fix: CI for signing jars #1059
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| name: Sign jars and internal native libraries | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ master ] | ||
| pull_request: | ||
| branches: [ master ] | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: macos-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'temurin' | ||
|
|
||
| - name: Codesign JARs and Internal Native Libraries | ||
| env: | ||
| MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | ||
| MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | ||
| run: | | ||
| # Step 1: Decode and import the certificate into a keychain | ||
| echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 | ||
| /usr/bin/security create-keychain -p espressif build.keychain | ||
| /usr/bin/security default-keychain -s build.keychain | ||
| /usr/bin/security unlock-keychain -p espressif build.keychain | ||
| /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign | ||
| /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain | ||
|
|
||
| # Step 2: Define the directory containing the JARs and native libraries and the temp directory for signed JARs | ||
| LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.serial.monitor/lib" | ||
| SIGNED_JARS_DIR="${RUNNER_TEMP}/signed-jars" # Use GitHub's RUNNER_TEMP for storing signed JARs | ||
| mkdir -p "$SIGNED_JARS_DIR" | ||
|
|
||
| # Step 3: Extract, sign native libraries, repackage, and sign the JARs with Apple codesign | ||
| for jar in "${LIB_DIR}"/*.jar; do | ||
| echo "Processing JAR file: ${jar}" | ||
|
|
||
| # Check if the JAR exists | ||
| if [ -f "$jar" ]; then | ||
| echo "JAR file found: ${jar}" | ||
| else | ||
| echo "JAR file not found: ${jar}" | ||
| continue | ||
| fi | ||
|
|
||
| # Create a temporary directory to extract the JAR contents | ||
| TEMP_DIR=$(mktemp -d) | ||
| unzip -q "$jar" -d "$TEMP_DIR" | ||
|
|
||
| # Find and sign all .jnilib and .dylib files in the extracted JAR directory | ||
| find "$TEMP_DIR" -name "*.jnilib" -o -name "*.dylib" | while read lib; do | ||
| echo "Signing native library: ${lib}" | ||
| /usr/bin/codesign -vvvv --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" --timestamp --deep "$lib" | ||
| done | ||
|
|
||
| # Repackage the signed JAR | ||
| pushd "$TEMP_DIR" | ||
| zip -r "${SIGNED_JARS_DIR}/$(basename "$jar")" * # Save signed JAR to the temporary signed directory | ||
| popd | ||
|
|
||
| # Sign the entire JAR with Apple codesign, using the same entitlements | ||
| echo "Signing repackaged JAR: ${SIGNED_JARS_DIR}/$(basename "$jar")" | ||
| /usr/bin/codesign -vvvv --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --force --deep --options runtime --timestamp -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "${SIGNED_JARS_DIR}/$(basename "$jar")" | ||
|
|
||
| # Verify the signed JAR | ||
| echo "Verifying signed JAR: ${SIGNED_JARS_DIR}/$(basename "$jar")" | ||
| /usr/bin/codesign -dvv "${SIGNED_JARS_DIR}/$(basename "$jar")" | ||
|
|
||
| # Clean up extracted directory (but leave the signed JAR in SIGNED_JARS_DIR) | ||
| rm -rf "$TEMP_DIR" | ||
| done | ||
|
Comment on lines
+42
to
+78
There was a problem hiding this comment. 🛠️ Refactor suggestion Improve bash script for better error handling and security. Consider the following improvements to the JAR signing process:
Here's an example of how to improve the script: set -euo pipefail
for jar in "${LIB_DIR}"/*.jar; do
if [ ! -f "$jar" ]; then
echo "JAR file not found: ${jar}"
continue
fi
TEMP_DIR=$(mktemp -d)
trap 'rm -rf "$TEMP_DIR"' EXIT
unzip -q "$jar" -d "$TEMP_DIR"
find "$TEMP_DIR" \( -name "*.jnilib" -o -name "*.dylib" \) -print0 |
xargs -0 -I {} /usr/bin/codesign -vvvv --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" --timestamp --deep "{}"
(
cd "$TEMP_DIR" &&
zip -r "${SIGNED_JARS_DIR}/$(basename "$jar")" .
)
/usr/bin/codesign -vvvv --entitlements "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement" --force --deep --options runtime --timestamp -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" "${SIGNED_JARS_DIR}/$(basename "$jar")"
/usr/bin/codesign -dvv "${SIGNED_JARS_DIR}/$(basename "$jar")"
doneThese changes will make the script more robust and secure. 🧰 Tools🪛 yamllint
Comment on lines
+36
to
+78
There was a problem hiding this comment. 🛠️ Refactor suggestion Optimize JAR processing and signing. The current implementation works, but it can be improved for better performance, reliability, and security:
Here's an optimized version of the JAR processing logic: export -f codesign_and_verify
find "$LIB_DIR" -name "*.jar" -print0 | parallel -0 process_jar {}
process_jar() {
local jar_file="$1"
echo "Processing JAR file: $jar_file"
local temp_dir
temp_dir=$(mktemp -d) || { echo "Failed to create temp directory"; return 1; }
if ! unzip -q "$jar_file" -d "$temp_dir"; then
echo "Error extracting $jar_file"
rm -rf "$temp_dir"
return 1
fi
find "$temp_dir" \( -name "*.jnilib" -o -name "*.dylib" \) -print0 |
xargs -0 -I {} bash -c 'codesign_and_verify "$@"' _ {} "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement"
if ! (cd "$temp_dir" && zip -qr "$jar_file" .); then
echo "Error repackaging $jar_file"
rm -rf "$temp_dir"
return 1
fi
if ! codesign_and_verify "$jar_file" "$PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement"; then
echo "Error signing JAR $jar_file"
rm -rf "$temp_dir"
return 1
fi
rm -rf "$temp_dir"
echo "Successfully processed $jar_file"
}
codesign_and_verify() {
local file="$1"
local entitlements="$2"
echo "Signing file: $file"
if ! /usr/bin/codesign --entitlements "$entitlements" --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" --timestamp --deep "$file"; then
echo "Error signing $file"
return 1
fi
if ! /usr/bin/codesign --verify --deep --strict --verbose=2 "$file"; then
echo "Verification failed for $file"
return 1
fi
echo "Successfully signed and verified $file"
}This version uses GNU Parallel for concurrent processing, adds error checking, uses |
||
|
|
||
| - name: Check if signed JAR files exist | ||
| run: | | ||
| echo "Checking signed JAR files in ${SIGNED_JARS_DIR}:" | ||
| ls -al ${SIGNED_JARS_DIR} | ||
|
|
||
| - name: Upload Signed JAR Files | ||
| if: ${{ !cancelled() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: signed-jar-files | ||
| path: ${{ runner.temp }}/signed-jars/* | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛠️ Refactor suggestion
Optimize JAR processing and signing
Consider the following improvements to enhance performance, reliability, and security:
read -rto prevent backslash mangling in filenames.Here's an optimized version:
This version uses GNU Parallel for concurrent processing, adds error checking, uses
read -r, and quotes variables for improved security and reliability.