MIgrate to a python script for signign

2025-06-24 14:01:46 +02:00 · 2022-05-23 23:25:12 -07:00 · 2022-05-23 23:25:12 -07:00 · 8e2785e580
commit 8e2785e580
parent 7aaeb3723d
2 changed files with 73 additions and 60 deletions
--- a/.github/workflows/slsa-releaser.yml
+++ b/.github/workflows/slsa-releaser.yml
@ -43,45 +43,10 @@ jobs:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
+          export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
+          python3 scripts/actions-sign.py
          echo $GITHUB_REF
-
-          # brew install md5sha1sum
-          # export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest  --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
-          # if [ $TAG_NAME == "null" ]; then
-          #   echo "TAG_NAME is null, this shouldn't happen!"
-          #   curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
-          #   exit 1 
-          # fi
-          # echo "Signing binaries for $TAG_NAME"
-          # curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
-          # curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
-          # echo "Signing the binaries:"
-          # file hishtory-*
-          # sha1sum hishtory-*
-          # if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
-          #   echo "hishtory-darwin-arm64 is ASCII text???"
-          #   cat hishtory-darwin-arm64
-          #   exit 1
-          # fi
-          # if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
-          #   echo "hishtory-darwin-amd64 is ASCII text???"
-          #   cat hishtory-darwin-amd64
-          #   exit 1
-          # fi
-
-          # echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
-          # security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
-          # security default-keychain -s build.keychain
-          # security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
-          # security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
-          # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
-          # /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
-          # /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
-          # echo "Signed the binaries:"
-          # sha1sum hishtory-*
-          # # Move them to the released filenames
-          # cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
-          # cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
+          export VERSION=${GITHUB_REF##*/}
      - name: Release
        uses: softprops/action-gh-release@v1
        if: startsWith(github.ref, 'refs/tags/')
@ -90,25 +55,25 @@ jobs:
            hishtory-darwin-arm64-signed.json
            hishtory-darwin-amd64-signed.json

-  # Upload to GitHub release.
-  # upload:
-  #   permissions:
-  #     contents: write
-  #   runs-on: ubuntu-latest
-  #   needs: 
-  #     - macos_signer
-  #     - build 
-  #   steps:
-  #     - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
-  #       with:
-  #         name: ${{ needs.macos_signer.outputs.go-binary-name }}
-  #     - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
-  #       with:
-  #         name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
-  #     - name: Release
-  #       uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
-  #       if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
-  #       with:
-  #         files: |
-  #           ${{ needs.macos_signer.outputs.go-binary-name }}
-  #           ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+  Upload to GitHub release.
+  upload:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    needs: 
+      - macos_signer
+      - build 
+    steps:
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+      - name: Release
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
+        with:
+          files: |
+            ${{ needs.build.outputs.go-binary-name }}
+            ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
--- a/scripts/actions-sign.py
+++ b/scripts/actions-sign.py
@ -0,0 +1,48 @@
+import os 
+import requests
+import time 
+import subprocess
+
+version = os.environ['GITHUB_REF'].split('/')
+print("Downloading binaries (this may pause for a while)")
+waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-arm64/hishtory-darwin-arm64", "hishtory-darwin-arm64")
+waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-amd64/hishtory-darwin-amd64", "hishtory-darwin-amd64")
+
+print("sha1sum:")
+os.system("sha1sum hishtory-*")
+
+print("file:")
+os.system("file hishtory-*")
+
+assert notAscii("hishtory-darwin-arm64")
+assert notAscii("hishtory-darwin-amd64")
+
+print("signing...")
+os.system("""
+echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
+security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
+security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
+/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
+/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
+""")
+
+def notAscii(fn):
+    out = subprocess.check_output(["file", fn]).decode('utf-8')
+    if "ASCII text" in out:
+        raise Exception(f"fn={fn} is of type {out}")
+
+def waitUntilPublished(url) -> None:
+    startTime = time.time()
+    while True:
+        r = requests.get(url, headers={'authorization': f'bearer {os.environ["GITHUB_TOKEN"]}'})
+        if r.status_code == 200:
+            break 
+        if (time.time() - startTime)/60 > 10:
+            raise Exception("failed to get url, status_code=" + str(r.status_code) + " body=" + str(r.content))
+        time.sleep(5)
+    with open(output, 'wb') as f:
+        f.write(r.content)
+