Merge pull request #6361 from ripcurlx/remove-binary-signing

Not use platform specific binary signing and notarization
This commit is contained in:
Christoph Atteneder 2022-09-20 09:26:57 +02:00 committed by GitHub
commit 854c6218b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 181 deletions

View File

@ -1,7 +1,6 @@
import java.time.LocalDateTime
import org.apache.tools.ant.taskdefs.condition.Os
import static groovy.io.FileType.*
import java.time.LocalDateTime
task jpackageSanityChecks {
description 'Interactive sanity checks on the version of the code that will be packaged'
@ -151,15 +150,6 @@ task packageInstallers {
)
executeCmd(jPackageFilePath + commonOpts + windowsOpts + " --type exe")
// Set the necessary permissions before calling signtool
executeCmd("\"attrib -R \"${binariesFolderPath}/Bisq-${appVersion}.exe\"\"")
// In addition to the groovy quotes around the string, the entire Windows command must also be surrounded
// by quotes, plus each path inside the command has to be quoted as well
// Reason for this is that the path to the called executable contains spaces
// See https://stackoverflow.com/questions/6376113/how-do-i-use-spaces-in-the-command-prompt/6378038#6378038
executeCmd("\"\"C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\signtool.exe\" sign /v /fd SHA256 /a \"${binariesFolderPath}/Bisq-${appVersion}.exe\"\"")
} else if (Os.isFamily(Os.FAMILY_MAC)) {
// See https://docs.oracle.com/en/java/javase/14/jpackage/override-jpackage-resources.html
// for details of "--resource-dir"
@ -168,160 +158,7 @@ task packageInstallers {
" --resource-dir \"${project(':desktop').projectDir}/package/macosx\""
)
// Env variable can be set by calling "export BISQ_PACKAGE_SIGNING_IDENTITY='Some value'"
// See "man codesign" for details about the expected signing identity
String envVariableSigningID = "$System.env.BISQ_PACKAGE_SIGNING_IDENTITY"
println "Environment variable BISQ_PACKAGE_SIGNING_IDENTITY is: ${envVariableSigningID}"
ant.input(message: "Sign the app using the above signing identity? (y=yes, n=no)",
addproperty: "macos-sign-check",
validargs: "y,n")
if (ant.properties['macos-sign-check'] == 'y') {
// Create a temp folder to extract the macos-specific dylibs that need to be signed
File tempDylibFolderPath = new File(tempRootDir, "dylibs-to-sign")
tempDylibFolderPath.mkdirs()
// Dylibs relevant for signing (paths relative to the tempDylibFolderPath)
String dylibsToSign = new String(
" libjavafx_iio.dylib" +
" libglass.dylib" +
" libjavafx_font.dylib" +
" libprism_common.dylib" +
" libprism_es2.dylib" +
" libdecora_sse.dylib" +
" libprism_sw.dylib" +
" META-INF/native/libio_grpc_netty_shaded_netty_tcnative_osx_x86_64.jnilib"
)
// macOS step 1: Sign dylibs and replace them in the shadow jar
// Extract dylibss for signing
executeCmd("cd ${tempDylibFolderPath} &&" +
" jar xf ${fatJarFolderPath}/${mainJarName}" +
dylibsToSign)
// Sign them
executeCmd("cd ${tempDylibFolderPath} &&" +
" codesign -vvv --options runtime --deep --force --sign \"${envVariableSigningID}\"" +
dylibsToSign)
// Verify signature
executeCmd("cd ${tempDylibFolderPath} &&" +
" codesign -vvv --deep --strict " + dylibsToSign)
// Replace unsigned files in jar file
executeCmd("cd ${tempDylibFolderPath} &&" +
" jar uf ${fatJarFolderPath}/${mainJarName}" +
dylibsToSign)
// macOS step 2: Build app-image using the shadow jar above (containing signed dylibs)
// NOTE: licensing file cannot be added at this point only when creating the dmg later
executeCmd(jPackageFilePath +
commonOpts +
macOpts +
" --type app-image")
// macOS step 3: Sign app (hardened runtime)
File bisqAppImageFullPath = new File(binariesFolderPath, "Bisq.app")
executeCmd("codesign" +
" --sign \"${envVariableSigningID}\"" +
