forked from msysgit/git
-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request git-for-windows#514 from ldennington/sign-macos
Sign and notarize macOS binaries
- Loading branch information
Showing
11 changed files
with
682 additions
and
197 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
SHELL := /bin/bash | ||
SUDO := sudo | ||
C_INCLUDE_PATH := /usr/include | ||
CPLUS_INCLUDE_PATH := /usr/include | ||
LD_LIBRARY_PATH := /usr/lib | ||
|
||
OSX_VERSION := $(shell sw_vers -productVersion) | ||
TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION) | ||
|
||
ARCH := x86_64 | ||
ARCH_CODE := x86_64 | ||
ARCH_FLAGS_x86_64 := -arch x86_64 | ||
|
||
CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE}) | ||
LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE}) | ||
|
||
PREFIX := /usr/local | ||
GIT_PREFIX := $(PREFIX)/git | ||
|
||
BUILD_CODE := intel-$(ARCH_CODE) | ||
BUILD_DIR := $(GITHUB_WORKSPACE)/payload | ||
DESTDIR := $(PWD)/stage/git-$(BUILD_CODE)-$(VERSION) | ||
ARTIFACTDIR := build_artifacts | ||
SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) GIT_BUILT_FROM_COMMIT="$(GIT_BUILT_FROM_COMMIT)" DESTDIR=$(DESTDIR) | ||
CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'") | ||
|
||
.PHONY: image pkg payload | ||
|
||
.SECONDARY: | ||
|
||
$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE): | ||
rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed* | ||
mkdir -p $(DESTDIR)$(GIT_PREFIX) | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain: | ||
cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall" | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-built: | ||
[ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok | ||
cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain | ||
cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install | ||
cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain | ||
mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion | ||
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ | ||
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ | ||
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ | ||
# This is needed for Git-Gui, GitK | ||
mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl | ||
[ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin | ||
mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man | ||
cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree: | ||
cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1 | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree | ||
mkdir -p $(DESTDIR) | ||
cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin | ||
mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc | ||
cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig | ||
cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh | ||
sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude" | ||
|
||
symlinks: | ||
mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin | ||
cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \; | ||
for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done | ||
ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR) | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree | ||
find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \; | ||
find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \; | ||
touch $@ | ||
|
||
$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE): $(BUILD_DIR)/git-$(VERSION)/osx-built | ||
ifeq ("$(ARCH_CODE)", "universal") | ||
File $(BUILD_DIR)/git-$(VERSION)/git | ||
File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | ||
else | ||
[ "$$(File $(BUILD_DIR)/git-$(VERSION)/git | cut -f 5 -d' ')" == "$(ARCH_CODE)" ] | ||
[ "$$(File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | cut -f 5 -d' ')" == "$(ARCH_CODE)" ] | ||
endif | ||
touch $@ | ||
|
||
disk-image/VERSION-$(VERSION)-$(ARCH_CODE): | ||
rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store | ||
mkdir disk-image | ||
touch "$@" | ||
|
||
disk-image/git-$(VERSION)-$(BUILD_CODE).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_CODE) symlinks | ||
pkgbuild --identifier com.git.pkg --version $(VERSION) --root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts --install-location $(PREFIX) --component-plist ./assets/git-components.plist disk-image/git-$(VERSION)-$(BUILD_CODE).pkg | ||
