Skip to content

Commit

Permalink
Add signing capability (#141)
Browse files Browse the repository at this point in the history
  • Loading branch information
@byrnHDF
byrnHDF authored Sep 3, 2024
1 parent 555cb9e commit 250d74c
Show file tree
Hide file tree
Showing 68 changed files with 1,335 additions and 141 deletions.
137 changes: 136 additions & 1 deletion .github/workflows/cmake-ctest.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,12 @@ on:
required: true
default: snapshots
secrets:
APPLE_CERTS_BASE64:
required: true
APPLE_CERTS_BASE64_PASSWD:
required: true
KEYCHAIN_PASSWD:
required: true
AZURE_TENANT_ID:
required: true
AZURE_CLIENT_ID:
Expand Down Expand Up @@ -164,8 +170,27 @@ jobs:
run: 7z x ${{ steps.set-file-base.outputs.FILE_BASE }}.zip
shell: bash

- name: Install TrustedSigning (Windows)
run: |
Invoke-WebRequest -Uri https://dist.nuget.org/win-x86-commandline/latest/nuget.exe -OutFile .\nuget.exe
.\nuget.exe install Microsoft.Windows.SDK.BuildTools -Version 10.0.22621.3233 -x
.\nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x
shell: pwsh
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}

- name: create-json
id: create-json
uses: jsdaniell/[email protected]
with:
name: "credentials.json"
dir: 'hdfsrc'
json: '{"Endpoint": "${{ secrets.AZURE_ENDPOINT }}","CodeSigningAccountName": "${{ secrets.AZURE_CODE_SIGNING_NAME }}","CertificateProfileName": "${{ secrets.AZURE_CERT_PROFILE_NAME }}"}'
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}

- name: Run ctest (Windows)
env:
BINSIGN: ${{ needs.check-secret.outputs.sign-state }}
SIGNTOOLDIR: ${{ github.workspace }}/Microsoft.Windows.SDK.BuildTools/bin/10.0.22621.0/x64
HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
run: |
cd "${{ runner.workspace }}/hdf5_plugins/${{ steps.set-file-base.outputs.SOURCE_BASE }}"
Expand Down Expand Up @@ -394,6 +419,28 @@ jobs:
- name: Install Dependencies (MacOS_latest)
run: brew install ninja

- name: Install the Apple certificate and provisioning profile
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_FILE=${{ vars.KEYCHAIN_NAME }}.keychain
# import certificate from secrets
echo $BUILD_CERTIFICATE_BASE64 | base64 --decode > $CERTIFICATE_PATH
security -v create-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
security -v list-keychain -d user -s $KEYCHAIN_FILE
security -v list-keychains
security -v set-keychain-settings -lut 21600 $KEYCHAIN_FILE
security -v unlock-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
# import certificate to keychain
security -v import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_FILE
security -v set-key-partition-list -S apple-tool:,codesign:,apple: -k $KEYCHAIN_PASSWD $KEYCHAIN_FILE
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}

- name: Set file base name (MacOS_latest)
id: set-file-base
run: |
Expand Down Expand Up @@ -465,11 +512,99 @@ jobs:
- name: Run ctest (MacOS_latest)
id: run-ctest
env:
BINSIGN: ${{ needs.check-secret.outputs.sign-state }}
SIGNER: ${{ vars.SIGNER }}
HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
run: |
cd "${{ runner.workspace }}/hdf5_plugins/${{ steps.set-file-base.outputs.SOURCE_BASE }}"
cmake --workflow --preset=${{ inputs.preset_name }}-Clang --fresh
cmake --workflow --preset=${{ inputs.preset_name }}-macos-Clang --fresh
shell: bash

