From 5f3c042b25eed86aa302ab177ca250e79f846cc9 Mon Sep 17 00:00:00 2001 From: Lessley Dennington Date: Fri, 24 Jun 2022 10:25:40 -0700 Subject: [PATCH 1/3] fixup! contrib: add credential helper for OS X Keychain --- contrib/credential/osxkeychain/git-credential-osxkeychain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c index 0b44a9b7cc6f2b..bf77748d602fec 100644 --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c @@ -168,7 +168,7 @@ int main(int argc, const char **argv) "usage: git credential-osxkeychain "; if (!argv[1]) - die(usage); + die("%s", usage); read_credential(); From 225d94eaec630c76b0a64ec27957d5033d888778 Mon Sep 17 00:00:00 2001 From: Lessley Dennington Date: Fri, 24 Jun 2022 10:21:54 -0700 Subject: [PATCH 2/3] fixup! release: add Mac OSX installer build --- .github/macos-installer/Makefile | 116 +++++++ .../assets/etc/gitconfig.osxkeychain | 2 + .../assets/git-components.plist | 18 + .../assets/scripts/postinstall | 62 ++++ .github/macos-installer/assets/uninstall.sh | 34 ++ .github/scripts/run-esrp-signing.py | 138 ++++++++ .github/scripts/set-up-esrp.ps1 | 12 + .github/scripts/symlink-git-hardlinks.rb | 19 + .github/workflows/build-git-installers.yml | 324 ++++++++++++++---- 9 files changed, 662 insertions(+), 63 deletions(-) create mode 100644 .github/macos-installer/Makefile create mode 100644 .github/macos-installer/assets/etc/gitconfig.osxkeychain create mode 100644 .github/macos-installer/assets/git-components.plist create mode 100755 .github/macos-installer/assets/scripts/postinstall create mode 100755 .github/macos-installer/assets/uninstall.sh create mode 100644 .github/scripts/run-esrp-signing.py create mode 100644 .github/scripts/set-up-esrp.ps1 create mode 100644 .github/scripts/symlink-git-hardlinks.rb diff --git a/.github/macos-installer/Makefile b/.github/macos-installer/Makefile new file mode 100644 index 00000000000000..df339bd921df23 --- /dev/null +++ b/.github/macos-installer/Makefile @@ -0,0 +1,116 @@ +SHELL := /bin/bash +SUDO := sudo +C_INCLUDE_PATH := /usr/include +CPLUS_INCLUDE_PATH := /usr/include +LD_LIBRARY_PATH := /usr/lib + +OSX_VERSION := $(shell sw_vers -productVersion) +TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION) + +ARCH := x86_64 +ARCH_CODE := x86_64 +ARCH_FLAGS_x86_64 := -arch x86_64 + +CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE}) +LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE}) + +PREFIX := /usr/local +GIT_PREFIX := $(PREFIX)/git + +BUILD_CODE := intel-$(ARCH_CODE) +BUILD_DIR := $(GITHUB_WORKSPACE)/payload +DESTDIR := $(PWD)/stage/git-$(BUILD_CODE)-$(VERSION) +ARTIFACTDIR := build_artifacts +SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) GIT_BUILT_FROM_COMMIT="$(GIT_BUILT_FROM_COMMIT)" DESTDIR=$(DESTDIR) +CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'") + +.PHONY: image pkg payload + +.SECONDARY: + +$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE): + rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed* + mkdir -p $(DESTDIR)$(GIT_PREFIX) + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain: + cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall" + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-built: + [ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok + cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain + cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install + cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain + mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion + cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ + cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ + cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/ + # This is needed for Git-Gui, GitK + mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl + [ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin + mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man + cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree: + cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1 + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree + mkdir -p $(DESTDIR) + cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin + mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc + cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig + cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh + sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude" + +symlinks: + mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin + cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \; + for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done + ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR) + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree + find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \; + find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \; + touch $@ + +$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE): $(BUILD_DIR)/git-$(VERSION)/osx-built +ifeq ("$(ARCH_CODE)", "universal") + File $(BUILD_DIR)/git-$(VERSION)/git + File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain +else + [ "$$(File $(BUILD_DIR)/git-$(VERSION)/git | cut -f 5 -d' ')" == "$(ARCH_CODE)" ] + [ "$$(File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | cut -f 5 -d' ')" == "$(ARCH_CODE)" ] +endif + touch $@ + +disk-image/VERSION-$(VERSION)-$(ARCH_CODE): + rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store + mkdir disk-image + touch "$@" + +disk-image/git-$(VERSION)-$(BUILD_CODE).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_CODE) symlinks + pkgbuild --identifier com.git.pkg --version $(VERSION) --root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts --install-location $(PREFIX) --component-plist ./assets/git-components.plist disk-image/git-$(VERSION)-$(BUILD_CODE).pkg + +git-%-$(BUILD_CODE).dmg: + hdiutil create git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) Intel $(ARCH)" -ov + hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg + rm -f git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg + +payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE) + +pkg: disk-image/git-$(VERSION)-$(BUILD_CODE).pkg + +image: git-$(VERSION)-$(BUILD_CODE).dmg diff --git a/.github/macos-installer/assets/etc/gitconfig.osxkeychain b/.github/macos-installer/assets/etc/gitconfig.osxkeychain new file mode 100644 index 00000000000000..788266b3a40a9d --- /dev/null +++ b/.github/macos-installer/assets/etc/gitconfig.osxkeychain @@ -0,0 +1,2 @@ +[credential] + helper = osxkeychain diff --git a/.github/macos-installer/assets/git-components.plist b/.github/macos-installer/assets/git-components.plist new file mode 100644 index 00000000000000..78db36777df3ed --- /dev/null +++ b/.github/macos-installer/assets/git-components.plist @@ -0,0 +1,18 @@ + + + + + + BundleHasStrictIdentifier + + BundleIsRelocatable + + BundleIsVersionChecked + + BundleOverwriteAction + upgrade + RootRelativeBundlePath + git/share/git-gui/lib/Git Gui.app + + + diff --git a/.github/macos-installer/assets/scripts/postinstall b/.github/macos-installer/assets/scripts/postinstall new file mode 100755 index 00000000000000..94056db9b7b864 --- /dev/null +++ b/.github/macos-installer/assets/scripts/postinstall @@ -0,0 +1,62 @@ +#!/bin/bash +INSTALL_DST="$2" +SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar" +SCALAR_DOTNET_CMD="/usr/local/scalar/scalar" +SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh" + +function cleanupScalar() +{ + echo "checking whether Scalar was installed" + if [ ! -f "$SCALAR_C_CMD" ]; then + echo "Scalar not installed; exiting..." + return 0 + fi + echo "Scalar is installed!" + + echo "looking for Scalar.NET" + if [ ! -f "$SCALAR_DOTNET_CMD" ]; then + echo "Scalar.NET not found; exiting..." + return 0 + fi + echo "Scalar.NET found!" + + currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }') + + # Re-register Scalar.NET repositories with the newly-installed Scalar + for repo in $($SCALAR_DOTNET_CMD list); do + ( + PATH="$INSTALL_DST/git/bin:$PATH" + sudo -u "$currentUser" scalar register $repo || \ + echo "warning: skipping re-registration of $repo" + ) + done + + # Uninstall Scalar.NET + echo "removing Scalar.NET" + + # Add /usr/local/bin to path - default install location of Homebrew + PATH="/usr/local/bin:$PATH" + if (sudo -u "$currentUser" brew list --cask scalar); then + # Remove from Homebrew + sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?" + echo "Scalar.NET uninstalled via Homebrew!" + elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then + sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?" + echo "Scalar.NET with GVFS uninstalled via Homebrew!" + elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then + # If not installed with Homebrew, manually remove package + sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?" + echo "Scalar.NET uninstalled!" + else + echo "warning: Scalar.NET uninstall script not found" + fi + + # Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation + mkdir -p $INSTALL_DST/bin + /bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar" +} + +# Run Scalar cleanup (will exit if not applicable) +cleanupScalar + +exit 0 \ No newline at end of file diff --git a/.github/macos-installer/assets/uninstall.sh b/.github/macos-installer/assets/uninstall.sh new file mode 100755 index 00000000000000..4fc79fbaa2e652 --- /dev/null +++ b/.github/macos-installer/assets/uninstall.sh @@ -0,0 +1,34 @@ +#!