|
||
git-%-$(BUILD_CODE).dmg: | ||
hdiutil create git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) Intel $(ARCH)" -ov | ||
hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg | ||
rm -f git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg | ||
|
||
payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE) | ||
|
||
pkg: disk-image/git-$(VERSION)-$(BUILD_CODE).pkg | ||
|
||
image: git-$(VERSION)-$(BUILD_CODE).dmg |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
[credential] | ||
helper = osxkeychain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<array> | ||
<dict> | ||
<key>BundleHasStrictIdentifier</key> | ||
<true/> | ||
<key>BundleIsRelocatable</key> | ||
<false/> | ||
<key>BundleIsVersionChecked</key> | ||
<true/> | ||
<key>BundleOverwriteAction</key> | ||
<string>upgrade</string> | ||
<key>RootRelativeBundlePath</key> | ||
<string>git/share/git-gui/lib/Git Gui.app</string> | ||
</dict> | ||
</array> | ||
</plist> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
#!/bin/bash | ||
INSTALL_DST="$2" | ||
SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar" | ||
SCALAR_DOTNET_CMD="/usr/local/scalar/scalar" | ||
SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh" | ||
|
||
function cleanupScalar() | ||
{ | ||
echo "checking whether Scalar was installed" | ||
if [ ! -f "$SCALAR_C_CMD" ]; then | ||
echo "Scalar not installed; exiting..." | ||
return 0 | ||
fi | ||
echo "Scalar is installed!" | ||
|
||
echo "looking for Scalar.NET" | ||
if [ ! -f "$SCALAR_DOTNET_CMD" ]; then | ||
echo "Scalar.NET not found; exiting..." | ||
return 0 | ||
fi | ||
echo "Scalar.NET found!" | ||
|
||
currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }') | ||
|
||
# Re-register Scalar.NET repositories with the newly-installed Scalar | ||
for repo in $($SCALAR_DOTNET_CMD list); do | ||
( | ||
PATH="$INSTALL_DST/git/bin:$PATH" | ||
sudo -u "$currentUser" scalar register $repo || \ | ||
echo "warning: skipping re-registration of $repo" | ||
) | ||
done | ||
|
||
# Uninstall Scalar.NET | ||
echo "removing Scalar.NET" | ||
|
||
# Add /usr/local/bin to path - default install location of Homebrew | ||
PATH="/usr/local/bin:$PATH" | ||
if (sudo -u "$currentUser" brew list --cask scalar); then | ||
# Remove from Homebrew | ||
sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?" | ||
echo "Scalar.NET uninstalled via Homebrew!" | ||
elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then | ||
sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?" | ||
echo "Scalar.NET with GVFS uninstalled via Homebrew!" | ||
elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then | ||
# If not installed with Homebrew, manually remove package | ||
sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?" | ||
echo "Scalar.NET uninstalled!" | ||
else | ||
echo "warning: Scalar.NET uninstall script not found" | ||
fi | ||
|
||
# Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation | ||
mkdir -p $INSTALL_DST/bin | ||
/bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar" | ||
} | ||
|
||
# Run Scalar cleanup (will exit if not applicable) | ||
cleanupScalar | ||
|
||
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
#!/bin/bash -e | ||
if [ ! -r "/usr/local/git" ]; then | ||
echo "Git doesn't appear to be installed via this installer. Aborting" | ||
exit 1 | ||
fi | ||
|
||
if [ "$1" != "--yes" ]; then | ||
echo "This will uninstall git by removing /usr/local/git/, and symlinks" | ||
printf "Type 'yes' if you are sure you wish to continue: " | ||
read response | ||
else | ||
response="yes" | ||
fi | ||
|
||
if [ "$response" == "yes" ]; then | ||
# remove all of the symlinks we've created | ||
pkgutil --files com.git.pkg | grep bin | while read f; do | ||
if [ -L /usr/local/$f ]; then | ||
sudo rm /usr/local/$f | ||
fi | ||
done | ||
|
||
# forget receipts. | ||
pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {} | ||
echo "Uninstalled" | ||
|
||
# The guts all go here. | ||
sudo rm -rf /usr/local/git/ | ||
else | ||
echo "Aborted" | ||
exit 1 | ||
fi | ||
|
||
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,138 @@ | ||
import argparse | ||
import json | ||
import os | ||
import glob | ||
import pprint | ||
import subprocess | ||
import sys | ||
import re | ||
|
||
