mirror of
https://github.com/ddworken/hishtory.git
synced 2025-06-18 19:16:44 +02:00
MIgrate to a python script for signign
This commit is contained in:
parent
7aaeb3723d
commit
8e2785e580
85
.github/workflows/slsa-releaser.yml
vendored
85
.github/workflows/slsa-releaser.yml
vendored
@ -43,45 +43,10 @@ jobs:
|
||||
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
run: |
|
||||
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
|
||||
python3 scripts/actions-sign.py
|
||||
echo $GITHUB_REF
|
||||
|
||||
# brew install md5sha1sum
|
||||
# export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
|
||||
# if [ $TAG_NAME == "null" ]; then
|
||||
# echo "TAG_NAME is null, this shouldn't happen!"
|
||||
# curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
|
||||
# exit 1
|
||||
# fi
|
||||
# echo "Signing binaries for $TAG_NAME"
|
||||
# curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
|
||||
# curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
|
||||
# echo "Signing the binaries:"
|
||||
# file hishtory-*
|
||||
# sha1sum hishtory-*
|
||||
# if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
|
||||
# echo "hishtory-darwin-arm64 is ASCII text???"
|
||||
# cat hishtory-darwin-arm64
|
||||
# exit 1
|
||||
# fi
|
||||
# if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
|
||||
# echo "hishtory-darwin-amd64 is ASCII text???"
|
||||
# cat hishtory-darwin-amd64
|
||||
# exit 1
|
||||
# fi
|
||||
|
||||
# echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
|
||||
# security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
||||
# security default-keychain -s build.keychain
|
||||
# security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
||||
# security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
|
||||
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
|
||||
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
|
||||
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
|
||||
# echo "Signed the binaries:"
|
||||
# sha1sum hishtory-*
|
||||
# # Move them to the released filenames
|
||||
# cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
|
||||
# cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
|
||||
export VERSION=${GITHUB_REF##*/}
|
||||
- name: Release
|
||||
uses: softprops/action-gh-release@v1
|
||||
if: startsWith(github.ref, 'refs/tags/')
|
||||
@ -90,25 +55,25 @@ jobs:
|
||||
hishtory-darwin-arm64-signed.json
|
||||
hishtory-darwin-amd64-signed.json
|
||||
|
||||
# Upload to GitHub release.
|
||||
# upload:
|
||||
# permissions:
|
||||
# contents: write
|
||||
# runs-on: ubuntu-latest
|
||||
# needs:
|
||||
# - macos_signer
|
||||
# - build
|
||||
# steps:
|
||||
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||
# with:
|
||||
# name: ${{ needs.macos_signer.outputs.go-binary-name }}
|
||||
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||
# with:
|
||||
# name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
||||
# - name: Release
|
||||
# uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
||||
# if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
|
||||
# with:
|
||||
# files: |
|
||||
# ${{ needs.macos_signer.outputs.go-binary-name }}
|
||||
# ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
||||
Upload to GitHub release.
|
||||
upload:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
needs:
|
||||
- macos_signer
|
||||
- build
|
||||
steps:
|
||||
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||
with:
|
||||
name: ${{ needs.build.outputs.go-binary-name }}
|
||||
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||
with:
|
||||
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
||||
- name: Release
|
||||
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
||||
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
|
||||
with:
|
||||
files: |
|
||||
${{ needs.build.outputs.go-binary-name }}
|
||||
${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
||||
|
48
scripts/actions-sign.py
Normal file
48
scripts/actions-sign.py
Normal file
@ -0,0 +1,48 @@
|
||||
import os
|
||||
import requests
|
||||
import time
|
||||
import subprocess
|
||||
|
||||
version = os.environ['GITHUB_REF'].split('/')
|
||||
print("Downloading binaries (this may pause for a while)")
|
||||
waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-arm64/hishtory-darwin-arm64", "hishtory-darwin-arm64")
|
||||
waitUntilPublished(f"https://github.com/ddworken/hishtory/releases/download/{version}-darwin-amd64/hishtory-darwin-amd64", "hishtory-darwin-amd64")
|
||||
|
||||
print("sha1sum:")
|
||||
os.system("sha1sum hishtory-*")
|
||||
|
||||
print("file:")
|
||||
os.system("file hishtory-*")
|
||||
|
||||
assert notAscii("hishtory-darwin-arm64")
|
||||
assert notAscii("hishtory-darwin-amd64")
|
||||
|
||||
print("signing...")
|
||||
os.system("""
|
||||
echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
|
||||
security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
||||
security default-keychain -s build.keychain
|
||||
security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
||||
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
|
||||
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
|
||||
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
|
||||
""")
|
||||
|
||||
def notAscii(fn):
|
||||
out = subprocess.check_output(["file", fn]).decode('utf-8')
|
||||
if "ASCII text" in out:
|
||||
raise Exception(f"fn={fn} is of type {out}")
|
||||
|
||||
def waitUntilPublished(url) -> None:
|
||||
startTime = time.time()
|
||||
while True:
|
||||
r = requests.get(url, headers={'authorization': f'bearer {os.environ["GITHUB_TOKEN"]}'})
|
||||
if r.status_code == 200:
|
||||
break
|
||||
if (time.time() - startTime)/60 > 10:
|
||||
raise Exception("failed to get url, status_code=" + str(r.status_code) + " body=" + str(r.content))
|
||||
time.sleep(5)
|
||||
with open(output, 'wb') as f:
|
||||
f.write(r.content)
|
||||
|
Loading…
x
Reference in New Issue
Block a user