From 729c4ebb3814daac830c000dcfad3e5e2cd62de0 Mon Sep 17 00:00:00 2001
From: Kondal Kolipaka
Date: Fri, 4 Oct 2024 18:50:20 +0530
Subject: [PATCH 1/5] fix: sign jars to avoid notorization issues
---
 .github/workflows/signjars.yml | 56 ++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/signjars.yml
diff --git a/.github/workflows/signjars.yml b/.github/workflows/signjars.yml
new file mode 100644
index 000000000..9d225e12a
--- /dev/null
+++ b/.github/workflows/signjars.yml
@@ -0,0 +1,56 @@
+name: Java CI with Maven
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+
+ runs-on: macos-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: Sign JARs
+ run: |
+ # Export secrets as environment variables
+ export JARSIGNER_KEYSTORE_B64=${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
+ export JARSIGNER_STOREPASS=${{ secrets.JARSIGNER_REL_STOREPASS }}
+ export JARSIGNER_ALIAS=${{ secrets.JARSIGNER_REL_ALIAS }}
+
+ # Set up the keystore file path
+ KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ echo "Keystore file: ${KEYSTORE_FILE}"
+
+ # Decode and save the base64-encoded keystore to the file
+ printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
+
+ # Sign all JAR files located in the specified directory
+ LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.serial.monitor/lib"
+ echo "Signing JAR files in ${LIB_DIR}"
+ for jar in "${LIB_DIR}"/*.jar; do
+ echo "Signing JAR file: ${jar}"
+ jarsigner -keystore "${KEYSTORE_FILE}" \
+ -storepass "${JARSIGNER_STOREPASS}" \
+ -signedjar "${jar}" \
+ "${jar}" "${JARSIGNER_ALIAS}"
+ done
+
+ # Clean up the keystore file
+ rm -v "${KEYSTORE_FILE}"
+
+ - name: Upload Signed JAR Files
+ if: ${{ !cancelled() }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: signed-jar-files
+ path: BUNDLES/com.espressif.idf.serial.monitor/lib/*.jar
\ No newline at end of file
From 777aef2626a15c8f5e2401ab0e64857473f10295 Mon Sep 17 00:00:00 2001
From: Kondal Kolipaka
Date: Sat, 5 Oct 2024 08:34:27 +0530
Subject: [PATCH 2/5] Update signjars.yml
---
 .github/workflows/signjars.yml | 86 ++++++++++++++++++++++++----------
 1 file changed, 60 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/signjars.yml b/.github/workflows/signjars.yml
index 9d225e12a..26d7a1b3c 100644
--- a/.github/workflows/signjars.yml
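Review bot: `KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"` is not a workflow expression (the leading `$` is missing), so the decoded keystore is written to a file literally named `{{secrets.JARSIGNER_KEYSTORE}}` inside the checked-out workspace; a fixed path under `${RUNNER_TEMP}` would be the safer choice. The three `export ...=${{ secrets.* }}` lines splice secret values directly into the script text; passing them through the step's `env:` block keeps them out of the script, and jarsigner can then read the password with `-storepass:env JARSIGNER_STOREPASS` instead of taking it as a command-line argument visible in the process list. The `rm -v "${KEYSTORE_FILE}"` cleanup is skipped whenever an earlier command in the step fails, so the keystore stays on disk for the rest of the job; a `trap 'rm -f "${KEYSTORE_FILE}"' EXIT` right after the file is written makes the removal unconditional.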
+++ b/.github/workflows/signjars.yml @@ -1,4 +1,4 @@ -name: Java CI with Maven +name: Sign jars and internal native libraries on: push: 
@@ -8,49 +8,83 @@ on: jobs: build: - runs-on: macos-latest steps: - - uses: actions/checkout@v3 - + - name: Checkout code + uses: actions/checkout@v3 + - name: Set up JDK 17 uses: actions/setup-java@v3 with: java-version: '17' distribution: 'temurin' - - name: Sign JARs + - name: Codesign JARs and Internal Native Libraries + env: + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} + MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} run: | - # Export secrets as environment variables - export JARSIGNER_KEYSTORE_B64=${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }} - export JARSIGNER_STOREPASS=${{ secrets.JARSIGNER_REL_STOREPASS }} - export JARSIGNER_ALIAS=${{ secrets.JARSIGNER_REL_ALIAS }} - - # Set up the keystore file path - KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}" - echo "Keystore file: ${KEYSTORE_FILE}" - - # Decode and save the base64-encoded keystore to the file - printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}" + # Step 1: Decode and import the certificate into a keychain + echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + /usr/bin/security create-keychain -p espressif build.keychain + /usr/bin/security default-keychain -s build.keychain + /usr/bin/security unlock-keychain -p espressif build.keychain + /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign + /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain - # Sign all JAR files located in the specified directory + # Step 2: Define the directory containing the JARs and native libraries and the temp directory for signed JARs LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.serial.monitor/lib" - echo "Signing JAR files in ${LIB_DIR}" + SIGNED_JARS_DIR="${RUNNER_TEMP}/signed-jars" # Use GitHub's RUNNER_TEMP for storing signed JARs + mkdir -p "$SIGNED_JARS_DIR" + + # Step 3: Extract, sign native libraries, repackage, and sign the JARs with Apple codesign for jar in 
"${LIB_DIR}"/*.jar; do - echo "Signing JAR file: ${jar}" - jarsigner -keystore "${KEYSTORE_FILE}" \ - -storepass "${JARSIGNER_STOREPASS}" \ - -signedjar "${jar}" \ - "${jar}" "${JARSIGNER_ALIAS}" + echo "Processing JAR file: ${jar}" + + # Check if the JAR exists + if [ -f "$jar" ]; then + echo "JAR file found: ${jar}" + else + echo "JAR file not found: ${jar}" + continue + fi + + # Create a temporary directory to extract the JAR contents + TEMP_DIR=$(mktemp -d) + unzip -q "$jar" -d "$TEMP_DIR" + + # Find and sign all .jnilib and .dylib files in the extracted JAR directory + find "$TEMP_DIR" -name "*.jnilib" -o -name "*.dylib" | while read lib; do + echo "Signing native library: ${lib}" + /usr/bin/codesign -vvvv --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" --timestamp --deep "$lib" + done + + # Repackage the signed JAR + pushd "$TEMP_DIR" + zip -r "${SIGNED_JARS_DIR}/$(basename "$jar")" * # Save signed JAR to the temporary signed directory + popd + + # Sign the entire JAR with Apple codesign, using the same entitlements + echo "Signing repackaged JAR: ${SIGNED_JARS_DIR}/$(basename "$jar")" + /usr/bin/codesign -vvvv --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --force --deep --options runtime --timestamp -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. 
(QWXF6GB4AV)" "${SIGNED_JARS_DIR}/$(basename "$jar")" + + # Verify the signed JAR + echo "Verifying signed JAR: ${SIGNED_JARS_DIR}/$(basename "$jar")" + /usr/bin/codesign -dvv "${SIGNED_JARS_DIR}/$(basename "$jar")" + + # Clean up extracted directory (but leave the signed JAR in SIGNED_JARS_DIR) + rm -rf "$TEMP_DIR" done - # Clean up the keystore file - rm -v "${KEYSTORE_FILE}" + - name: Check if signed JAR files exist + run: | + echo "Checking signed JAR files in ${SIGNED_JARS_DIR}:" + ls -al ${SIGNED_JARS_DIR} - name: Upload Signed JAR Files if: ${{ !cancelled() }} uses: actions/upload-artifact@v4 with: name: signed-jar-files - path: BUNDLES/com.espressif.idf.serial.monitor/lib/*.jar \ No newline at end of file + path: ${{ runner.temp }}/signed-jars/* \ No newline at end of file From b971bd58f67778259d67517280e564e16045c5d2 Mon Sep 17 00:00:00 2001 From: Kondal Kolipaka Date: Mon, 7 Oct 2024 10:48:19 +0530 Subject: [PATCH 3/5] Update signjars.yml --- .github/workflows/signjars.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/signjars.yml b/.github/workflows/signjars.yml index 26d7a1b3c..e78fbb5f0 100644 --- a/.github/workflows/signjars.yml +++ b/.github/workflows/signjars.yml @@ -76,11 +76,20 @@ jobs: # Clean up extracted directory (but leave the signed JAR in SIGNED_JARS_DIR) rm -rf "$TEMP_DIR" done + + - name: Verify Signed JAR Files Before Upload + run: | + for jar in ${{ runner.temp }}/signed-jars/*; do + echo "Verifying signed JAR: ${jar}" + /usr/bin/codesign -dvv "${jar}" + done - - name: Check if signed JAR files exist + - name: Display Signed JAR Files run: | - echo "Checking signed JAR files in ${SIGNED_JARS_DIR}:" - ls -al ${SIGNED_JARS_DIR} + echo "Displaying the signed JAR directory:" + ls -al ${{ runner.temp }}/signed-jars/ + echo "Listing all files in the signed JAR directory:" + find ${{ runner.temp }}/signed-jars/ -type f - name: Upload Signed JAR Files if: ${{ !cancelled() }} 
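Review bot: `if: ${{ !cancelled() }}` on the upload step runs the artifact upload even when the signing step failed, so a JAR that was repackaged by `zip` but whose outer `codesign` call (or one of the `.jnilib`/`.dylib` signatures inside it) did not succeed can still be published as `signed-jar-files`; removing the condition, which restores the default `success()` gate, keeps failed runs from producing an artifact. The decoded `certificate.p12` and the `build.keychain` it is imported into are never removed, whereas the replaced version at least deleted its keystore; a final step with `if: always()` that removes both is needed, as sketched below. `SIGNED_JARS_DIR` is a shell variable of the signing step and is not set in the next `Check if signed JAR files exist` step, so `ls -al ${SIGNED_JARS_DIR}` lists the working directory rather than the signed output. Repackaging with `zip -r ... *` from the extracted tree also skips dotfiles and does not keep the original entry order, which tools that expect `META-INF/MANIFEST.MF` first may not accept; rebuilding with `jar -cfm` against the extracted manifest would produce a conforming JAR.
```yaml
      # … unchanged: checkout, JDK setup, codesign step, upload step …
      - name: Remove signing material
        if: always()
        run: |
          rm -f certificate.p12
          /usr/bin/security delete-keychain build.keychain
```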
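Review bot: `/usr/bin/codesign -dvv "${jar}"` in the new `Verify Signed JAR Files Before Upload` step only displays the existing signature and does not validate it, so a JAR whose contents changed after signing still passes this step; `/usr/bin/codesign --verify --verbose=2 "${jar}"` is the call that actually checks the signature and fails on a mismatch. The loop header `for jar in ${{ runner.temp }}/signed-jars/*; do` leaves the expansion unquoted; `for jar in "${{ runner.temp }}/signed-jars/"*; do` is the safe form even though the path currently contains no spaces. A JAR is a plain zip rather than a Mach-O binary or bundle, so its outer signature is presumably stored in extended attributes that `actions/upload-artifact` would not carry across; it would be worth confirming with a `codesign --verify` on a downloaded artifact that the outer signature survives, since the signatures on the native libraries inside the JAR are what the rest of this workflow relies on.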
From 45eea3168fa7524d89b491f15cde5bb66ed16119 Mon Sep 17 00:00:00 2001 From: Kondal Kolipaka Date: Mon, 7 Oct 2024 11:03:14 +0530 Subject: [PATCH 4/5] Update signjars.yml --- .github/workflows/signjars.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/signjars.yml b/.github/workflows/signjars.yml index e78fbb5f0..4661cd697 100644 --- a/.github/workflows/signjars.yml +++ b/.github/workflows/signjars.yml @@ -34,7 +34,7 @@ jobs: /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain # Step 2: Define the directory containing the JARs and native libraries and the temp directory for signed JARs - LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.serial.monitor/lib" + LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.launch.serial.ui/lib" SIGNED_JARS_DIR="${RUNNER_TEMP}/signed-jars" # Use GitHub's RUNNER_TEMP for storing signed JARs mkdir -p "$SIGNED_JARS_DIR" @@ -79,10 +79,10 @@ jobs: - name: Verify Signed JAR Files Before Upload run: | - for jar in ${{ runner.temp }}/signed-jars/*; do - echo "Verifying signed JAR: ${jar}" - /usr/bin/codesign -dvv "${jar}" - done + for jar in ${{ runner.temp }}/signed-jars/*; do + echo "Verifying signed JAR: ${jar}" + /usr/bin/codesign -dvv "${jar}" + done - name: Display Signed JAR Files run: | From cf63e72c5cb3c52dc416c690938ebacc49807b4f Mon Sep 17 00:00:00 2001 From: Kondal Kolipaka Date: Mon, 7 Oct 2024 11:05:38 +0530 Subject: [PATCH 5/5] Update signjars.yml --- .github/workflows/signjars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/signjars.yml b/.github/workflows/signjars.yml index 4661cd697..a00d9e88d 100644 --- a/.github/workflows/signjars.yml +++ b/.github/workflows/signjars.yml 
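Review bot: The new `LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.launch.serial.ui/lib"` is corrected again to `libs` in the following patch, and nothing in the workflow fails when the directory does not exist: `"${LIB_DIR}"/*.jar` then stays a literal pattern, the `-f` check in the loop body (outside this hunk) just `continue`s, and the run ends successfully with nothing signed. A guard before the loop, `[ -d "${LIB_DIR}" ] || { echo "missing ${LIB_DIR}"; exit 1; }`, together with `shopt -s nullglob` so an empty match is visible, would turn a wrong path into a failed job instead of an empty artifact. The second hunk of this patch only re-indents the verify loop.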
@@ -34,7 +34,7 @@ jobs: /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain # Step 2: Define the directory containing the JARs and native libraries and the temp directory for signed JARs - LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.launch.serial.ui/lib" + LIB_DIR="${PWD}/BUNDLES/com.espressif.idf.launch.serial.ui/libs" SIGNED_JARS_DIR="${RUNNER_TEMP}/signed-jars" # Use GitHub's RUNNER_TEMP for storing signed JARs mkdir -p "$SIGNED_JARS_DIR"