parser = argparse.ArgumentParser(description='Sign binaries for macOS') | ||
parser.add_argument('path', help='Path to file for signing') | ||
parser.add_argument('keycode', help='Platform-specific key code for signing') | ||
parser.add_argument('opcode', help='Platform-specific operation code for signing') | ||
# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--` | ||
parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing') | ||
args = parser.parse_args() | ||
|
||
esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe") | ||
|
||
aad_id = os.environ['AZURE_AAD_ID'].strip() | ||
# We temporarily need two AAD IDs, as we're using an SSL certificate associated | ||
# with an older App Registration until we have the required hardware to approve | ||
# the new certificate in SSL Admin. | ||
aad_id_ssl = os.environ['AZURE_AAD_ID_SSL'].strip() | ||
workspace = os.environ['GITHUB_WORKSPACE'].strip() | ||
|
||
source_location = args.path | ||
files = glob.glob(os.path.join(source_location, "*")) | ||
|
||
print("Found files:") | ||
pprint.pp(files) | ||
|
||
auth_json = { | ||
"Version": "1.0.0", | ||
"AuthenticationType": "AAD_CERT", | ||
"TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47", | ||
"ClientId": f"{aad_id}", | ||
"AuthCert": { | ||
"SubjectName": f"CN={aad_id_ssl}.microsoft.com", | ||
"StoreLocation": "LocalMachine", | ||
"StoreName": "My" | ||
}, | ||
"RequestSigningCert": { | ||
"SubjectName": f"CN={aad_id}", | ||
"StoreLocation": "LocalMachine", | ||
"StoreName": "My" | ||
} | ||
} | ||
|
||
input_json = { | ||
"Version": "1.0.0", | ||
"SignBatches": [ | ||
{ | ||
"SourceLocationType": "UNC", | ||
"SourceRootDirectory": source_location, | ||
"DestinationLocationType": "UNC", | ||
"DestinationRootDirectory": workspace, | ||
"SignRequestFiles": [], | ||
"SigningInfo": { | ||
"Operations": [ | ||
{ | ||
"KeyCode": f"{args.keycode}", | ||
"OperationCode": f"{args.opcode}", | ||
"Parameters": {}, | ||
"ToolName": "sign", | ||
"ToolVersion": "1.0", | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
|
||
# add files to sign | ||
for f in files: | ||
name = os.path.basename(f) | ||
input_json["SignBatches"][0]["SignRequestFiles"].append( | ||
{ | ||
"SourceLocation": name, | ||
"DestinationLocation": os.path.join("signed", name), | ||
} | ||
) | ||
|
||
# add parameters to input.json (e.g. enabling the hardened runtime for macOS) | ||
if args.params is not None: | ||
i = 0 | ||
while i < len(args.params): | ||
input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1] | ||
i += 2 | ||
|
||
policy_json = { | ||
"Version": "1.0.0", | ||
"Intent": "production release", | ||
"ContentType": "binary", | ||
} | ||
|
||
configs = [ | ||
("auth.json", auth_json), | ||
("input.json", input_json), | ||
("policy.json", policy_json), | ||
] | ||
|
||
for filename, data in configs: | ||
with open(filename, 'w') as fp: | ||
json.dump(data, fp) | ||
|
||
# Run ESRP Client | ||
esrp_out = "esrp_out.json" | ||
result = subprocess.run( | ||
[esrp_tool, "sign", | ||
"-a", "auth.json", | ||
"-i", "input.json", | ||
"-p", "policy.json", | ||
"-o", esrp_out, | ||
"-l", "Verbose"], | ||
capture_output=True, | ||
text=True, | ||
cwd=workspace) | ||
|
||
# Scrub log before printing | ||
log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$', | ||
'***', | ||
result.stdout, | ||
flags=re.IGNORECASE|re.MULTILINE) | ||
print(log) | ||
|
||
if result.returncode != 0: | ||
print("Failed to run ESRPClient.exe") | ||
sys.exit(1) | ||
|
||
if os.path.isfile(esrp_out): | ||
print("ESRP output json:") | ||
with open(esrp_out, 'r') as fp: | ||
pprint.pp(json.load(fp)) | ||
|
||
for file in files: | ||
if os.path.isfile(os.path.join("signed", file)): | ||
print(f"Success!\nSigned {file}") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# Install ESRP client | ||
az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name msftgitesrp --container microsoft-esrp-client --name microsoft.esrpclient.1.2.76.nupkg | ||
Expand-Archive -Path esrp.zip -DestinationPath .\esrp | ||
|
||
# Install certificates | ||
az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx | ||
certutil -f -importpfx out.pfx | ||
Remove-Item out.pfx | ||
|
||
az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx | ||
certutil -f -importpfx out.pfx | ||
Remove-Item out.pfx |
Oops, something went wrong.