Certify mac os binary (#75)

* Add mac os signing of mac os
eclipse-esmf · May 24, 2024 · 17b1c95 · 17b1c95
1 parent 8ce4aaa
commit 17b1c95
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 51 deletions.
diff --git a/.github/workflows/pull_request_check.yml b/.github/workflows/pull_request_check.yml
@@ -91,7 +91,7 @@ jobs:
  if: matrix.os == 'windows-latest'
  uses: actions/upload-artifact@v4
  with:
- name: aspect-model-editor-vDEV-SNAPSHOT-win
+ name: ame-backend-win
  path: |
  aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-win.exe
  aspect-model-editor-runtime/target/*.dll
@@ -102,7 +102,7 @@ jobs:
  if: matrix.os == 'ubuntu-20.04'
  uses: actions/upload-artifact@v4
  with:
- name: ame-backend-${{ matrix.os }}
+ name: ame-backend-linux
  path: |
  aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-linux
  aspect-model-editor-runtime/target/*.so
@@ -111,5 +111,5 @@ jobs:
  if: matrix.os == 'macos-12'
  uses: actions/upload-artifact@v4
  with:
- name: ame-backend-${{ matrix.os }}
+ name: ame-backend-mac
  path: aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-mac
diff --git a/.github/workflows/tagged_release.yml b/.github/workflows/tagged_release.yml
@@ -8,7 +8,7 @@ on:
  required: true
 
 jobs:
- gh_tagged_release:
+ build:
  name: Create tagged release
  runs-on: ${{ matrix.os }}
  strategy:
@@ -126,29 +126,21 @@ jobs:
  aspect-model-editor-runtime/target/*.bat
  aspect-model-editor-runtime/target/lib/
 
- # Release Mac and Linux executables
- - name: Create GitHub release (Mac)
- if: ${{ (matrix.os == 'macos-12') && (!contains( github.ref, '-M' )) }}
- uses: svenstaro/upload-release-action@latest
+ - name: Upload binary (Mac)
+ if: matrix.os == 'macos-12'
+ uses: actions/upload-artifact@v4
  with:
- file_glob: true
- overwrite: true
- prerelease: false
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac
- tag: v${{ github.event.inputs.release_version }}
+ name: ame-backend-v${{ github.event.inputs.release_version }}-mac
+ path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-mac
 
- - name: Create GitHub pre-release (Mac)
- if: ${{ (matrix.os == 'macos-12') && (contains( github.ref, '-M' )) }}
- uses: svenstaro/upload-release-action@latest
+ - name: Upload binary (Linux)
+ if: matrix.os == 'ubuntu-20.04'
+ uses: actions/upload-artifact@v4
  with:
- file_glob: true
- overwrite: true
- prerelease: true
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac
- tag: v${{ github.event.inputs.release_version }}
+ name: ame-backend-v${{ github.event.inputs.release_version }}-linux
+ path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
 
+ # Release Linux executables
  - name: Create GitHub release (Linux)
  if: ${{ (matrix.os == 'ubuntu-20.04') && (!contains( github.ref, '-M' )) }}
  uses: svenstaro/upload-release-action@latest
@@ -157,7 +149,7 @@ jobs:
  overwrite: true
  prerelease: false
  repo_token: ${{ secrets.GITHUB_TOKEN }}
- file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux
+ file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
  tag: v${{ github.event.inputs.release_version }}
 
  - name: Create GitHub pre-release (Linux)
@@ -168,54 +160,56 @@ jobs:
  overwrite: true
  prerelease: true
  repo_token: ${{ secrets.GITHUB_TOKEN }}
- file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux
+ file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux
  tag: v${{ github.event.inputs.release_version }}
 
- - name: Setup Git
- run: |
- git config user.name github-actions
- git config user.email github-actions@github.com
+ release:
+ needs: build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout project
+ uses: actions/checkout@v3
 
- # Sign Windows executable
- - name: Get Artifact ID (Windows)
- if: matrix.os == 'windows-latest'
+ # Sign (Windows & Mac) executable
+ - name: Get Artifact ID (Windows & Mac)
  shell: bash
  run: |
  # Get the list of artifacts for the specified workflow run
  response=$(curl -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository_owner }}/$(echo '${{ github.repository }}' | cut -d'/' -f2)/actions/runs/${{ github.run_id }}/artifacts")
 
- # Filter out the ID of the artifact with a name that contains "windows"
- artifact_id=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id')
+ # Filter out the ID of the artifacts
+ artifact_id_win=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id')
+ artifact_id_mac=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("mac")) | .id')
 