- name: Sign dmg (MacOS_latest)
id: sign-dmg
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
/usr/bin/codesign --force --timestamp --options runtime --entitlements ${{ runner.workspace }}/hdf5_plugins/${{ steps.set-file-base.outputs.SOURCE_BASE }}/config/cmake/distribution.entitlements --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Check dmg timestamp (MacOS_latest)
run: |
/usr/bin/codesign -dvv ${{ runner.workspace }}/hdf5_plugins/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Verify dmg (MacOS_latest)
run: |
/usr/bin/hdiutil verify ${{ runner.workspace }}/hdf5_plugins/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Notarize dmg (MacOS_latest)
id: notarize-dmg
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
jsonout=$(/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf5_plugins/build/${{ inputs.preset_name }}-macos-Clang/*.dmg)
echo "JSONOUT=$jsonout" >> $GITHUB_OUTPUT
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Get ID token (MacOS_latest)
id: get-id-token
run: |
echo "notary result is ${{ fromJson(steps.notarize-dmg.outputs.JSONOUT) }}"
token=${{ fromJson(steps.notarize-dmg.outputs.JSONOUT).id }}
echo "ID_TOKEN=$token" >> "$GITHUB_OUTPUT"
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: post notary check (MacOS_latest)
id: post-notary
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
{
echo 'NOTARYOUT<<EOF'
/usr/bin/xcrun notarytool info --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ steps.get-id-token.outputs.ID_TOKEN }}
echo EOF
} >> $GITHUB_OUTPUT
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Get notary info (MacOS_latest)
id: get-notary-info
run: |
echo "notary info is ${{ steps.post-notary.outputs.NOTARYOUT }}."
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Staple dmg (MacOS_latest)
id: staple-dmg
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
/usr/bin/xcrun stapler staple ${{ runner.workspace }}/hdf5_plugins/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash
continue-on-error: true

- name: Publish binary (MacOS_latest)
id: publish-ctest-binary
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/daily-build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,9 @@ jobs:
# use_tag: snapshot
use_environ: snapshots
secrets:
APPLE_CERTS_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
APPLE_CERTS_BASE64_PASSWD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
Expand Down
43 changes: 35 additions & 8 deletions .github/workflows/release-files.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,50 +77,71 @@ jobs:
# Get files created by tarball script
- name: Get tgz-tarball (Linux)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: tgz-tarball
path: ${{ github.workspace }}

- name: Get zip-tarball (Windows)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: zip-tarball
path: ${{ github.workspace }}

# Get files created by cmake-ctest script
- name: Get published binary (Windows)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: zip-vs2022_cl-binary
path: ${{ github.workspace }}

- name: Get published msi binary (Windows)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: msi-vs2022_cl-binary
path: ${{ github.workspace }}

- name: Get published binary (MacOS)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: tgz-macos14_clang-binary
path: ${{ github.workspace }}

- name: Get published dmg binary (MacOS)
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: tgz-macos14_clang-dmg-binary
path: ${{ github.workspace }}

- name: Get published binary (Linux)
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: tgz-ubuntu-2204_gcc-binary
path: ${{ github.workspace }}

- name: Get published deb binary (Linux)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: deb-ubuntu-2204_gcc-binary
path: ${{ github.workspace }}

- name: Get published rpm binary (Linux)
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: rpm-ubuntu-2204_gcc-binary
path: ${{ github.workspace }}

- name: Create sha256 sums for files
run: |
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}.zip >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.dmg.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.rpm.tar.gz >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.zip >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
sha256sum ${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip >> ${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
- name: Store snapshot name
run: |
Expand All @@ -129,7 +150,7 @@ jobs:
- name: PreRelease tag
id: create_prerelease
if: ${{ (inputs.use_environ == 'snapshots') }}
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
tag_name: "${{ inputs.use_tag }}"
prerelease: true
Expand All @@ -140,14 +161,17 @@ jobs:
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.dmg.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.rpm.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.zip
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip
${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`
- name: Release tag
id: create_release
if: ${{ (inputs.use_environ == 'release') }}
uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
tag_name: "${{ inputs.use_tag }}"
prerelease: false
Expand All @@ -157,7 +181,10 @@ jobs:
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.dmg.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.rpm.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.zip
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip
${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,9 @@ jobs:
snap_name: hdf5_plugins-${{ needs.call-workflow-tarball.outputs.source_base }}
use_environ: release
secrets:
APPLE_CERTS_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
APPLE_CERTS_BASE64_PASSWD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/remove-files.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,9 @@ jobs:
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-macos14_clang.dmg.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.rpm.tar.gz
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.zip
${{ steps.get-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip
${{ steps.get-file-base.outputs.FILE_BASE }}.sha256sums.txt
1 change: 1 addition & 0 deletions .github/workflows/tarball.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ jobs:
uses: actions/[email protected]
with:
path: hdfsrc
ref: '${{needs.check_commits.outputs.branch_ref }}'