/bin/bash -e +if [ ! -r "/usr/local/git" ]; then + echo "Git doesn't appear to be installed via this installer. Aborting" + exit 1 +fi + +if [ "$1" != "--yes" ]; then + echo "This will uninstall git by removing /usr/local/git/, and symlinks" + printf "Type 'yes' if you are sure you wish to continue: " + read response +else + response="yes" +fi + +if [ "$response" == "yes" ]; then + # remove all of the symlinks we've created + pkgutil --files com.git.pkg | grep bin | while read f; do + if [ -L /usr/local/$f ]; then + sudo rm /usr/local/$f + fi + done + + # forget receipts. + pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {} + echo "Uninstalled" + + # The guts all go here. + sudo rm -rf /usr/local/git/ +else + echo "Aborted" + exit 1 +fi + +exit 0 diff --git a/.github/scripts/run-esrp-signing.py b/.github/scripts/run-esrp-signing.py new file mode 100644 index 00000000000000..f61a97d2582547 --- /dev/null +++ b/.github/scripts/run-esrp-signing.py @@ -0,0 +1,138 @@ +import argparse +import json +import os +import glob +import pprint +import subprocess +import sys +import re + +parser = argparse.ArgumentParser(description='Sign binaries for macOS') +parser.add_argument('path', help='Path to file for signing') +parser.add_argument('keycode', help='Platform-specific key code for signing') +parser.add_argument('opcode', help='Platform-specific operation code for signing') +# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--` +parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing') +args = parser.parse_args() + +esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe") + +aad_id = os.environ['AZURE_AAD_ID'].strip() +# We temporarily need two AAD IDs, as we're using an SSL certificate associated +# with an older App Registration until we have the required hardware to approve +# the new certificate in SSL Admin. +aad_id_ssl = os.environ['AZURE_AAD_ID_SSL'].strip() +workspace = os.environ['GITHUB_WORKSPACE'].strip() + +source_location = args.path +files = glob.glob(os.path.join(source_location, "*")) + +print("Found files:") +pprint.pp(files) + +auth_json = { + "Version": "1.0.0", + "AuthenticationType": "AAD_CERT", + "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47", + "ClientId": f"{aad_id}", + "AuthCert": { + "SubjectName": f"CN={aad_id_ssl}.microsoft.com", + "StoreLocation": "LocalMachine", + "StoreName": "My" + }, + "RequestSigningCert": { + "SubjectName": f"CN={aad_id}", + "StoreLocation": "LocalMachine", + "StoreName": "My" + } +} + +input_json = { + "Version": "1.0.0", + "SignBatches": [ + { + "SourceLocationType": "UNC", + "SourceRootDirectory": source_location, + "DestinationLocationType": "UNC", + "DestinationRootDirectory": workspace, + "SignRequestFiles": [], + "SigningInfo": { + "Operations": [ + { + "KeyCode": f"{args.keycode}", + "OperationCode": f"{args.opcode}", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0", + } + ] + } + } + ] +} + +# add files to sign +for f in files: + name = os.path.basename(f) + input_json["SignBatches"][0]["SignRequestFiles"].append( + { + "SourceLocation": name, + "DestinationLocation": os.path.join("signed", name), + } + ) + +# add parameters to input.json (e.g. enabling the hardened runtime for macOS) +if args.params is not None: + i = 0 + while i < len(args.params): + input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1] + i += 2 + +policy_json = { + "Version": "1.0.0", + "Intent": "production release", + "ContentType": "binary", +} + +configs = [ + ("auth.json", auth_json), + ("input.json", input_json), + ("policy.json", policy_json), +] + +for filename, data in configs: + with open(filename, 'w') as fp: + json.dump(data, fp) + +# Run ESRP Client +esrp_out = "esrp_out.json" +result = subprocess.run( + [esrp_tool, "sign", + "-a", "auth.json", + "-i", "input.json", + "-p", "policy.json", + "-o", esrp_out, + "-l", "Verbose"], + capture_output=True, + text=True, + cwd=workspace) + +# Scrub log before printing +log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$', + '***', + result.stdout, + flags=re.IGNORECASE|re.MULTILINE) +print(log) + +if result.returncode != 0: + print("Failed to run ESRPClient.exe") + sys.exit(1) + +if os.path.isfile(esrp_out): + print("ESRP output json:") + with open(esrp_out, 'r') as fp: + pprint.pp(json.load(fp)) + +for file in files: + if os.path.isfile(os.path.join("signed", file)): + print(f"Success!