" --options runtime" +
" --entitlements '${project(':desktop').projectDir}/package/macosx/macos.entitlements'" +
" --force" +
" --verbose" +
" ${bisqAppImageFullPath}/Contents/runtime/Contents/MacOS/libjli.dylib")
executeCmd("codesign" +
" --sign \"${envVariableSigningID}\"" +
" --options runtime" +
" --entitlements '${project(':desktop').projectDir}/package/macosx/macos.entitlements'" +
" --force" +
" --verbose" +
" ${bisqAppImageFullPath}/Contents/MacOS/Bisq")
executeCmd("codesign" +
" --sign \"${envVariableSigningID}\"" +
" --options runtime" +
" --entitlements '${project(':desktop').projectDir}/package/macosx/macos.entitlements'" +
" --force" +
" --verbose" +
" ${bisqAppImageFullPath}")
// macOS step 4: Package the app-image into a dmg bundle
executeCmd(jPackageFilePath +
" --dest \"${binariesFolderPath}\"" +
" --name ${appNameAndVendor}" +
" --description \"${appDescription}\"" +
" --app-version ${appVersion}" +
" --copyright \"${appCopyright}\"" +
" --vendor ${appNameAndVendor}" +
" --temp \"${jpackageTempDir}\"" +
" --app-image ${bisqAppImageFullPath}" +
" --mac-sign" +
macOpts +
" --type dmg")
// macOS step 5: Delete unused app image
delete(bisqAppImageFullPath)
// macOS step 6: Sign dmg bundle
executeCmd("codesign" +
" --sign \"${envVariableSigningID}\"" +
" --options runtime" +
" --entitlements '${project(':desktop').projectDir}/package/macosx/macos.entitlements'" +
" -vvvv" +
" --deep" +
" '${binariesFolderPath}/Bisq-${appVersion}.dmg'")
// macOS step 7: Upload for notarization
// See https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734
String envVariableAcUsername = "$System.env.BISQ_PACKAGE_NOTARIZATION_AC_USERNAME"
String envVariableAscProvider = "$System.env.BISQ_PACKAGE_NOTARIZATION_ASC_PROVIDER"
// e.g. network.bisq.CAT is used when binaries are built by @ripcurlx
String envVariablePrimaryBundleId = "$System.env.BISQ_PRIMARY_BUNDLE_ID"
def uploadForNotarizationOutput = executeCmd("xcrun altool --notarize-app" +
" --primary-bundle-id '${envVariablePrimaryBundleId}'" +
" --username '${envVariableAcUsername}'" +
" --password '@keychain:AC_PASSWORD'" +
" --asc-provider '${envVariableAscProvider}'" +
" --file '${binariesFolderPath}/Bisq-${appVersion}.dmg'")
// Response:
// No errors uploading '[PATH_TO_BISQ_REPO]/bisq/desktop/build/temp-620637000/binaries/Bisq-1.1.1.dmg'.
// RequestUUID = ea8bba77-97b7-4c15-a53f-8bbccf627190
def requestUUID = uploadForNotarizationOutput.split('RequestUUID = ')[1].trim()
println "Extracted RequestUUID: " + requestUUID
// Every 1 minute, check the status
def notarizationEndedInSuccess = false
def notarizationEndedInFailure = false
while (!(notarizationEndedInSuccess || notarizationEndedInFailure)) {
println "Current time is:"
executeCmd('date')
println "Waiting for 1 minute..."
sleep(1 * 60 * 1000)
println "Checking notarization status"
def checkNotarizationStatusOutput = executeCmd("xcrun altool --notarization-info" +
" '${requestUUID}'" +
" --username '${envVariableAcUsername}'" +
" --password '@keychain:AC_PASSWORD'")
notarizationEndedInSuccess = checkNotarizationStatusOutput.contains('success')
notarizationEndedInFailure = checkNotarizationStatusOutput.contains('invalid')
}
if (notarizationEndedInFailure) {
ant.fail('Notarization failed, aborting')
}
if (notarizationEndedInSuccess) {
println "Notarization was successful"
// macOS step 8: Staple ticket on dmg
executeCmd("xcrun stapler staple" +
" '${binariesFolderPath}/Bisq-${appVersion}.dmg'")
}
} else {
// If user didn't confirm the optional signing step, then generate a plain non-signed dmg
executeCmd(jPackageFilePath + commonOpts + macOpts + " --type dmg")
}
} else {
String linuxOpts = new String(
" --icon ${project(':desktop').projectDir}/package/linux/icon.png" +

