root: added notarize CI job

Since Microsoft and Apple requires applications to be notarized, we should facilitate Notarize CI job. Hence, let's do this. This pathc adds notarize CI job in root repository. Co-authored-by: Galyna, Cory <[email protected]> Co-authored-by: (Holloway) Chew, Kean Ho <[email protected]> Signed-off-by: (Holloway) Chew, Kean Ho <[email protected]>
ChewKeanHo · Oct 18, 2023 · c3cdb5f · c3cdb5f
1 parent 1ebdc88
commit c3cdb5f
Show file tree

Hide file tree

Showing 20 changed files with 1,163 additions and 9 deletions.
diff --git a/.github/workflows/git-push.yml b/.github/workflows/git-push.yml
@@ -69,6 +69,10 @@ jobs:
         id: native_ci_build
         run: |
           ./ci.cmd build
+      - name: Execute repo's AutomataCI - NOTARIZE
+        id: native_ci_notarize
+        run: |
+          ./ci.cmd notarize
       - name: Execute repo's AutomataCI - PACKAGE
         id: native_ci_package
         run: |

diff --git a/CONFIG.toml b/CONFIG.toml
@@ -142,7 +142,7 @@ PROJECT_C = ''
 #
 # To enable it: simply supply the path (e.g. default is 'srcGO').
 # To disable it: simply supply an empty path (e.g. default is '').
-PROJECT_GO = ''
+PROJECT_GO = 'srcGO'
 
 
 # PROJECT_PATH_GO_ENGINE
@@ -165,7 +165,7 @@ PROJECT_PATH_GO_ENGINE = "go-engine"
 #
 # To enable it: simply supply the path (e.g. default is 'srcPYTHON').
 # To disable it: simply supply an empty path (e.g. default is '').
-PROJECT_PYTHON = 'srcPYTHON'
+PROJECT_PYTHON = ''
 
 
 # PROJECT_PATH_PYTHON_ENGINE
@@ -213,12 +213,6 @@ PROJECT_CONTACT_EMAIL = "[email protected]"
 PROJECT_CONTACT_WEBSITE = "https://your-product.website.here"
 
 
-# PROJECT_GPG_ID
-# Your GPG ID for signing here. Note that this requires GPG to be installed in
-# the system and the secret key is available for performing such transaction.
-PROJECT_GPG_ID = ""
-
-
 # PROJECT_CHANGELOG_TITLE
 # The title of the changelog file.
 PROJECT_CHANGELOG_TITLE = "Changelog | 更新日志 | Endringslogg | Cacatan Perubahan | Ändringslogg | 変更履歴"

diff --git a/automataCI/SECRETS-template.toml b/automataCI/SECRETS-template.toml
@@ -34,3 +34,71 @@ CONTAINER_USERNAME = ""
 # Use to login your container image's registry's service provider (e.g. Docker,
 # GitHub Packages) etc. This is the account password or token value.
 CONTAINER_PASSWORD = ""
+
+
+
+
+##########################
+# MICROSOFT              #
+##########################
+# MICROSOFT_CERT
+# The cert file for Microsoft Windows' code-signing certifcate use. The format
+# can be normal certifcate, SPC, or PKCS12.
+MICROSOFT_CERT = ""
+
+
+# MICROSOFT_CERT_HASH
+# The shasum algorithm of the certificate for Microsoft Windows' code-signing
+# certifcate use. It can be of the following values:
+#   1) 'SHA256'
+#   2) 'MD5'
+#   3) 'SHA1'
+#   4) 'SHA2'
+#   5) 'SHA384'
+#   6) 'SHA512'
+MICROSOFT_CERT_HASH = ""
+
+
+# MICROSOFT_CERT_TYPE
+# The cert type for Microsoft Windows' code-signing certifcate use. It can only
+# be the following values:
+#   1. 'CERT' - conventional cert format
+#   2. 'SPC' - SPC format
+#   3. 'PKCS12' - PKCS12 container format
+MICROSOFT_CERT_TYPE = ""
+
+
+# MICROSOFT_CERT_TIMESTAMP
+# The URL for sourcing the timestamp used in Microsoft Windows' code-signing
+# process. Although specification stated not required, AutomataCI set it as
+# compulsory. Known good cert location are:
+#   1. http://timestamp.digicert.com
+#   2. http://timestamp.sectigo.com
+MICROSOFT_CERT_TIMESTAMP = ""
+
+
+# MICROSOFT_KEYFILE
+# The private keyfile for Microsoft Windows' code-signing certifcate use. It is
+# optional if MICROSOFT_CERT is a PKCS12 format.
+MICROSOFT_CERT_KEYFILE = ""
+
+
+# MICROSOFT_CERT_PASSWORD
+# Private password to unlock the Microsoft Windows' code-signing certifcate and
+# private key for signing. Only used with osslsigncode and equivalent usually
+# in Notary stage.
+MICROSOFT_CERT_PASSWORD = ""
+
+
+
+
+##########################
+# APPLE                  #
+##########################
+# APPLE_DEVELOPER_ID
+# The developer ID used for notarization process.
+APPLE_DEVELOPER_ID = ""
+
+# APPLE_KEYCHAIN_PROFILE
+# The keychain access used for accessing notarization credentials.
+APPLE_KEYCHAIN_PROFILE = ""
diff --git a/automataCI/ci.ps1 b/automataCI/ci.ps1
@@ -167,6 +167,9 @@ switch ($args[0]) {
 } { $_ -in 'build', 'Build', 'BUILD' } {
 	$env:PROJECT_CI_JOB = "build"
 	$__exit = . "${env:PROJECT_PATH_ROOT}\${env:PROJECT_PATH_AUTOMATA}\common_windows-any.ps1"
+} { $_ -in 'notarize', 'Notarize', 'NOTARIZE' } {
+	$env:PROJECT_CI_JOB = "notarize"
+	$__exit = . "${env:PROJECT_PATH_ROOT}\${env:PROJECT_PATH_AUTOMATA}\notarize_windows-any.ps1"
 } { $_ -in 'package', 'Package', 'PACKAGE' } {
 	$env:PROJECT_CI_JOB = "package"
 	$__exit = . "${env:PROJECT_PATH_ROOT}\${env:PROJECT_PATH_AUTOMATA}\package_windows-any.ps1"
@@ -200,6 +203,7 @@ switch ($args[0]) {
 	Write-Host "        To test the repo 🠚              $ ./ci.cmd test"
 	Write-Host "        Like build but only for host 🠚  $ ./ci.cmd materialize"
 	Write-Host "        To build the repo 🠚             $ ./ci.cmd build"
+	Write-Host "        To notarize the builds 🠚        $ ./ci.cmd notarize"
 	Write-Host "        To package the repo product 🠚   $ ./ci.cmd package"
 	Write-Host "        To release the repo product 🠚   $ ./ci.cmd release"
 	Write-Host "        To stop a development 🠚         $ ./ci.cmd stop"