\nSigned {file}") \ No newline at end of file diff --git a/.github/scripts/set-up-esrp.ps1 b/.github/scripts/set-up-esrp.ps1 new file mode 100644 index 00000000000000..9bc9699ae8b332 --- /dev/null +++ b/.github/scripts/set-up-esrp.ps1 @@ -0,0 +1,12 @@ +# Install ESRP client +az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name msftgitesrp --container microsoft-esrp-client --name microsoft.esrpclient.1.2.76.nupkg +Expand-Archive -Path esrp.zip -DestinationPath .\esrp + +# Install certificates +az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx +certutil -f -importpfx out.pfx +Remove-Item out.pfx + +az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx +certutil -f -importpfx out.pfx +Remove-Item out.pfx \ No newline at end of file diff --git a/.github/scripts/symlink-git-hardlinks.rb b/.github/scripts/symlink-git-hardlinks.rb new file mode 100644 index 00000000000000..174802ccc85d93 --- /dev/null +++ b/.github/scripts/symlink-git-hardlinks.rb @@ -0,0 +1,19 @@ +#!/usr/bin/env ruby + +install_prefix = ARGV[0] +puts install_prefix +git_binary = File.join(install_prefix, '/usr/local/git/bin/git') + +[ + ['git' , File.join(install_prefix, '/usr/local/git/bin')], + ['../../bin/git', File.join(install_prefix, '/usr/local/git/libexec/git-core')] +].each do |link, path| + Dir.glob(File.join(path, '*')).each do |file| + next if file == git_binary + puts "#{file} #{File.size(file)} == #{File.size(git_binary)}" + next unless File.size(file) == File.size(git_binary) + puts "Symlinking #{file}" + puts `ln -sf #{link} #{file}` + exit $?.exitstatus if $?.exitstatus != 0 + end +end \ No newline at end of file diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index f264af0efa9ff0..1b24accf990e05 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -292,8 +292,8 @@ jobs: path: artifacts # End build Windows installers - # Build Mac OSX installers & upload artifacts - mac_artifacts: + # Build and sign Mac OSX installers & upload artifacts + osx_build: runs-on: macos-latest needs: prereqs env: @@ -302,88 +302,286 @@ jobs: CFLAGS: -I/usr/local/opt/gettext/include # To make use of the catalogs... XML_CATALOG_FILES: /usr/local/etc/xml/catalog - # Enable a bit stricter compile flags - DEVELOPER: 1 - # For the osx-installer build - OSX_VERSION: 10.15 - V: 1 + VERSION: "${{ needs.prereqs.outputs.tag_version }}" steps: - - name: Install git dependencies + - name: Check out repository + uses: actions/checkout@v3 + with: + path: 'git' + + - name: Install Git dependencies run: | set -x - brew install automake asciidoc xmlto + brew install automake asciidoc xmlto docbook brew link --force gettext - - name: Clone git - uses: actions/checkout@v2 - with: - path: 'git' - - name: Build GIT-VERSION-FILE and .tar.gz files + + - name: Build payload run: | + # Configure the environment set -x PATH=/usr/local/bin:$PATH + export CURL_LDFLAGS=$(curl-config --libs) # Write to "version" file to force match with trigger payload version echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc - - name: Clone installer repository - uses: actions/checkout@v2 - with: - path: 'git_osx_installer' - repository: 'derrickstolee/git_osx_installer' - - name: Bundle .dmg - run: | - die () { - echo "$*" >&2 - exit 1 - } - # Configure the environment - export CURL_LDFLAGS=$(curl-config --libs) - export VERSION="${{ needs.prereqs.outputs.tag_version }}" + export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) || + die "Could not determine commit for build" - dir=git_osx_installer/git-$VERSION - test ! -e $dir || - rm $dir || - die "Could not remove $dir" - ln -s .. $dir + # Extract tarballs + mkdir payload manpages + tar -xvf git/git-$VERSION.tar.gz -C payload + tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages - mkdir -p git_osx_installer/build && - cp git/git-$VERSION.tar.gz git/git-manpages-$VERSION.tar.gz git_osx_installer/build/ || - die "Could not copy .tar.gz files" + # Lay out payload + make -C git/.github/macos-installer V=1 payload - GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) || - die "Could not determine commit for build" + # This step is necessary because we cannot use the $VERSION + # environment variable or the tag_version output from the prereqs + # job in the upload-artifact task. + mkdir -p build_artifacts + cp -R stage/git-intel-x86_64-$VERSION/ build_artifacts - # drop the -isysroot `GIT_SDK` hack - sed -i .bak -e 's/ -isysroot .(SDK_PATH)//' git_osx_installer/Makefile || die "Could not drop the -isysroot hack" + # We keep a list of executable files because their executable bits are + # removed when they are zipped, and we need to re-add. + find build_artifacts -type f -a -perm -u=x >executable-files.txt - # make sure that .../usr/local/git/share/man/ exists - sed -i .bak -e 's/\(tar .