  # Save the artifact ID in an environment variable
- echo "ARTIFACT_ID=$artifact_id" >> $GITHUB_ENV
+ echo "ARTIFACT_ID_WIN=$artifact_id_win" >> $GITHUB_ENV
+ echo "ARTIFACT_ID_MAC=$artifact_id_mac" >> $GITHUB_ENV
  env:
  TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows)
- if: matrix.os == 'windows-latest'
+ - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows & Mac)
  shell: bash
  run: |
- ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID/zip"
+ ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_WIN/zip"
+ ARTIFACT_URL_MAC="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_MAC/zip"
  BRANCH_NAME="pre_release_configuration"
 
  echo "artifact_url_win=$ARTIFACT_URL_WIN" > parameters.txt
+ echo "artifact_url_mac=$ARTIFACT_URL_MAC" >> parameters.txt
  echo "version=${{ github.event.inputs.release_version }}" >> parameters.txt
 
  git config --global user.email "github-actions@github.com"
  git config --global user.name "github-actions"
  git checkout -b $BRANCH_NAME
  git add parameters.txt
- git commit -m "Add parameters.txt with artifact_url_win and version"
+ git commit -m "Add parameters.txt with artifact_url_win, artifact_url_mac and version"
  git push origin $BRANCH_NAME
  env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
  - name: Trigger Jenkins Job, for signing executable
- if: matrix.os == 'windows-latest'
  shell: bash
  run: |
  DATA='{"repository": {"url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "html_url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "owner": { "name": "ESMF"}}, "pusher": { "name": "GitHub Action", "email": "esmf-dev@eclipse.org"}}'
  SHA1="$(echo -n "${DATA}" | openssl dgst -sha1 -hmac "${WEBHOOK_SECRET}" | sed 's/SHA1(stdin)= //')"
  curl -X POST https://ci.eclipse.org/esmf/github-webhook/ -H "Content-Type: application/json" -H "X-GitHub-Event: push" -H "X-Hub-Signature: sha1=${SHA1}" -d "${DATA}"
-
diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile
@@ -1,3 +1,5 @@
+import groovy.json.JsonSlurper;
+
 pipeline {
  agent any
 
@@ -24,7 +26,8 @@ pipeline {
  }
  }
 
- echo "Artifact URL: ${env.artifact_url_win}"
+ echo "Artifact URL Win: ${env.artifact_url_win}"
+ echo "Artifact URL Mac: ${env.artifact_url_mac}"
  echo "Version: ${env.version}"
  } else {
  echo "Error: parameters.txt does not exist."
@@ -33,37 +36,98 @@ pipeline {
  }
  }
 
- stage('Download and unpack artifact') {
+ stage('Download and unpack Windows artifact') {
  steps {
  script {
+ def winOsFile = "ame-backend-v${env.version}-win.zip"
  sh "curl -L -H 'Accept: application/vnd.github.v3+json' \
  -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \
  '${env.artifact_url_win}' \
- --output 'aspect-model-editor-v${env.version}-win.zip'"
+ --output '${winOsFile}'"
  sh "mkdir -p unpack_dir"
- sh "unzip -o aspect-model-editor-v${env.version}-win.zip -d unpack_dir"
+ sh "unzip -o ame-backend-v${env.version}-win.zip -d unpack_dir"
+ sh "rm '${winOsFile}'"
  sh "ls -a unpack_dir"
  }
  }
  }
 
