
Test MacOSX signing staging service #443

Draft
wants to merge 4 commits into
base: master
7 changes: 4 additions & 3 deletions Jenkinsfile
Expand Up @@ -32,8 +32,8 @@ pipeline {
// installers. It can sometimes be necessary to run these steps, e.g.
// when troubleshooting. Set the variable below to 'true' to do so.
// We will still stop short of publishing anything.
THEIA_IDE_JENKINS_RELEASE_DRYRUN = 'false'
// THEIA_IDE_JENKINS_RELEASE_DRYRUN = 'true'
// THEIA_IDE_JENKINS_RELEASE_DRYRUN = 'false'
THEIA_IDE_JENKINS_RELEASE_DRYRUN = 'true'
msvs_version = '2019'
GYP_MSVS_VERSION = '2019'

Expand Down Expand Up @@ -293,6 +293,7 @@ spec:
// Cleanup
sh "rm -rf \"${extractedFolder}\" \"${mountPoint}\""
}
archiveArtifacts artifacts: "${distFolder}/*.dmg, ${distFolder}/*.zip", allowEmptyArchive: false
stash includes: "${toStash}", name: 'mac3'
}
}
Expand Down Expand Up @@ -489,7 +490,7 @@ def signInstaller(String ext, String os) {

// https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service
if (os == 'mac') {
url = 'https://cbi.eclipse.org/macos/codesign/sign'
url = 'https://cbi-staging.eclipse.org/macos/codesign/sign'
} else if (os == 'windows') {
url = 'https://cbi.eclipse.org/authenticode/sign'
} else {
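Review bot: The macOS branch of `signInstaller` has the staging endpoint `https://cbi-staging.eclipse.org/macos/codesign/sign` hard-coded, and the same literal is in `applications/electron/scripts/sign.sh`, so merging this draft as is would route release signing through the staging service (this assumes the `cbi-staging` lines are the new side, as the PR title suggests). Prefer one switch read in both places, for example an environment variable that defaults to the production URL, and mark the test value with a comment such as `// TEST ONLY: staging signer, do not merge`. The `archiveArtifacts` step also keeps the `.dmg` and `.zip` from a run with `THEIA_IDE_JENKINS_RELEASE_DRYRUN = 'true'`, so those archives should be clearly labelled as test builds. `signInstaller` continues past the end of the visible hunk.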
2 changes: 2 additions & 0 deletions applications/electron/package.json
Expand Up @@ -126,13 +126,15 @@
"@wdio/mocha-framework": "^6.8.0",
"@wdio/spec-reporter": "^6.8.1",
"app-builder-lib": "24.13.2",
"archiver": "^5.0.0",
"chai": "^4.3.10",
"concurrently": "^3.5.0",
"electron": "30.1.2",
"electron-builder": "24.13.2",
"electron-chromedriver": "^28.2.8",
"electron-mocha": "^12.3.0",
"electron-osx-sign": "^0.6.0",
"extract-zip": "^2.0.0",
"js-yaml": "^3.12.0",
"mocha": "^8.2.1",
"rimraf": "^2.7.1",
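Review bot: `archiver` and `extract-zip` use caret ranges (`^5.0.0`, `^2.0.0`) although they handle the application bundle on its way to and from the signing service, while the neighbouring build tools `app-builder-lib`, `electron-builder` and `electron` are pinned to exact versions. Pin these two to the exact versions recorded in the lockfile so that the code touching the artefact before signing cannot change without a reviewed commit. That these are the two added lines is inferred from the new `require` calls in `after-pack.js`, because the page has lost the `+` markers.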
83 changes: 58 additions & 25 deletions applications/electron/scripts/after-pack.js
Expand Up @@ -5,7 +5,8 @@ const path = require('path');
const util = require('util');
const child_process = require('child_process');
const rimraf = require('rimraf');
const sign_util = require('electron-osx-sign/util');
const archiver = require('archiver');
const extract = require('extract-zip');
const asyncRimraf = util.promisify(rimraf);

const DELETE_PATHS = [
Expand Down Expand Up @@ -39,6 +40,25 @@ const signFile = file => {
}
};

async function zipDirectory(source, out) {
const archive = archiver('zip', { zlib: { level: 9 } });
const stream = fs.createWriteStream(out);

return new Promise((resolve, reject) => {
archive
.directory(source, false)
.on('error', err => reject(err))
.pipe(stream);

stream.on('close', () => resolve());
archive.finalize();
});
}

async function unzipFile(zipPath, destination) {
return extract(zipPath, { dir: destination });
}

exports.default = async function (context) {
await afterPackHook(context);
const running_ci = process.env.THEIA_IDE_JENKINS_CI === 'true';
Expand All @@ -65,31 +85,44 @@ exports.default = async function (context) {
return;
}

// Use app-builder-lib to find all binaries to sign, at this level it will include the final .app
let childPaths = await sign_util.walkAsync(context.appOutDir);

// Sign deepest first
// From https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/electron-osx-sign/sign.js#L120
childPaths = childPaths.sort((a, b) => {
const aDepth = a.split(path.sep).length;
const bDepth = b.split(path.sep).length;
return bDepth - aDepth;
});

// Sign binaries
childPaths.forEach(file => signFile(file, context.appOutDir));
// Create a zip of the contents at context.appOutDir
const zipPath = path.resolve(context.appOutDir, '..', 'app-to-be-signed.zip');
// const signedZipPath = path.resolve(context.appOutDir, '..', 'signed-app-to-be-signed.zip');
console.log(`Creating zip of ${context.appOutDir} at ${zipPath}...`);
await zipDirectory(context.appOutDir, zipPath);

// Notarize app
child_process.spawnSync(notarizeCommand, [
path.basename(appPath),
context.packager.appInfo.info._configuration.appId
], {
cwd: path.dirname(appPath),
maxBuffer: 1024 * 10000,
env: process.env,
stdio: 'inherit',
encoding: 'utf-8'
});
try {
// Send the zip file to the signing service
console.log('Sending zip file to signing service via sign.sh...');
signFile(zipPath);

console.log(`Expecting signed zip at ${zipPath}...`);

// Replace the contents of context.appOutDir with the signed result
console.log(`Unzipping signed contents from ${zipPath} to ${context.appOutDir}...`);
await asyncRimraf(context.appOutDir); // Clean the output directory
await unzipFile(zipPath, context.appOutDir);

// Notarize app
console.log('Proceeding with notarization...');
child_process.spawnSync(notarizeCommand, [
path.basename(appPath),
context.packager.appInfo.info._configuration.appId
], {
cwd: path.dirname(appPath),
maxBuffer: 1024 * 10000,
env: process.env,
stdio: 'inherit',
encoding: 'utf-8'
});

console.log('Signing and notarization complete.');
} finally {
// Clean up intermediate zip files
console.log('Cleaning up intermediate files...');
await asyncRimraf(zipPath);
console.log('...cleanup done');
}
};

// taken and modified from: https://github.com/gergof/electron-builder-sandbox-fix/blob/a2251d7d8f22be807d2142da0cf768c78d4cfb0a/lib/index.js
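Review bot: Nothing between `signFile(zipPath)` and `await asyncRimraf(context.appOutDir)` confirms that the archive at `zipPath` was replaced by a signed one, so a failed remote signing step either unpacks the unsigned zip back into place or, if extraction throws, leaves the output directory deleted. Unpack into a scratch directory, verify the bundle signature there, and only then swap it in; the fence sketches this and assumes the `.app` sits directly under `context.appOutDir` and that `codesign` is available on the agent. The notarization `spawnSync` result is never inspected either, so `Signing and notarization complete.` is logged even on a non-zero exit; check `.status` first. `zipDirectory` should also reject on the write stream's `error` event, otherwise a failed write leaves the promise pending. The bodies of `signFile` and `exports.default` start outside the visible hunks, so whether `signFile` already throws on failure cannot be confirmed here.

```javascript
// … unchanged: zipDirectory(context.appOutDir, zipPath) …
const verifyDir = path.resolve(context.appOutDir, '..', 'signed-app-verify');
try {
    signFile(zipPath);

    // Unpack beside the output first, so a failed or unsigned response never replaces the build.
    await asyncRimraf(verifyDir);
    await unzipFile(zipPath, verifyDir);
    const verify = child_process.spawnSync(
        'codesign',
        ['--verify', '--deep', '--strict', path.join(verifyDir, path.basename(appPath))],
        { stdio: 'inherit' }
    );
    if (verify.status !== 0) {
        throw new Error(`Signature verification failed for archive returned at ${zipPath}`);
    }

    await asyncRimraf(context.appOutDir);
    await fs.promises.rename(verifyDir, context.appOutDir);

    // … unchanged: notarization spawnSync; check its .status before logging success …
} finally {
    // … unchanged: cleanup of zipPath …
    await asyncRimraf(verifyDir);
}
```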
2 changes: 1 addition & 1 deletion applications/electron/scripts/sign.sh
Expand Up @@ -24,7 +24,7 @@ REMOTE_NAME=${INPUT##*/}

# sign over ssh
# https://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service
ssh -q [email protected] curl -f -o "\"signed-${REMOTE_NAME}\"" -F file=@"\"${REMOTE_NAME}\"" -F [email protected] https://cbi.eclipse.org/macos/codesign/sign
ssh -q [email protected] curl -f -o "\"signed-${REMOTE_NAME}\"" -F file=@"\"${REMOTE_NAME}\"" -F [email protected] https://cbi-staging.eclipse.org/macos/codesign/sign

# copy signed file back from server
scp -T -p [email protected]:"\"./signed-${REMOTE_NAME}\"" "${INPUT}"