Feat/hardware signing (#11)

* Add Secure Enclave hardware signing and test signing server

Author: redaranj

.github/workflows/test.yml

@@ -40,11 +40,68 @@ jobs:
       - name: Build iOS Framework
         run: make ios-framework
 
-      - name: Build & test
+      - name: Setup Signing Server
         run: |
-          set -eo pipefail
+          echo "Setting up C2PA signing server..."
+          make setup-server
+
+      - name: Build Signing Server
+        run: |
+          cd signing-server
+          swift build
+
+      - name: Start Signing Server
+        run: |
+          cd signing-server
+          DYLD_LIBRARY_PATH=libs:$DYLD_LIBRARY_PATH .build/debug/Run serve --env development --hostname 127.0.0.1 --port 8080 &
+          echo $! > ../server.pid
+          echo "Server started with PID $(cat ../server.pid)"
+
+      - name: Wait for Server to be Ready
+        run: |
+          echo "Waiting for signing server to be ready..."
+          max_attempts=30
+          attempt=0
+          while [ $attempt -lt $max_attempts ]; do
+            if curl -s http://127.0.0.1:8080/health > /dev/null 2>&1; then
+              echo "✓ Signing server is ready"
+              break
+            fi
+            echo "Waiting for server... (attempt $((attempt + 1))/$max_attempts)"
+            sleep 2
+            attempt=$((attempt + 1))
+          done
+
+          if [ $attempt -eq $max_attempts ]; then
+            echo "❌ Server failed to start after $max_attempts attempts"
+            exit 1
+          fi
+
+      - name: Verify Server Endpoints
+        run: |
+          echo "Testing server endpoints..."
+          curl -v http://127.0.0.1:8080/health || echo "Health check failed"
+          echo ""
+          echo "Server is listening on:"
+          lsof -i :8080 || echo "No process on port 8080"
+
+      - name: Clean Build Directory
+        run: |
+          cd example
+          xcodebuild clean -project C2PAExample.xcodeproj -scheme "$SCHEME"
+
+      - name: Resolve Package Dependencies
+        run: |
+          cd example
+          xcodebuild -resolvePackageDependencies -project C2PAExample.xcodeproj -scheme "$SCHEME"
+
+      - name: Build & Test
+        run: |
+          set -o pipefail
           cd example
-          xcrun xcodebuild test \
+          echo "CI environment variable: true"
+          echo "Testing with server at http://127.0.0.1:8080"
+          TEST_RUNNER_CI=true xcrun xcodebuild test \
             -project C2PAExample.xcodeproj \
             -scheme "$SCHEME" \
             -sdk iphonesimulator \
@@ -54,17 +111,36 @@ jobs:
             | xcpretty --test --color
 
       - name: Generate test summary
+        if: always()
         run: |
           cd example
-          xcrun xcresulttool get test-results summary --path TestResults.xcresult || true
-          xcrun xcresulttool get object --path TestResults.xcresult --format json > test-results.json || true
-          xcrun xcresulttool get test-results tests --path TestResults.xcresult || true
+          if [ -d TestResults.xcresult ]; then
+            echo "=== Test Summary ==="
+            xcrun xcresulttool get test-results summary --path TestResults.xcresult || true
+            echo ""
+            echo "=== Test Results ==="
+            xcrun xcresulttool get test-results tests --path TestResults.xcresult || true
+            echo ""
+            echo "=== Exporting JSON ==="
+            # Use the legacy flag as required by newer versions
+            xcrun xcresulttool get --legacy --path TestResults.xcresult --format json > test-results.json 2>&1 || echo "Failed to export JSON"
+            if [ -s test-results.json ]; then
+              echo "Successfully exported test results to JSON ($(wc -c < test-results.json) bytes)"
+            else
+              echo "Warning: test-results.json is empty or not created"
+            fi
+          else
+            echo "TestResults.xcresult not found"
+          fi
 
       - name: Upload test summary
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: TestSummary-${{ matrix.xcode }}-${{ matrix.device }}
-          path: example/test-results.json
+          path: |
+            example/test-results.json
+            example/TestResults.xcresult
 
