Certify mac os binary (#75)

* Add mac os signing of mac os

Author: michelu89

.github/workflows/pull_request_check.yml

@@ -91,7 +91,7 @@ jobs:
         if: matrix.os == 'windows-latest'
         uses: actions/upload-artifact@v4
         with:
-          name: aspect-model-editor-vDEV-SNAPSHOT-win
+          name: ame-backend-win
           path: |
             aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-win.exe
             aspect-model-editor-runtime/target/*.dll
@@ -102,7 +102,7 @@ jobs:
         if: matrix.os == 'ubuntu-20.04'
         uses: actions/upload-artifact@v4
         with:
-          name: ame-backend-${{ matrix.os }}
+          name: ame-backend-linux
           path: |
             aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-linux
             aspect-model-editor-runtime/target/*.so
@@ -111,5 +111,5 @@ jobs:
         if: matrix.os == 'macos-12'
         uses: actions/upload-artifact@v4
         with:
-          name: ame-backend-${{ matrix.os }}
+          name: ame-backend-mac
           path: aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-mac

.github/workflows/tagged_release.yml

@@ -8,7 +8,7 @@ on:
         required: true
 
 jobs:
-  gh_tagged_release:
+  build:
     name: Create tagged release
     runs-on: ${{ matrix.os }}
     strategy:
@@ -126,29 +126,21 @@ jobs:
             aspect-model-editor-runtime/target/*.bat
             aspect-model-editor-runtime/target/lib/
 
-      # Release Mac and Linux executables
-      - name: Create GitHub release (Mac)
-        if: ${{ (matrix.os == 'macos-12') &&  (!contains( github.ref, '-M' )) }}
-        uses: svenstaro/upload-release-action@latest
+      - name: Upload binary (Mac)
+        if: matrix.os == 'macos-12'
+        uses: actions/upload-artifact@v4
         with:
-          file_glob: true
-          overwrite: true
-          prerelease: false
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac
-          tag: v${{ github.event.inputs.release_version }}
+          name: ame-backend-v${{ github.event.inputs.release_version }}-mac
+          path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-mac
 
-      - name: Create GitHub pre-release (Mac)
-        if: ${{ (matrix.os == 'macos-12') &&  (contains( github.ref, '-M' )) }}
-        uses: svenstaro/upload-release-action@latest
+      - name: Upload binary (Linux)
+        if: matrix.os == 'ubuntu-20.04'
+        uses: actions/upload-artifact@v4
         with:
-          file_glob: true
-          overwrite: true
-          prerelease: true
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac
-          tag: v${{ github.event.inputs.release_version }}
+          name: ame-backend-v${{ github.event.inputs.release_version }}-linux
+          path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
 
+      # Release Linux executables
       - name: Create GitHub release (Linux)
         if: ${{ (matrix.os == 'ubuntu-20.04') &&  (!contains( github.ref, '-M' )) }}
         uses: svenstaro/upload-release-action@latest
@@ -157,7 +149,7 @@ jobs:
           overwrite: true
           prerelease: false
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux
+          file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
           tag: v${{ github.event.inputs.release_version }}
 
       - name: Create GitHub pre-release (Linux)
@@ -168,54 +160,56 @@ jobs:
           overwrite: true
           prerelease: true
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux
+          file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
           tag: v${{ github.event.inputs.release_version }}
 
-      - name: Setup Git
-        run: |
-          git config user.name github-actions
-          git config user.email [email protected]
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@v3
 
-      # Sign Windows executable
-      - name: Get Artifact ID (Windows)
-        if: matrix.os == 'windows-latest'
+      # Sign (Windows & Mac) executable
+      - name: Get Artifact ID (Windows & Mac)
         shell: bash
         run: |
           # Get the list of artifacts for the specified workflow run
           response=$(curl -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository_owner }}/$(echo '${{ github.repository }}' | cut -d'/' -f2)/actions/runs/${{ github.run_id }}/artifacts")
 
-          # Filter out the ID of the artifact with a name that contains "windows"
-          artifact_id=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id')
+          # Filter out the ID of the artifacts
+          artifact_id_win=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id')
+          artifact_id_mac=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("mac")) | .id')
 
