MIgrate to a python script for signign

This commit is contained in:
David Dworken 2022-05-23 23:25:12 -07:00
parent 7aaeb3723d
commit 8e2785e580
2 changed files with 73 additions and 60 deletions

View File

@ -43,45 +43,10 @@ jobs:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
python3 scripts/actions-sign.py
echo $GITHUB_REF
# brew install md5sha1sum
# export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
# if [ $TAG_NAME == "null" ]; then
# echo "TAG_NAME is null, this shouldn't happen!"
# curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
# exit 1
# fi
# echo "Signing binaries for $TAG_NAME"
# curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
# curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
# echo "Signing the binaries:"
# file hishtory-*
# sha1sum hishtory-*
# if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
# echo "hishtory-darwin-arm64 is ASCII text???"
# cat hishtory-darwin-arm64
# exit 1
# fi
# if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
# echo "hishtory-darwin-amd64 is ASCII text???"
# cat hishtory-darwin-amd64
# exit 1
# fi
# echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
# security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
# security default-keychain -s build.keychain
# security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
# security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
# echo "Signed the binaries:"
# sha1sum hishtory-*
# # Move them to the released filenames
# cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
# cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
export VERSION=${GITHUB_REF##*/}
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
@ -90,25 +55,25 @@ jobs:
hishtory-darwin-arm64-signed.json
hishtory-darwin-amd64-signed.json
# Upload to GitHub release.
# upload:
# permissions:
# contents: write
# runs-on: ubuntu-latest
# needs:
# - macos_signer
# - build
# steps:
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
# with:
# name: ${{ needs.macos_signer.outputs.go-binary-name }}
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
# with:
# name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
# - name: Release
# uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
# if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
# with:
# files: |
# ${{ needs.macos_signer.outputs.go-binary-name }}
# ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
Upload to GitHub release.
upload:
permissions:
contents: write
runs-on: ubuntu-latest
needs:
- macos_signer
- build
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
with:
files: |
${{ needs.build.outputs.go-binary-name }}
${{ needs.build.outputs.go-binary-name }}.intoto.jsonl

48
scripts/actions-sign.py Normal file
View File

@ -0,0 +1,48 @@
import os
import requests
import time
import subprocess
version = os.environ['GITHUB_REF'].split('/')
print("Downloading binaries (this may pause for a while)")
waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-arm64/hishtory-darwin-arm64", "hishtory-darwin-arm64")
waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-amd64/hishtory-darwin-amd64", "hishtory-darwin-amd64")
print("sha1sum:")
os.system("sha1sum hishtory-*")
print("file:")
os.system("file hishtory-*")
assert notAscii("hishtory-darwin-arm64")
assert notAscii("hishtory-darwin-amd64")
print("signing...")
os.system("""
echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
""")
def notAscii(fn):
out = subprocess.check_output(["file", fn]).decode('utf-8')
if "ASCII text" in out:
raise Exception(f"fn={fn} is of type {out}")
def waitUntilPublished(url) -> None:
startTime = time.time()
while True:
r = requests.get(url, headers={'authorization': f'bearer {os.environ["GITHUB_TOKEN"]}'})
if r.status_code == 200:
break
if (time.time() - startTime)/60 > 10:
raise Exception("failed to get url, status_code=" + str(r.status_code) + " body=" + str(r.content))
time.sleep(5)
with open(output, 'wb') as f:
f.write(r.content)