive should be
`28d352f8c14a43d9b8a082ac6338dc173cb153f964c6e8fb6ba389e5be528bd0`.

Then you have to extract the SDK and add it to the nix store:

```
nix run github:edouardparis/unxip#unxip -- Xcode_12.2.xip Xcode_12.2
cd Xcode_12.2
nix-store --add-fixed --recursive sha256 Xcode.app
```
It may take a long time.

Then to compile binaries for new apple CPUs:
```
nix build .#aarch64-apple-darwin
```
Or for legacy CPUs:
```
nix build .#x86_64-apple-darwin
```

Binaries will be present in the `./result` folder.
33 changes: 0 additions & 33 deletions contrib/reproducible/docker/README.md

This file was deleted.

Loading
Loading