           # Save the artifact ID in an environment variable
-          echo "ARTIFACT_ID=$artifact_id" >> $GITHUB_ENV
+          echo "ARTIFACT_ID_WIN=$artifact_id_win" >> $GITHUB_ENV
+          echo "ARTIFACT_ID_MAC=$artifact_id_mac" >> $GITHUB_ENV
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows)
-        if: matrix.os == 'windows-latest'
+      - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows & Mac)
         shell: bash
         run: |
-          ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID/zip"
+          ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_WIN/zip"
+          ARTIFACT_URL_MAC="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_MAC/zip"
           BRANCH_NAME="pre_release_configuration"
 
           echo "artifact_url_win=$ARTIFACT_URL_WIN" > parameters.txt
+          echo "artifact_url_mac=$ARTIFACT_URL_MAC" >> parameters.txt
           echo "version=${{ github.event.inputs.release_version }}" >> parameters.txt
 
           git config --global user.email "[email protected]"
           git config --global user.name "github-actions"
           git checkout -b $BRANCH_NAME
           git add parameters.txt
-          git commit -m "Add parameters.txt with artifact_url_win and version"
+          git commit -m "Add parameters.txt with artifact_url_win, artifact_url_mac and version"
           git push origin $BRANCH_NAME
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Trigger Jenkins Job, for signing executable
-        if: matrix.os == 'windows-latest'
         shell: bash
         run: |
           DATA='{"repository": {"url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "html_url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "owner": { "name": "ESMF"}}, "pusher": { "name": "GitHub Action", "email": "[email protected]"}}'
           SHA1="$(echo -n "${DATA}" | openssl dgst -sha1 -hmac "${WEBHOOK_SECRET}" | sed 's/SHA1(stdin)= //')"
           curl -X POST https://ci.eclipse.org/esmf/github-webhook/ -H "Content-Type: application/json" -H "X-GitHub-Event: push" -H "X-Hub-Signature: sha1=${SHA1}" -d "${DATA}"
-

.jenkins/Jenkinsfile

@@ -1,3 +1,5 @@
+import groovy.json.JsonSlurper;
+
 pipeline {
     agent any
 
@@ -24,7 +26,8 @@ pipeline {
                             }
                         }
 
-                        echo "Artifact URL: ${env.artifact_url_win}"
+                        echo "Artifact URL Win: ${env.artifact_url_win}"
+                        echo "Artifact URL Mac: ${env.artifact_url_mac}"
                         echo "Version: ${env.version}"
                     } else {
                         echo "Error: parameters.txt does not exist."
@@ -33,37 +36,98 @@ pipeline {
             }
         }
 
-        stage('Download and unpack artifact') {
+        stage('Download and unpack Windows artifact') {
             steps {
                 script {
+                    def winOsFile = "ame-backend-v${env.version}-win.zip"
                     sh "curl -L -H 'Accept: application/vnd.github.v3+json' \
                         -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \
                         '${env.artifact_url_win}' \
-                        --output 'aspect-model-editor-v${env.version}-win.zip'"
+                        --output '${winOsFile}'"
                     sh "mkdir -p unpack_dir"
-                    sh "unzip -o aspect-model-editor-v${env.version}-win.zip -d unpack_dir"
+                    sh "unzip -o ame-backend-v${env.version}-win.zip -d unpack_dir"
+                    sh "rm '${winOsFile}'"
                     sh "ls -a unpack_dir"
                 }
             }
         }
 