- stage('Sign Applications') {
+ stage('Sign Windows Applications') {
  steps {
  script {
  sh "mkdir -p signed_dir"
  sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;"
  sh "curl -o signed_dir/ame-backend-${env.version}-win.exe -F file=@unpack_dir/ame-backend-${env.version}-win.exe https://cbi.eclipse.org/authenticode/sign"
- sh "zip -r aspect-model-editor-v${env.version}-win-signed.zip signed_dir"
+ sh "zip -r ame-backend-v${env.version}-win.zip signed_dir"
+ sh "ls -a signed_dir"
+ }
+ }
+ }
+
+ stage('Download Mac artifact') {
+ steps {
+ script {
+ def macOsFile = "ame-backend-v${env.version}-mac.zip"
+ sh "curl -L -H 'Accept: application/vnd.github.v3+json' \
+ -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \
+ '${env.artifact_url_mac}' \
+ --output '${macOsFile}'"
+ sh "unzip -o ame-backend-v${env.version}-mac.zip -d unpack_dir"
+ sh "rm '${macOsFile}'"
+ sh "ls -a unpack_dir"
+ }
+ }
+ }
+
+ stage('Sign Mac Applications') {
+ steps {
+ script {
+ sh "mkdir -p signed_dir"
+ sh "curl -o signed_dir/ame-backend-${env.version}-mac -F file=@unpack_dir/ame-backend-${env.version}-mac -F entitlements=@entitlements.plist https://cbi.eclipse.org/macos/codesign/sign"
+ sh "ls -a signed_dir"
+ }
+ }
+ }
+
+ stage('MacOS Notarization') {
+ steps {
+ script {
+ sh "zip -j ame-backend-${env.version}-mac.zip signed_dir/ame-backend-${env.version}-mac"
+
+ def macOsFile = "ame-backend-${env.version}-mac.zip"
+
+ def jsonOptions = "options={\"primaryBundleId\": \"org.eclipse.esmf\", \"staple\": true};type=application/json"
+ def response = sh(script: "curl -X POST -F file=@${macOsFile} -F '${jsonOptions}' https://cbi.eclipse.org/macos/xcrun/notarize", returnStdout: true).trim()
+
+ def jsonSlurper = new JsonSlurper()
+ def json = jsonSlurper.parseText(response)
+ String uuid = json.uuid
+
+ while (json.notarizationStatus.status == 'IN_PROGRESS') {
+ sleep(time: 1, unit: 'MINUTES')
+ response = sh(script: "curl https://cbi.eclipse.org/macos/xcrun/${uuid}/status", returnStdout: true).trim()
+ json = jsonSlurper.parseText(response)
+ }
+
+ if (json.notarizationStatus.status != 'COMPLETE') {
+ echo "Notarization failed: ${response}"
+ error("Notarization failed.")
+ }
+
+ sh "rm '${macOsFile}'"
+
+ sh "curl -JO -o ame-backend-v${env.version}-mac.zip https://cbi.eclipse.org/macos/xcrun/${uuid}/download"
  }
  }
  }
 
- stage('Release signed WINDOWS artifact to GitHub Releases') {
+ stage('Release signed Windows and Mac artifact to GitHub Releases') {
  steps {
  script {
  def repo = "eclipse-esmf/esmf-aspect-model-editor-backend"
  def tagName = "v${env.version}"
- def fileName = "aspect-model-editor-v${env.version}-win-signed.zip"
+ def fileNameWin = "ame-backend-v${env.version}-win.zip"
+ def fileNameMac = "ame-backend-v${env.version}-mac.zip"
  def releaseId = ""
 
  def tagExists = sh(script: """
@@ -99,8 +163,18 @@ pipeline {
  -H "Accept: application/vnd.github+json" \\
  -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
  -H "Content-Type: application/octet-stream" \
- --data-binary @${fileName} \
- "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileName}"
+ --data-binary @${fileNameWin} \
+ "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameWin}"
+ """
+
+ sh """
+ curl -L \
+ -X POST \
+ -H "Accept: application/vnd.github+json" \\
+ -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
+ -H "Content-Type: application/octet-stream" \
+ --data-binary @${fileNameMac} \
+ "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameMac}"
  """
 
  sh """

diff --git a/entitlements.plist b/entitlements.plist
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <!-- Allow JIT (Just In Time) compilation -->
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+
+ <!-- Allow unsigned executable memory -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+
+ <!-- Allow DYLD environment variables -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+ <true/>
+
+ <!-- Disable Library Validation -->
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+
+ <!-- Debugging entitlements (remove in production) -->
+ <key>com.apple.security.get-task-allow</key>
+ <true/>
+
+ <!-- Networking entitlements -->
+ <key>com.apple.security.network.client</key>
+ <true/>
+ <key>com.apple.security.network.server</key>
+ <true/>
+
+ <!-- File Access entitlements -->
+ <key>com.apple.security.files.user-selected.read-write</key>
+ <true/>
+ <key>com.apple.security.files.downloads.read-write</key>
+ <true/>
+ <key>com.apple.security.files.all.read-write</key>
+ <true/>
+
+ <!-- Enable audio input -->
+ <key>com.apple.security.device.audio-input</key>
+ <false/>
+
+ <!-- Enable camera input -->
+ <key>com.apple.security.device.camera</key>
+ <false/>
+
+ <!-- Access to location services -->
+ <key>com.apple.security.personal-information.location</key>
+ <false/>
+</dict>
+</plist>