*-C \)\(.*\/share\/man\)$/mkdir -p \2 \&\& &/' git_osx_installer/Makefile || die "Could not edit git_osx_installer/Makefile" - cat git_osx_installer/Makefile + - name: Upload macOS artifacts + uses: actions/upload-artifact@v3 + with: + name: tmp.osx-build + path: | + build_artifacts - make -C git_osx_installer vars + - name: Upload list of executable files + uses: actions/upload-artifact@v3 + with: + name: tmp.executable-files + path: | + executable-files.txt + + osx_sign_payload: + # ESRP service requires signing to run on Windows + runs-on: windows-latest + needs: osx_build + steps: + - name: Check out repository + uses: actions/checkout@v3 + with: + path: 'git' + + - name: Download unsigned build artifiacts + uses: actions/download-artifact@v3 + with: + name: tmp.osx-build + path: build_artifacts + + - name: Zip unsigned build artifacts + shell: pwsh + run: | + Compress-Archive -Path build_artifacts build_artifacts/build_artifacts.zip + cd build_artifacts + Get-ChildItem -Exclude build_artifacts.zip | Remove-Item -Recurse -Force + + - uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Set up ESRP client + shell: pwsh + env: + AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }} + AZURE_VAULT: ${{ secrets.AZURE_VAULT }} + AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }} + REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }} + run: | + git\.github\scripts\set-up-esrp.ps1 + + - name: Run ESRP client + shell: pwsh + env: + AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} + # We temporarily need two AAD IDs, as we're using an SSL certificate associated + # with an older App Registration until we have the required hardware to approve + # the new certificate in SSL Admin. + AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }} + APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }} + APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }} + run: | + python git\.github\scripts\run-esrp-signing.py build_artifacts ` + $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE ` + --params 'Hardening' '--options=runtime' + + - name: Unzip signed build artifacts + shell: pwsh + run: | + Expand-Archive signed/build_artifacts.zip -DestinationPath signed + Remove-Item signed/build_artifacts.zip + + - name: Upload signed payload + uses: actions/upload-artifact@v3 + with: + name: osx-signed-payload + path: | + signed + + osx_pack: + runs-on: macos-latest + needs: [prereqs, osx_sign_payload] + steps: + - name: Check out repository + uses: actions/checkout@v3 + with: + path: 'git' - PATH=/usr/local/bin:/System/Library/Frameworks:$PATH \ - make -C git_osx_installer \ - OSX_VERSION=10.15 C_INCLUDE_PATH="$C_INCLUDE_PATH" V=1 \ - build/intel-x86_64-catalina/git-$VERSION/osx-built-keychain || - die "Build failed" + - name: Download signed artifacts + uses: actions/download-artifact@v3 + with: + name: osx-signed-payload + + - name: Download list of executable files + uses: actions/download-artifact@v3 + with: + name: tmp.executable-files + + - name: Build macOS pkg + env: + VERSION: "${{ needs.prereqs.outputs.tag_version }}" + run: | + # Install findutils to use gxargs below + brew install findutils + # Configure the environment + export CURL_LDFLAGS=$(curl-config --libs) + + # Add executable bits and move build_artifacts into + # the same directory as Makefile (so that executable bits + # will be recognized). + gxargs -r -d '\n' chmod a+x Date: Mon, 27 Jun 2022 14:41:32 -0700 Subject: [PATCH 3/3] fixup! release: add signing step for .deb package --- .github/scripts/sign-debian-packages.py | 118 --------------------- .github/workflows/build-git-installers.yml | 34 +++--- 2 files changed, 19 insertions(+), 133 deletions(-) delete mode 100644 .github/scripts/sign-debian-packages.py diff --git a/.github/scripts/sign-debian-packages.py b/.github/scripts/sign-debian-packages.py deleted file mode 100644 index d0025fb14b9a7a..00000000000000 --- a/.github/scripts/sign-debian-packages.py +++ /dev/null @@ -1,118 +0,0 @@ -import json -import os -import glob -import pprint -import subprocess -import sys - -esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe") - -AAD_ID = os.environ['AZURE_AAD_ID'].strip() -AAD_ID_TEMP = os.environ['AZURE_AAD_ID_TEMP'].strip() -WORKSPACE = os.environ['GITHUB_WORKSPACE'].strip() -ARTIFACTS_DIR = os.environ['ARTIFACTS_DIR'].strip() - -def main(): - source_root_location = os.path.join(WORKSPACE, ARTIFACTS_DIR, "unsigned") - destination_location = os.path.join(WORKSPACE, ARTIFACTS_DIR) - - files = glob.glob(os.path.join(source_root_location, "*.deb")) - - print("Found files:") - pprint.pp(files) - - if len(files) < 1 or not files[0].endswith(".deb"): - print("Error: cannot find .deb to sign") - exit(1) - - file_to_sign = os.path.basename(files[0]) - - auth_json = { - "Version": "1.0.0", - "AuthenticationType": "AAD_CERT", - "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47", - "ClientId": AAD_ID, - "AuthCert": { - "SubjectName": f"CN={AAD_ID_TEMP}.microsoft.com", - "StoreLocation": "LocalMachine", - "StoreName": "My", - }, - "RequestSigningCert": { - "SubjectName": f"CN={AAD_ID}", - "StoreLocation": "LocalMachine", - "StoreName": "My", - } - } - - input_json = { - "Version": "1.0.0", - "SignBatches": [ - { - "SourceLocationType": "UNC", - "SourceRootDirectory": source_root_location, - "DestinationLocationType": "UNC", - "DestinationRootDirectory": destination_location, - "SignRequestFiles": [ - { - "CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD", - "SourceLocation": file_to_sign, - "DestinationLocation": os.path.join("signed", file_to_sign), - } - ], - "SigningInfo": { - "Operations": [ - { - "KeyCode": "CP-450779-Pgp", - "OperationCode": "LinuxSign", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0", - } - ] - } - } - ] - } - - policy_json = { - "Version": "1.0.0", - "Intent": "production release", - "ContentType": "Debian package", - } - - configs = [ - ("auth.json", auth_json), - ("input.json", input_json), - ("policy.json", policy_json), - ] - - for filename, data in configs: - with open(filename, 'w') as fp: - json.dump(data, fp) - - # Run ESRP Client - esrp_out = "esrp_out.json" - result = subprocess.run( - [esrp_tool, "sign", - "-a", "auth.json", - "-i", "input.json", - "-p", "policy.json", - "-o", esrp_out, - "-l", "Verbose"], - cwd=WORKSPACE) - - if result.returncode != 0: - print("Failed to run ESRPClient.exe") - sys.exit(1) - - if os.path.isfile(esrp_out): - print("ESRP output json:") - with open(esrp_out, 'r') as fp: - pprint.pp(json.load(fp)) - - signed_file = os.path.join(destination_location, "signed", file_to_sign) - if os.path.isfile(signed_file): - print(f"Success!\nSigned {signed_file}") - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 1b24accf990e05..3150ebacb34602 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -668,38 +668,42 @@ jobs: steps: - name: Clone repository uses: actions/checkout@v2 + with: + path: 'git' - name: Download unsigned packages uses: actions/download-artifact@v2 with: name: deb-package-unsigned - path: ${{ env.ARTIFACTS_DIR }}/unsigned + path: unsigned - uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Download ESRP client - run: | - az storage blob download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --account-name msftgitesrp -c microsoft-esrp-client -n microsoft.esrpclient.1.2.76.nupkg -f esrp.zip - Expand-Archive -Path esrp.zip -DestinationPath .\esrp - - name: Install ESRP certificates + - name: Set up ESRP client + shell: pwsh + env: + AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }} + AZURE_VAULT: ${{ secrets.AZURE_VAULT }} + AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }} + REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }} run: | - az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-esrp-auth-cert" -f auth_cert.pfx - Import-PfxCertificate auth_cert.pfx -CertStoreLocation Cert:\LocalMachine\My - az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-request-signing-cert" -f request_signing_cert.pfx - Import-PfxCertificate request_signing_cert.pfx -CertStoreLocation Cert:\LocalMachine\My - - uses: actions/setup-python@v2 - - name: Run ESRP client + git\.github\scripts\set-up-esrp.ps1 + - name: Sign package + shell: pwsh env: AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} # We temporarily need two AAD IDs, as we're using an SSL certificate associated # with an older App Registration until we have the required hardware to approve # the new certificate in SSL Admin. - AZURE_AAD_ID_TEMP: ${{ secrets.AAD_ID_TEMP }} - run: python .github/scripts/sign-debian-packages.py + AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }} + LINUX_KEY_CODE: ${{ secrets.LINUX_KEY_CODE }} + LINUX_OP_CODE: ${{ secrets.LINUX_OPERATION_CODE }} + run: | + python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE - name: Upload signed artifact uses: actions/upload-artifact@v2 with: name: deb-package-signed - path: ${{ env.ARTIFACTS_DIR }}/signed + path: signed # End build & sign Ubuntu package create-github-release: