Skip to content

Commit

Permalink
Merge pull request git-for-windows#514 from ldennington/sign-macos
Browse files Browse the repository at this point in the history
Sign and notarize macOS binaries
  • Loading branch information
ldennington authored Jul 18, 2022
2 parents 8b82df2 + 4c38f19 commit c4a88d6
Show file tree
Hide file tree
Showing 11 changed files with 682 additions and 197 deletions.
116 changes: 116 additions & 0 deletions .github/macos-installer/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
SHELL := /bin/bash
SUDO := sudo
C_INCLUDE_PATH := /usr/include
CPLUS_INCLUDE_PATH := /usr/include
LD_LIBRARY_PATH := /usr/lib

OSX_VERSION := $(shell sw_vers -productVersion)
TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION)

ARCH := x86_64
ARCH_CODE := x86_64
ARCH_FLAGS_x86_64 := -arch x86_64

CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})
LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})

PREFIX := /usr/local
GIT_PREFIX := $(PREFIX)/git

BUILD_CODE := intel-$(ARCH_CODE)
BUILD_DIR := $(GITHUB_WORKSPACE)/payload
DESTDIR := $(PWD)/stage/git-$(BUILD_CODE)-$(VERSION)
ARTIFACTDIR := build_artifacts
SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) GIT_BUILT_FROM_COMMIT="$(GIT_BUILT_FROM_COMMIT)" DESTDIR=$(DESTDIR)
CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'")

.PHONY: image pkg payload

.SECONDARY:

$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE):
rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed*
mkdir -p $(DESTDIR)$(GIT_PREFIX)
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain:
cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall"
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-built:
[ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok
cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain
cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install
cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain
mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
# This is needed for Git-Gui, GitK
mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl
[ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man
cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree:
cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree
mkdir -p $(DESTDIR)
cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc
cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig
cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh
sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude"

symlinks:
mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin
cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \;
for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done
ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR)
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree
find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \;
find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \;
touch $@

$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE): $(BUILD_DIR)/git-$(VERSION)/osx-built
ifeq ("$(ARCH_CODE)", "universal")
File $(BUILD_DIR)/git-$(VERSION)/git
File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain
else
[ "$$(File $(BUILD_DIR)/git-$(VERSION)/git | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
[ "$$(File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
endif
touch $@

disk-image/VERSION-$(VERSION)-$(ARCH_CODE):
rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store
mkdir disk-image
touch "$@"

disk-image/git-$(VERSION)-$(BUILD_CODE).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_CODE) symlinks
pkgbuild --identifier com.git.pkg --version $(VERSION) --root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts --install-location $(PREFIX) --component-plist ./assets/git-components.plist disk-image/git-$(VERSION)-$(BUILD_CODE).pkg

git-%-$(BUILD_CODE).dmg:
hdiutil create git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) Intel $(ARCH)" -ov
hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg
rm -f git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg

payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE)

pkg: disk-image/git-$(VERSION)-$(BUILD_CODE).pkg

image: git-$(VERSION)-$(BUILD_CODE).dmg
2 changes: 2 additions & 0 deletions .github/macos-installer/assets/etc/gitconfig.osxkeychain
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
[credential]
helper = osxkeychain
18 changes: 18 additions & 0 deletions .github/macos-installer/assets/git-components.plist
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>BundleHasStrictIdentifier</key>
<true/>
<key>BundleIsRelocatable</key>
<false/>
<key>BundleIsVersionChecked</key>
<true/>
<key>BundleOverwriteAction</key>
<string>upgrade</string>
<key>RootRelativeBundlePath</key>
<string>git/share/git-gui/lib/Git Gui.app</string>
</dict>
</array>
</plist>
62 changes: 62 additions & 0 deletions .github/macos-installer/assets/scripts/postinstall
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
#!/bin/bash
INSTALL_DST="$2"
SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar"
SCALAR_DOTNET_CMD="/usr/local/scalar/scalar"
SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh"

function cleanupScalar()
{
echo "checking whether Scalar was installed"
if [ ! -f "$SCALAR_C_CMD" ]; then
echo "Scalar not installed; exiting..."
return 0
fi
echo "Scalar is installed!"

echo "looking for Scalar.NET"
if [ ! -f "$SCALAR_DOTNET_CMD" ]; then
echo "Scalar.NET not found; exiting..."
return 0
fi
echo "Scalar.NET found!"

currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')

# Re-register Scalar.NET repositories with the newly-installed Scalar
for repo in $($SCALAR_DOTNET_CMD list); do
(
PATH="$INSTALL_DST/git/bin:$PATH"
sudo -u "$currentUser" scalar register $repo || \
echo "warning: skipping re-registration of $repo"
)
done

# Uninstall Scalar.NET
echo "removing Scalar.NET"

# Add /usr/local/bin to path - default install location of Homebrew
PATH="/usr/local/bin:$PATH"
if (sudo -u "$currentUser" brew list --cask scalar); then
# Remove from Homebrew
sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?"
echo "Scalar.NET uninstalled via Homebrew!"
elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then
sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?"
echo "Scalar.NET with GVFS uninstalled via Homebrew!"
elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then
# If not installed with Homebrew, manually remove package
sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?"
echo "Scalar.NET uninstalled!"
else
echo "warning: Scalar.NET uninstall script not found"
fi

# Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation
mkdir -p $INSTALL_DST/bin
/bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar"
}

# Run Scalar cleanup (will exit if not applicable)
cleanupScalar

exit 0
34 changes: 34 additions & 0 deletions .github/macos-installer/assets/uninstall.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
#!/bin/bash -e
if [ ! -r "/usr/local/git" ]; then
echo "Git doesn't appear to be installed via this installer. Aborting"
exit 1
fi

if [ "$1" != "--yes" ]; then
echo "This will uninstall git by removing /usr/local/git/, and symlinks"
printf "Type 'yes' if you are sure you wish to continue: "
read response
else
response="yes"
fi

if [ "$response" == "yes" ]; then
# remove all of the symlinks we've created
pkgutil --files com.git.pkg | grep bin | while read f; do
if [ -L /usr/local/$f ]; then
sudo rm /usr/local/$f
fi
done

# forget receipts.
pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {}
echo "Uninstalled"

# The guts all go here.
sudo rm -rf /usr/local/git/
else
echo "Aborted"
exit 1
fi

exit 0
138 changes: 138 additions & 0 deletions .github/scripts/run-esrp-signing.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
import argparse
import json
import os
import glob
import pprint
import subprocess
import sys
import re

parser = argparse.ArgumentParser(description='Sign binaries for macOS')
parser.add_argument('path', help='Path to file for signing')
parser.add_argument('keycode', help='Platform-specific key code for signing')
parser.add_argument('opcode', help='Platform-specific operation code for signing')
# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--`
parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing')
args = parser.parse_args()

esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")

aad_id = os.environ['AZURE_AAD_ID'].strip()
# We temporarily need two AAD IDs, as we're using an SSL certificate associated
# with an older App Registration until we have the required hardware to approve
# the new certificate in SSL Admin.
aad_id_ssl = os.environ['AZURE_AAD_ID_SSL'].strip()
workspace = os.environ['GITHUB_WORKSPACE'].strip()

source_location = args.path
files = glob.glob(os.path.join(source_location, "*"))

print("Found files:")
pprint.pp(files)

auth_json = {
"Version": "1.0.0",
"AuthenticationType": "AAD_CERT",
"TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"ClientId": f"{aad_id}",
"AuthCert": {
"SubjectName": f"CN={aad_id_ssl}.microsoft.com",
"StoreLocation": "LocalMachine",
"StoreName": "My"
},
"RequestSigningCert": {
"SubjectName": f"CN={aad_id}",
"StoreLocation": "LocalMachine",
"StoreName": "My"
}
}

input_json = {
"Version": "1.0.0",
"SignBatches": [
{
"SourceLocationType": "UNC",
"SourceRootDirectory": source_location,
"DestinationLocationType": "UNC",
"DestinationRootDirectory": workspace,
"SignRequestFiles": [],
"SigningInfo": {
"Operations": [
{
"KeyCode": f"{args.keycode}",
"OperationCode": f"{args.opcode}",
"Parameters": {},
"ToolName": "sign",
"ToolVersion": "1.0",
}
]
}
}
]
}

# add files to sign
for f in files:
name = os.path.basename(f)
input_json["SignBatches"][0]["SignRequestFiles"].append(
{
"SourceLocation": name,
"DestinationLocation": os.path.join("signed", name),
}
)

# add parameters to input.json (e.g. enabling the hardened runtime for macOS)
if args.params is not None:
i = 0
while i < len(args.params):
input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1]
i += 2

policy_json = {
"Version": "1.0.0",
"Intent": "production release",
"ContentType": "binary",
}

configs = [
("auth.json", auth_json),
("input.json", input_json),
("policy.json", policy_json),
]

for filename, data in configs:
with open(filename, 'w') as fp:
json.dump(data, fp)

# Run ESRP Client
esrp_out = "esrp_out.json"
result = subprocess.run(
[esrp_tool, "sign",
"-a", "auth.json",
"-i", "input.json",
"-p", "policy.json",
"-o", esrp_out,
"-l", "Verbose"],
capture_output=True,
text=True,
cwd=workspace)

# Scrub log before printing
log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$',
'***',
result.stdout,
flags=re.IGNORECASE|re.MULTILINE)
print(log)

if result.returncode != 0:
print("Failed to run ESRPClient.exe")
sys.exit(1)

if os.path.isfile(esrp_out):
print("ESRP output json:")
with open(esrp_out, 'r') as fp:
pprint.pp(json.load(fp))

for file in files:
if os.path.isfile(os.path.join("signed", file)):
print(f"Success!\nSigned {file}")
12 changes: 12 additions & 0 deletions .github/scripts/set-up-esrp.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# Install ESRP client
az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name msftgitesrp --container microsoft-esrp-client --name microsoft.esrpclient.1.2.76.nupkg
Expand-Archive -Path esrp.zip -DestinationPath .\esrp

# Install certificates
az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
certutil -f -importpfx out.pfx
Remove-Item out.pfx

az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx
certutil -f -importpfx out.pfx
Remove-Item out.pfx
Loading

0 comments on commit c4a88d6

Please sign in to comment.