       - name: Export coverage LCOV
         if: success()
@@ -75,29 +151,13 @@ jobs:
           DERIVED_DATA=$(xcodebuild -showBuildSettings -project C2PAExample.xcodeproj -scheme C2PAExample -sdk iphonesimulator | grep -m 1 " BUILD_DIR " | sed 's/.*= //' | sed 's|/Build/Products||')
           echo "Derived data path: $DERIVED_DATA"
 
-          # Find Coverage.profdata
-          PROFDATA_PATH=""
-          if [ -n "$DERIVED_DATA" ]; then
-            PROFDATA_PATH=$(find "$DERIVED_DATA/Build/ProfileData" -name "Coverage.profdata" -type f 2>/dev/null | head -1 || true)
-          fi
-
-          # Method 2: If not found, look in common CI locations
-          if [ -z "$PROFDATA_PATH" ]; then
-            PROFDATA_PATH=$(find ~/Library/Developer/Xcode/DerivedData -path "*/Build/ProfileData/*/Coverage.profdata" -type f 2>/dev/null | grep -i c2paexample | head -1 || true)
-          fi
+          # Find Coverage.profdata - search in common locations
+          PROFDATA_PATH=$(find ~/Library/Developer/Xcode/DerivedData -path "*/Build/ProfileData/*/Coverage.profdata" -type f 2>/dev/null | grep -i c2paexample | head -1 || true)
 
           echo "Coverage.profdata path: $PROFDATA_PATH"
 
           # Find the test binary
-          TEST_BINARY_PATH=""
-          if [ -n "$DERIVED_DATA" ]; then
-            TEST_BINARY_PATH=$(find "$DERIVED_DATA/Build/Products" -path "*/C2PAExampleTests.xctest/C2PAExampleTests" -type f 2>/dev/null | head -1 || true)
-          fi
-
-          # If not found, search more broadly
-          if [ -z "$TEST_BINARY_PATH" ]; then
-            TEST_BINARY_PATH=$(find ~/Library/Developer/Xcode/DerivedData -path "*/C2PAExampleTests.xctest/C2PAExampleTests" -type f 2>/dev/null | grep -i c2paexample | head -1 || true)
-          fi
+          TEST_BINARY_PATH=$(find ~/Library/Developer/Xcode/DerivedData -path "*/C2PAExampleTests.xctest/C2PAExampleTests" -type f 2>/dev/null | grep -i c2paexample | head -1 || true)
 
           echo "Test binary path: $TEST_BINARY_PATH"
 
@@ -135,3 +195,20 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: contentauth/c2pa-ios
+
+      - name: Stop Signing Server
+        if: always()
+        run: |
+          if [ -f server.pid ]; then
+            SERVER_PID=$(cat server.pid)
+            echo "Stopping signing server (PID: $SERVER_PID)..."
+            kill $SERVER_PID || true
+            rm server.pid
+          fi
+
+      - name: Upload Server Logs
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: server-logs-${{ matrix.xcode }}-${{ matrix.device }}
+          path: signing-server/.build/debug/*.log

.gitignore

@@ -42,4 +42,8 @@ Package.resolved
 # Editor temporary files
 *~
 *.swp
-*.swo
+*.swo
+
+# Signing server
+signing-server/Resources/*
+signing-server/Sources/C2PA/*

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all clean setup download-binaries ios-framework
+.PHONY: all clean setup download-binaries ios-framework setup-server server clean-server
 
 # GitHub Release Configuration
 GITHUB_ORG := contentauth
@@ -56,6 +56,7 @@ download-binaries: setup
 	# Patch the header file
 	@echo "Patching c2pa.h header..."
 	@sed 's/typedef struct C2paSigner C2paSigner;/typedef struct C2paSigner { } C2paSigner;/g' $(BUILD_DIR)/patched_headers/c2pa.h.orig > $(BUILD_DIR)/patched_headers/c2pa.h
+	@rm -f $(BUILD_DIR)/patched_headers/c2pa.h.orig
 
 	@echo "Pre-built binaries downloaded successfully."
 