diff --git a/automataCI/ci.sh b/automataCI/ci.sh
@@ -225,6 +225,11 @@ build|Build|BUILD)
         . "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/common_unix-any.sh"
         code=$?
         ;;
+notarize|Notarize|NOTARIZE)
+        export PROJECT_CI_JOB="notarize"
+        . "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/notarize_unix-any.sh"
+        code=$?
+        ;;
 package|Package|PACKAGE)
         export PROJECT_CI_JOB="package"
         . "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/package_unix-any.sh"
@@ -270,6 +275,7 @@ purge|Purge|PURGE)
         printf "        To test the repo 🠚              $ ./ci.cmd test\n"
         printf "        Like build but only for host 🠚  $ ./ci.cmd materialize\n"
         printf "        To build the repo 🠚             $ ./ci.cmd build\n"
+        printf "        To notarize the builds 🠚        $ ./ci.cmd notarize\n"
         printf "        To package the repo product 🠚   $ ./ci.cmd package\n"
         printf "        To release the repo product 🠚   $ ./ci.cmd release\n"
         printf "        To stop a development 🠚         $ ./ci.cmd stop\n"

diff --git a/automataCI/docs/AutomataCI-Engineering-Specification.odt b/automataCI/docs/AutomataCI-Engineering-Specification.odt
diff --git a/automataCI/env_unix-any.sh b/automataCI/env_unix-any.sh
@@ -59,6 +59,14 @@ if [ $? -ne 0 ]; then
 fi
 
 
+OS::print_status info "Installing osslsigncode...\n"
+INSTALLER::setup_osslsigncode
+if [ $? -ne 0 ]; then
+        OS::print_status error "install failed.\n"
+        return 1
+fi
+
+
 if [ ! -z "$PROJECT_PYTHON" ]; then
         OS::print_status info "Installing python...\n"
         INSTALLER::setup_python

diff --git a/automataCI/notarize_unix-any.sh b/automataCI/notarize_unix-any.sh
@@ -0,0 +1,187 @@
+#!/bin/sh
+# Copyright 2023  (Holloway) Chew, Kean Ho <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at:
+#                 http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+
+
+
+# initialize
+if [ "$PROJECT_PATH_ROOT" = "" ]; then
+        >&2 printf "[ ERROR ] - Please run me from ci.cmd instead!\n"
+        return 1
+fi
+
+. "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/services/io/os.sh"
+. "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/services/io/fs.sh"
+. "${PROJECT_PATH_ROOT}/${PROJECT_PATH_AUTOMATA}/services/io/strings.sh"
+
+
+
+
+# source locally provided functions
+__recipe="${PROJECT_PATH_ROOT}/${PROJECT_PATH_SOURCE}/${PROJECT_PATH_CI}"
+__recipe="${__recipe}/notarize_unix-any.sh"
+FS::is_file "$__recipe"
+if [ $? -eq 0 ]; then
+        OS::print_status info "sourcing content assembling functions: ${__recipe}\n"
+        . "$__recipe"
+        if [ $? -ne 0 ]; then
+                OS::print_status error "Sourcing failed\n"
+                return 1
+        fi
+fi
+
+
+
+
+# source from Python and overrides existing
+if [ ! -z "$PROJECT_PYTHON" ]; then
+        __recipe="${PROJECT_PATH_ROOT}/${PROJECT_PYTHON}/${PROJECT_PATH_CI}"
+        __recipe="${__recipe}/notarize_unix-any.sh"
+        FS::is_file "$__recipe"
+        if [ $? -eq 0 ]; then
+                OS::print_status info \
+                        "sourcing Python content assembling functions: ${__recipe}\n"
+                . "$__recipe"
+                if [ $? -ne 0 ]; then
+                        OS::print_status error "Sourcing failed\n"
+                        return 1
+                fi
+        fi
+fi
+
+
+
+
+# source from Go and overrides existing
+if [ ! -z "$PROJECT_GO" ]; then
+        __recipe="${PROJECT_PATH_ROOT}/${PROJECT_GO}/${PROJECT_PATH_CI}"
+        __recipe="${__recipe}/notarize_unix-any.sh"
+        FS::is_file "$__recipe"
+        if [ $? -eq 0 ]; then
+                OS::print_status info "sourcing Go content assembling functions: ${__recipe}\n"
+                . "$__recipe"
+                if [ $? -ne 0 ]; then
+                        OS::print_status error "Sourcing failed\n"
+                        return 1
+                fi
+        fi
+fi
+
+
+
+
+# source from C and overrides existing
+if [ ! -z "$PROJECT_C" ]; then
+        __recipe="${PROJECT_PATH_ROOT}/${PROJECT_C}/${PROJECT_PATH_CI}"
+        __recipe="${__recipe}/notarize_unix-any.sh"
+        FS::is_file "$__recipe"
+        if [ $? -eq 0 ]; then
+                OS::print_status info "sourcing C content assembling functions: ${__recipe}\n"
+                . "$__recipe"
+                if [ $? -ne 0 ]; then
+                        OS::print_status error "Sourcing failed\n"
+                        return 1
+                fi
+        fi
+fi
+
+
+
+
+# source from Nim and overrides existing
+if [ ! -z "$PROJECT_NIM" ]; then
+        __recipe="${PROJECT_PATH_ROOT}/${PROJECT_NIM}/${PROJECT_PATH_CI}"
+        __recipe="${__recipe}/notarize_unix-any.sh"
+        FS::is_file "$__recipe"
+        if [ $? -eq 0 ]; then
+                OS::print_status info "sourcing Nim content assembling functions: ${__recipe}\n"
+                . "$__recipe"
+                if [ $? -ne 0 ]; then
+                        OS::print_status error "Sourcing failed\n"
+                        return 1
+                fi
+        fi
+fi
+
+
+
+
+# begin notarize
+for i in "${PROJECT_PATH_ROOT}/${PROJECT_PATH_BUILD}"/*; do
+        if [ -d "$i" ]; then
+                continue
+        fi
+
+        if [ ! -f "$i" ]; then
+                continue
+        fi
+
+
+        # parse build candidate
+        OS::print_status info "detected ${PROJECT_PATH_ROOT}/${PROJECT_PATH_BUILD}/${i}\n"
+        TARGET_FILENAME="${i##*${PROJECT_PATH_ROOT}/${PROJECT_PATH_BUILD}/}"
+        TARGET_FILENAME="${TARGET_FILENAME%.*}"
+        TARGET_OS="${TARGET_FILENAME##*_}"
+        TARGET_FILENAME="${TARGET_FILENAME%%_*}"
+        TARGET_ARCH="${TARGET_OS##*-}"
+        TARGET_OS="${TARGET_OS%%-*}"
+
+        if [ -z "$TARGET_OS" ] || [ -z "$TARGET_ARCH" ] || [ -z "$TARGET_FILENAME" ]; then
+                OS::print_status warning "failed to parse file. Skipping.\n"
+                continue
+        fi
+
+        STRINGS::has_prefix "$PROJECT_SKU" "$TARGET_FILENAME"
+        if [ $? -ne 0 ]; then
+                OS::print_status warning "incompatible file. Skipping.\n"
+                continue
+        fi
+
+
+        # execute
+        OS::is_command_available "NOTARY::certify"
+        if [ $? -eq 0 ]; then
+                NOTARY::certify \
+                        "$i" \
+                        "${PROJECT_PATH_ROOT}/${PROJECT_PATH_BUILD}" \
+                        "$TARGET_FILENAME" \
+                        "$TARGET_OS" \
+                        "$TARGET_ARCH"
+                case $? in
+                12)
+                        OS::print_status warning "simulating successful notarization...\n"
+                        ;;
+                11)
+                        OS::print_status warning "notarization unavailable. Skipping...\n"
+                        ;;
+                10)
+                        OS::print_status warning "notarization is not applicable. Skipping...\n"
+                        ;;
+                0)
+                        OS::print_status success "\n\n"
+                        ;;
+                *)
+                        OS::print_status error "notarization failed.\n"
+                        return 1
+                        ;;
+                esac
+        else
+                OS::print_status warning "NOTARY::certify is unavailable. Skipping...\n"
+        fi
+done
+
+
+
+
+# report status
+return 0