View File

@ -85,9 +85,6 @@ Use VirtualBox > 6.1 with following configuration:
#### macOS
To be able to generate a signed and notarized binary you have to have an Apple developer account and create the required
certificate and provisioning file before running the build.
1. Make sure all version numbers are updated (update version variables and
run [replace_version_number.sh](https://github.com/bisq-network/bisq/blob/master/desktop/package/macosx/replace_version_number.sh))
.
@ -96,16 +93,12 @@ certificate and provisioning file before running the build.
* `BISQ_GPG_USER`: e.g. export BISQ_GPG_USER=manfred@bitsquare.io
* `BISQ_SHARED_FOLDER`: shared folder that is used between your VM host and client system
* `BISQ_PACKAGE_SIGNING_IDENTITY`: e.g. "Developer ID Application: Christoph Atteneder (WQT93T6D6C)"
* `BISQ_PRIMARY_BUNDLE_ID`: e.g. "network.bisq.CAT"
* `BISQ_PACKAGE_NOTARIZATION_AC_USERNAME`: your Apple developer email address
* `BISQ_PACKAGE_NOTARIZATION_ASC_PROVIDER`: Your developer ID (e.g. WQT93T6D6C)
3. Run `./gradlew packageInstallers`
Build output expected in shared folder:
1. `Bisq-${NEW_VERSION}.dmg` macOS notarized and signed installer
1. `Bisq-${NEW_VERSION}.dmg` macOS installer
2. `desktop-${NEW_VERSION}-all-mac.jar.SHA-256` sha256 sum of fat jar
3. `jar-lib-for-raspberry-pi-${NEW_VERSION}.zip` Jar libraries for Raspberry Pi
@ -131,8 +124,6 @@ Build output expected:
#### Windows
To be able to generate a signed binary you have to apply and install a developer certificate before running the build.
1. Checkout the release tag in your VM
2. Set environment variables to ~/.profile file or the like... (one time effort)
@ -142,7 +133,7 @@ To be able to generate a signed binary you have to apply and install a developer
Build output expected:
1. `Bisq-${NEW_VERSION}.exe` Windows signed installer
1. `Bisq-${NEW_VERSION}.exe` Windows installer
2. `desktop-${NEW_VERSION}-all-windows.jar.SHA-256` sha256 sum of fat jar
* Install and run generated package
@ -166,11 +157,11 @@ Build output expected:
11. `Bisq-64bit-${NEW_VERSION}.exe` Windows installer
12. `Bisq-64bit-${NEW_VERSION}.exe.asc` Signature for Windows installer
* Run a AV scan over all files on the Windows VM where the files got copied over.
* Run an AV scan over all files on the Windows VM where the files got copied over.
### Final test
* Make at least one mainnet test trade with some exotic currency to not interfere with real traders.
* Make at least one Mainnet test trade with some exotic currency to not interfere with real traders.
### Tag and push release to master
@ -242,7 +233,4 @@ If all was successful:
* Optionally reddit /r/Bisq
* Notify @freimair so that he can start
updating [the Arch User Repository](https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=bisq-git)
* Celebrate