@@ -110,8 +111,9 @@ define setup_swift_package
 	@mkdir -p $(1)/Sources/C2PA
 	@mkdir -p $(1)/Frameworks
 
-	# Copy Swift wrapper and patch c2pa.h
+	# Copy Swift wrapper files
 	@cp $(APPLE_DIR)/src/C2PA.swift $(1)/Sources/C2PA/
+	@cp $(APPLE_DIR)/src/CertificateManager.swift $(1)/Sources/C2PA/
 	@cp $(APPLE_DIR)/template/Package.swift $(1)/
 
 	# Copy XCFramework
@@ -136,13 +138,83 @@ clean:
 	@rm -rf $(OUTPUT_DIR)
 	@echo "Clean completed."
 
+# Function to download and extract macOS library for server
+# Args: 1=architecture name for display, 2=release filename suffix, 3=target directory name
+define download_macos_library
+	@echo "Downloading macOS $(1) library..."
+	@mkdir -p $(DOWNLOAD_DIR)
+	@curl -sL https://github.com/$(GITHUB_ORG)/c2pa-rs/releases/download/c2pa-$(C2PA_VERSION)/c2pa-$(C2PA_VERSION)-$(2).zip -o $(DOWNLOAD_DIR)/$(3).zip
+	@unzip -q -o $(DOWNLOAD_DIR)/$(3).zip -d $(DOWNLOAD_DIR)/$(3)
+endef
+
+# Server targets
+setup-server:
+	@echo "Setting up C2PA signing server..."
+	@command -v swift >/dev/null 2>&1 || { echo "Error: Swift is required but not installed."; exit 1; }
+	
+	# Create server directories
+	@mkdir -p signing-server/libs
+	@mkdir -p signing-server/Sources/C2PA/include
+	@mkdir -p signing-server/Resources
+	
+	# Download universal macOS binary
+	$(call download_macos_library,universal,universal-apple-darwin,macos-universal)
+	
+	# Copy dylib to server
+	@cp $(DOWNLOAD_DIR)/macos-universal/lib/libc2pa_c.dylib signing-server/libs/
+	
+	# Get header file from macOS download
+	@cp $(DOWNLOAD_DIR)/macos-universal/include/c2pa.h signing-server/Sources/C2PA/include/c2pa.h.orig
+	
+	# Patch the header file
+	@echo "Patching c2pa.h header for server..."
+	@sed 's/typedef struct C2paSigner C2paSigner;/typedef struct C2paSigner { } C2paSigner;/g' signing-server/Sources/C2PA/include/c2pa.h.orig > signing-server/Sources/C2PA/include/c2pa.h
+	@rm -f signing-server/Sources/C2PA/include/c2pa.h.orig
+	
+	# Copy Swift files and module map
+	@cp src/C2PA.swift signing-server/Sources/C2PA/
+	@cp src/CertificateManager.swift signing-server/Sources/C2PA/
+	@cp template/module.modulemap signing-server/Sources/C2PA/
+	# Update header path in module map for server structure
+	@sed -i '' 's|header "c2pa.h"|header "include/c2pa.h"|' signing-server/Sources/C2PA/module.modulemap
+	
+	# Copy test certificates
+	@cp example/C2PAExample/es256_certs.pem signing-server/Resources/
+	@cp example/C2PAExample/es256_private.key signing-server/Resources/
+	
+	@cd signing-server && swift package resolve
+	@echo "Server setup complete!"
+
+server: setup-server
+	@echo "Building server..."
+	@cd signing-server && swift build
+	@echo "Starting C2PA signing server in development mode..."
+	@cd signing-server && DYLD_LIBRARY_PATH=libs:$$DYLD_LIBRARY_PATH .build/debug/Run serve --env development --hostname 127.0.0.1 --port 8080
+
+clean-server:
+	@echo "Cleaning server build artifacts and copied files..."
+	@cd signing-server && swift package clean
+	@cd signing-server && rm -rf .build
+	@rm -rf signing-server/libs
+	@rm -rf signing-server/Sources/C2PA
+	@rm -rf signing-server/Resources
+	@echo "Server clean completed."
+
 # Helper to show available targets
 help:
 	@echo "Available targets:"
+	@echo ""
+	@echo "iOS Framework:"
 	@echo "  setup                 - Create necessary directories"
 	@echo "  download-binaries     - Download pre-built binaries from GitHub releases"
 	@echo "  ios-dev               - Build iOS library for arm64 simulator only (optimized for Apple Silicon)"
 	@echo "  ios-framework         - Create iOS XCFramework"
 	@echo "  all                   - Build iOS framework (default)"
 	@echo "  clean                 - Remove build artifacts"
+	@echo ""
+	@echo "Test Server:"
+	@echo "  setup-server          - Set up the C2PA signing server (downloads libs, copies files)"
+	@echo "  server                - Build and run the signing server (port 8080)"
+	@echo "  clean-server          - Clean server build artifacts"
+	@echo ""
 	@echo "  help                  - Show this help message"

