add code signing for macOS and windows [ci skip]

infeo · infeo · commit c64652756343 · 2024-11-20T16:53:37.000+01:00
diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml
@@ -28,7 +28,11 @@ jobs:
     outputs:
       semVerStr: ${{ steps.determine-version.outputs.version }}
       semVerNum: ${{steps.determine-number.outputs.number}}
+      revisionNum: ${{steps.determine-number.outputs.revision}}
     steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - id: determine-version
         shell: pwsh
         run: |
@@ -45,6 +49,8 @@ jobs:
         run: |
           SEM_VER_NUM=$(echo "${{ steps.determine-version.outputs.version }}" | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
           echo "number=${SEM_VER_NUM}" >> "$GITHUB_OUTPUT"
+          REVISION_NUM=`git rev-list --count HEAD`
+          echo "revision=${REVISION_NUM}" >> "$GITHUB_OUTPUT"
 
   build-binary:
     name: Build java app image
@@ -110,10 +116,76 @@ jobs:
           name: cryptomator-cli-mac-${{ matrix.architecture }}
           path: ./target/cryptomator-cli.app
           if-no-files-found: error
-      - name: TODO sign binaries
-        run: echo "TODO sign it and notarize it"
+      - name: Patch Cryptomator.app
+        run: |
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ./target/Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ./target/Cryptomator.app/Contents/Info.plist
+          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output ./target/Cryptomator.app/Contents/embedded.provisionprofile
+        env:
+          VERSION_NO: ${{ needs.prepare.outputs.semVerNum }}
+          REVISION_NO: ${{ needs.prepare.outputs.revisionNum }}
+          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
+      - name: Install codesign certificate
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/codesign.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/codesign.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$CODESIGN_P12_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 900 $KEYCHAIN_PATH
+          security unlock-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$CODESIGN_P12_PW" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+        env:
+          CODESIGN_P12_BASE64: ${{ secrets.MACOS_CODESIGN_P12_BASE64 }}
+          CODESIGN_P12_PW: ${{ secrets.MACOS_CODESIGN_P12_PW }}
+          CODESIGN_TMP_KEYCHAIN_PW: ${{ secrets.MACOS_CODESIGN_TMP_KEYCHAIN_PW }}
+      - name: Codesign
+        run: |
+          echo "Codesigning jdk files..."
+          find ./target/cryptomator-cli.app/Contents/runtime/Contents/Home/lib/ -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+          find ./target/cryptomator-cli.app/Contents/runtime/Contents/Home/lib/ \( -name 'jspawnhelper' -o -name 'pauseengine' -o -name 'simengine' \) -exec codesign --force -o runtime -s ${CODESIGN_IDENTITY} {} \;
+          echo "Codesigning jar contents..."
+          find ./target/cryptomator-cli.app/Contents/runtime/Contents/MacOS -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+          for JAR_PATH in `find ./target/cryptomator-cli.app -name "*.jar"`; do
+            if [[ `unzip -l ${JAR_PATH} | grep '.dylib\|.jnilib'` ]]; then
+              JAR_FILENAME=$(basename ${JAR_PATH})
+              OUTPUT_PATH=${JAR_PATH%.*}
+              echo "Codesigning libs in ${JAR_FILENAME}..."
+              unzip -q ${JAR_PATH} -d ${OUTPUT_PATH}
+              find ${OUTPUT_PATH} -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+              find ${OUTPUT_PATH} -name '*.jnilib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+              rm ${JAR_PATH}
+              pushd ${OUTPUT_PATH} > /dev/null
+              zip -qr ../${JAR_FILENAME} *
+              popd > /dev/null
+              rm -r ${OUTPUT_PATH}
+            fi
+          done
+          echo "Codesigning Cryptomator.app..."
+          sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" dist/mac/cryptomator-cli.entitlements
+          sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" dist/mac/cryptomator-cli.entitlements
+          codesign --force --deep --entitlements dist/mac/cryptomator-cli.entitlements -o runtime -s ${CODESIGN_IDENTITY} ./target/cryptomator-cli.app
+        env:
+          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
+          TEAM_IDENTIFIER: ${{ secrets.MACOS_TEAM_IDENTIFIER }}
       - name: Zip binary for release
         run: zip -r ./${{ matrix.artifact-name}} ./target/cryptomator-cli.app
+      - name: Notarize .dmg
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: cocoalibs/xcode-notarization-action@v1
+        with:
+          app-path: ${{ matrix.artifact-name }}
+          apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
+          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+          xcode-path: '/Applications/Xcode_16.app'
       - name: Create detached GPG signature with key 615D449FE6E6A235
         run: |
           echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
diff --git a/.github/workflows/build-win.yml b/.github/workflows/build-win.yml
@@ -103,8 +103,50 @@ jobs:
           name: cryptomator-cli-win-x64
           path: ./target/cryptomator-cli
           if-no-files-found: error
-      - name: TODO Sign binaries
-        run: echo TODO
+      - name: Fix permissions
+        run: attrib -r target/cryptomator-cli/cryptomator-cli.exe
+        shell: pwsh
+      - name: Extract jars with DLLs for Codesigning
+        shell: pwsh
+        run: |
+          Add-Type -AssemblyName "System.io.compression.filesystem"
+          $jarFolder = Resolve-Path ".\target\Cryptomator-clie\app\mods"
+          $jarExtractDir = New-Item -Path ".\target\jar-extract" -ItemType Directory
+
+          #for all jars inspect
+          Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+              $jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+              if (@($jar.Entries | Where-Object {$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+                  #jars containing dlls extract
+                  Set-Location $jarExtractDir
+                  Expand-Archive -Path $_.FullName
+              }
+              $jar.Dispose()
+          }
+      - name: Codesign
+        uses: skymatic/code-sign-action@v3
+        with:
+          certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
+          password: ${{ secrets.WIN_CODESIGN_P12_PW }}
+          certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
+          description: Cryptomator
+          timestampUrl: 'http://timestamp.digicert.com'
+          folder: target
+          recursive: true
+      - name: Replace DLLs inside jars with signed ones
+        shell: pwsh
+        run: |
+          $jarExtractDir = Resolve-Path ".\target\jar-extract"
+          $jarFolder = Resolve-Path ".\target\cryptomator-cli\app\mods"
+          Get-ChildItem -Path $jarExtractDir | ForEach-Object {
+              $jarName = $_.Name
+              $jarFile = "${jarFolder}\${jarName}.jar"
+              Set-Location $_
+              Get-ChildItem -Path $_ -Recurse -File "*.dll" | ForEach-Object {
+                  # update jar with signed dll
+                  jar --file="$jarFile" --update $(Resolve-Path -Relative -Path $_)
+              }
+          }
       - name: Zip binary for release
         shell: pwsh
         run: Compress-Archive -Path .\target\cryptomator-cli -DestinationPath .\${{ env.artifact-name}}
diff --git a/dist/mac/cryptomator-cli.entitlements b/dist/mac/cryptomator-cli.entitlements
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>###APP_IDENTIFIER_PREFIX###org.cryptomator</string>
+	<key>com.apple.developer.team-identifier</key>
+	<string>###TEAM_IDENTIFIER###</string>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<!--key>com.apple.security.cs.disable-executable-page-protection</key>
+	<true/-->
+	<!--key>com.apple.security.cs.disable-library-validation</key>
+	<true/-->
+</dict>
+</plist>