- name: Retrieve version
id: version
Expand Down
7 changes: 5 additions & 2 deletions BLOSC/config/cmake/HDFMacros.cmake
View file
Original file line number Diff line number Diff line change
Expand Up @@ -301,6 +301,7 @@ macro (PLUGIN_README_PROPERTIES pkg_name)
if (WIN32)
set (BINARY_EXAMPLE_ENDING "zip")
set (BINARY_INSTALL_ENDING "msi")
set (BINARY_COMPRESS_ENDING "zip")
if (CMAKE_CL_64)
set (BINARY_SYSTEM_NAME "win64")
else ()
Expand Down Expand Up @@ -346,20 +347,22 @@ macro (PLUGIN_README_PROPERTIES pkg_name)
elseif (${CMAKE_C_COMPILER_VERSION} MATCHES "^19.4.*")
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using VISUAL STUDIO 2022")
else ()
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using VISUAL STUDIO ???")
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using VISUAL STUDIO ????")
endif ()
else ()
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using VISUAL STUDIO ${CMAKE_C_COMPILER_VERSION}")
endif ()
endif ()
elseif (APPLE)
set (BINARY_EXAMPLE_ENDING "tar.gz")
set (BINARY_COMPRESS_ENDING "tar.gz")
set (BINARY_INSTALL_ENDING "sh") # if packaging changes - use dmg
set (BINARY_PLATFORM "${BINARY_PLATFORM} ${CMAKE_SYSTEM_VERSION} ${CMAKE_SYSTEM_PROCESSOR}")
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using ${CMAKE_C_COMPILER_ID} C ${CMAKE_C_COMPILER_VERSION}")
else ()
set (BINARY_EXAMPLE_ENDING "tar.gz")
set (BINARY_INSTALL_ENDING "sh")
set (BINARY_COMPRESS_ENDING "tar.gz")
set (BINARY_INSTALL_ENDING "sh/deb/rpm")
set (BINARY_PLATFORM "${BINARY_PLATFORM} ${CMAKE_SYSTEM_VERSION} ${CMAKE_SYSTEM_PROCESSOR}")
set (BINARY_PLATFORM "${BINARY_PLATFORM}, using ${CMAKE_C_COMPILER_ID} C ${CMAKE_C_COMPILER_VERSION}")
endif ()
Expand Down
5 changes: 5 additions & 0 deletions BLOSC/config/cmake/HDFPluginMacros.cmake
View file
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,11 @@ macro (INSTALL_SUPPORT varname)
set (CPACK_PACKAGE_INSTALL_DIRECTORY "${CPACK_PACKAGE_VENDOR}/${CPACK_PACKAGE_NAME}/${CPACK_PACKAGE_VERSION}")
endif ()

set (CPACK_EXPORT_LIBRARIES ${${PLUGIN_PACKAGE_NAME}_LIBRARIES_TO_EXPORT})
if ("$ENV{BINSIGN}" STREQUAL "exists")
set (CPACK_PRE_BUILD_SCRIPTS ${CMAKE_SOURCE_DIR}/config/cmake/SignPackageFiles.cmake)
endif ()

set (CPACK_GENERATOR "TGZ")
if (WIN32)
set (CPACK_GENERATOR "ZIP")
Expand Down
Loading

0 comments on commit 250d74c

Please sign in to comment.