-        stage('Sign Applications') {
+        stage('Sign Windows Applications') {
             steps {
                 script {
                     sh "mkdir -p signed_dir"
                     sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;"
                     sh "curl -o signed_dir/ame-backend-${env.version}-win.exe -F file=@unpack_dir/ame-backend-${env.version}-win.exe https://cbi.eclipse.org/authenticode/sign"
-                    sh "zip -r aspect-model-editor-v${env.version}-win-signed.zip signed_dir"
+                    sh "zip -r ame-backend-v${env.version}-win.zip signed_dir"
+                    sh "ls -a signed_dir"
+                }
+            }
+        }
+
+        stage('Download Mac artifact') {
+            steps {
+                script {
+                    def macOsFile = "ame-backend-v${env.version}-mac.zip"
+                    sh "curl -L -H 'Accept: application/vnd.github.v3+json' \
+                        -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \
+                        '${env.artifact_url_mac}' \
+                        --output '${macOsFile}'"
+                    sh "unzip -o ame-backend-v${env.version}-mac.zip -d unpack_dir"
+                    sh "rm '${macOsFile}'"
+                    sh "ls -a unpack_dir"
+                }
+            }
+        }
+
+        stage('Sign Mac Applications') {
+            steps {
+                script {
+                    sh "mkdir -p signed_dir"
+                    sh "curl -o signed_dir/ame-backend-${env.version}-mac -F file=@unpack_dir/ame-backend-${env.version}-mac -F [email protected] https://cbi.eclipse.org/macos/codesign/sign"
+                    sh "ls -a signed_dir"
+                }
+            }
+        }
+
+        stage('MacOS Notarization') {
+            steps {
+                script {
+                    sh "zip -j ame-backend-${env.version}-mac.zip signed_dir/ame-backend-${env.version}-mac"
+
+                    def macOsFile = "ame-backend-${env.version}-mac.zip"
+
+                    def jsonOptions = "options={\"primaryBundleId\": \"org.eclipse.esmf\", \"staple\": true};type=application/json"
+                    def response = sh(script: "curl -X POST -F file=@${macOsFile} -F '${jsonOptions}' https://cbi.eclipse.org/macos/xcrun/notarize", returnStdout: true).trim()
+
+                    def jsonSlurper = new JsonSlurper()
+                    def json = jsonSlurper.parseText(response)
+                    String uuid = json.uuid
+
+                    while (json.notarizationStatus.status == 'IN_PROGRESS') {
+                        sleep(time: 1, unit: 'MINUTES')
+                        response = sh(script: "curl https://cbi.eclipse.org/macos/xcrun/${uuid}/status", returnStdout: true).trim()
+                        json = jsonSlurper.parseText(response)
+                    }
+
+                    if (json.notarizationStatus.status != 'COMPLETE') {
+                        echo "Notarization failed: ${response}"
+                        error("Notarization failed.")
+                    }
+
+                    sh "rm '${macOsFile}'"
+
+                    sh "curl -JO -o ame-backend-v${env.version}-mac.zip https://cbi.eclipse.org/macos/xcrun/${uuid}/download"
                 }
             }
         }
 
-        stage('Release signed WINDOWS artifact to GitHub Releases') {
+        stage('Release signed Windows and Mac artifact to GitHub Releases') {
             steps {
                 script {
                     def repo = "eclipse-esmf/esmf-aspect-model-editor-backend"
                     def tagName = "v${env.version}"
-                    def fileName = "aspect-model-editor-v${env.version}-win-signed.zip"
+                    def fileNameWin = "ame-backend-v${env.version}-win.zip"
+                    def fileNameMac = "ame-backend-v${env.version}-mac.zip"
                     def releaseId = ""
 
                     def tagExists = sh(script: """
@@ -99,8 +163,18 @@ pipeline {
                          -H "Accept: application/vnd.github+json" \\
                          -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
                          -H "Content-Type: application/octet-stream" \
-                         --data-binary @${fileName} \
-                         "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileName}"
+                         --data-binary @${fileNameWin} \
+                         "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameWin}"
+                    """
+
+                    sh """
+                    curl -L \
+                         -X POST \
+                         -H "Accept: application/vnd.github+json" \\
+                         -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
+                         -H "Content-Type: application/octet-stream" \
+                         --data-binary @${fileNameMac} \
+                         "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameMac}"
                     """
 
                     sh """

entitlements.plist

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Allow JIT (Just In Time) compilation -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <!-- Allow unsigned executable memory -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+    <!-- Allow DYLD environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+
+    <!-- Disable Library Validation -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+
+    <!-- Debugging entitlements (remove in production) -->
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+
+    <!-- Networking entitlements -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+
+    <!-- File Access entitlements -->
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+    <key>com.apple.security.files.downloads.read-write</key>
+    <true/>
+    <key>com.apple.security.files.all.read-write</key>
+    <true/>
+
+    <!-- Enable audio input -->
+    <key>com.apple.security.device.audio-input</key>
+    <false/>
+
+    <!-- Enable camera input -->
+    <key>com.apple.security.device.camera</key>
+    <false/>
+
+    <!-- Access to location services -->
+    <key>com.apple.security.personal-information.location</key>
+    <false/>
+</dict>
+</plist>