Package.swift

@@ -1,18 +1,23 @@
-// swift-tools-version:5.7
+// swift-tools-version:5.9
 import PackageDescription
 
 let package = Package(
     name: "C2PA",
     platforms: [
-        .iOS(.v15),
-        .macOS(.v11)
+        .iOS(.v16),
+        .macOS(.v14),
     ],
     products: [
         .library(
             name: "C2PA",
-            targets: ["C2PA"]),
+            targets: ["C2PA"])
+    ],
+    dependencies: [
+        .package(
+            url: "https://github.com/apple/swift-certificates.git", .upToNextMajor(from: "1.0.0")),
+        .package(url: "https://github.com/apple/swift-asn1.git", .upToNextMajor(from: "1.0.0")),
+        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMajor(from: "3.0.0")),
     ],
-    dependencies: [],
     targets: [
         .binaryTarget(
             name: "C2PAC",
@@ -21,7 +26,12 @@ let package = Package(
         ),
         .target(
             name: "C2PA",
-            dependencies: ["C2PAC"],
+            dependencies: [
+                "C2PAC",
+                .product(name: "X509", package: "swift-certificates"),
+                .product(name: "SwiftASN1", package: "swift-asn1"),
+                .product(name: "Crypto", package: "swift-crypto"),
+            ],
             path: "src"
         ),
     ]

README.md

@@ -21,7 +21,7 @@ C2PA iOS offers:
 
 - `/src` - Swift wrapper source code
 - `/template` - Swift package template
-- `/example` - Example iOS application  
+- `/example` - Example iOS application
 - `/output` - Build output artifacts
 - `/build` - Temporary build files and external dependencies
 - `/Makefile` - Build system commands
@@ -153,7 +153,7 @@ let manifestData = try builder.sign(
    ```bash
    # iOS framework (device + simulator)
    make ios-framework
-   
+
    # For faster development on Apple Silicon Macs
    make ios-dev          # Only builds for arm64 simulator
    ```
@@ -163,7 +163,7 @@ let manifestData = try builder.sign(
    ```bash
    # iOS Swift Package
    open output/C2PA-iOS
-   
+
    # Example App
    open example
    ```
@@ -198,6 +198,29 @@ The example iOS application in the `example` directory demonstrates comprehensiv
 
 The app includes 19 comprehensive tests covering all major C2PA operations. Run the app and tap "Run All Tests" to see the library in action.
 
+## Test Signing Server
+
+For testing certificate enrollment and C2PA signing, a simple Swift-based signing server is included:
+
+```bash
+# Start the test server
+make server
+```
+
+The server runs on `http://localhost:8080` and provides:
+
+- **Certificate Authority**: Signs Certificate Signing Requests (CSRs) for testing
+- **C2PA Signing**: Server-side C2PA manifest signing
+- **No Authentication**: Simplified for development/testing only
+
+### Key Endpoints
+
+- `GET /health` - Health check
+- `POST /api/v1/certificates/sign` - Sign a CSR
+- `POST /api/v1/c2pa/sign` - Sign image with C2PA manifest
+
+**⚠️ Testing Only**: This server has no authentication and is intended for development and testing only. For production use, implement proper authentication and security measures.
+
 ## License
 
 This project is licensed under the Apache License, Version 2.0 and MIT - see the LICENSE-APACHE and LICENSE-MIT files for details.