mirrors/keepassxc
1
0
Fork 0
mirror of https://github.com/keepassxreboot/keepassxc.git synced 2025-04-05 13:37:43 +03:00
Code Issues Projects Releases Packages Wiki Activity

Prepare release-tool for Apple Silicon builds

Browse source 
Changes:

- Set correct target architecture when building on ARM64.
- Split signing and notarization into separate commands. This eases the
  workflow when notarization fails because changes to Apple's ToS have
  not yet been accepted on iTunes Connect.
- Sign all binaries and frameworks individually instead of using --deep.
  This is the correct way of signing apps and it avoids weird problems
  during signature verification.
- Fix signing of AppDirs, which was supposed to work, but never did.
This commit is contained in:
Janek Bevendorff 2021-01-30 00:39:36 +01:00 committed by Jonathan White
parent 3b30855855
commit 2e6c22d44d
1 changed files with 163 additions and 90 deletions
Download patch file Download diff file Expand all files Collapse all files

231
release-tool
View file

@ -37,7 +37,7 @@ DOCKER_CONTAINER_NAME="keepassxc-build-container"
CMAKE_OPTIONS="" CMAKE_OPTIONS=""
CPACK_GENERATORS="WIX;ZIP" CPACK_GENERATORS="WIX;ZIP"
COMPILER="g++" COMPILER="g++"
MAKE_OPTIONS="-j8" MAKE_OPTIONS="-j$(getconf _NPROCESSORS_ONLN)"
BUILD_PLUGINS="all" BUILD_PLUGINS="all"
INSTALL_PREFIX="/usr/local" INSTALL_PREFIX="/usr/local"
ORIG_BRANCH="" ORIG_BRANCH=""
@ -53,7 +53,7 @@ printUsage() {
if [ "" == "$1" ] || [ "help" == "$1" ]; then if [ "" == "$1" ] || [ "help" == "$1" ]; then
cmd="COMMAND" cmd="COMMAND"
elif [ "check" == "$1" ] || [ "merge" == "$1" ] || [ "build" == "$1" ] \ elif [ "check" == "$1" ] || [ "merge" == "$1" ] || [ "build" == "$1" ] \
|| [ "gpgsign" == "$1" ] || [ "appsign" == "$1" ] || [ "appimage" == "$1" ]; then || [ "gpgsign" == "$1" ] || [ "appsign" == "$1" ] || [ "notarize" == "$1" ] || [ "appimage" == "$1" ]; then
cmd="$1" cmd="$1"
else else
logError "Unknown command: '$1'\n" logError "Unknown command: '$1'\n"
@ -71,6 +71,7 @@ Commands:
build Build and package binary release from sources build Build and package binary release from sources
gpgsign Sign previously compiled release packages with GPG gpgsign Sign previously compiled release packages with GPG
appsign Sign binaries with code signing certificates on Windows and macOS appsign Sign binaries with code signing certificates on Windows and macOS
notarize Submit macOS application DMG for notarization
help Show help for the given command help Show help for the given command
EOF EOF
elif [ "merge" == "$cmd" ]; then elif [ "merge" == "$cmd" ]; then
@ -144,7 +145,16 @@ Options:
-f, --files Files to sign (required) -f, --files Files to sign (required)
-k, --key, -i, --identity -k, --key, -i, --identity
Signing Key or Apple Developer ID (required) Signing Key or Apple Developer ID (required)
-u, --username Apple username for notarization (required on macOS) -h, --help Show this help
EOF
elif [ "notarize" == "$cmd" ]; then
cat << EOF
Submit macOS application DMG for notarization
Options:
-f, --files Files to notarize (required)
-u, --username Apple username for notarization (required)
-c, --keychain Apple keychain entry name storing the notarization -c, --keychain Apple keychain entry name storing the notarization
app password (default: 'AC_PASSWORD') app password (default: 'AC_PASSWORD')
-h, --help Show this help -h, --help Show this help
@ -401,7 +411,7 @@ performChecks() {
checkTargetBranchExists checkTargetBranchExists
logInfo "Checking out '${SOURCE_BRANCH}'..." logInfo "Checking out '${SOURCE_BRANCH}'..."
git checkout "$SOURCE_BRANCH" git checkout "$SOURCE_BRANCH" > /dev/null 2>&1
logInfo "Attempting to find '${RELEASE_NAME}' in various files..." logInfo "Attempting to find '${RELEASE_NAME}' in various files..."
@ -534,7 +544,7 @@ merge() {
COMMIT_MSG="Release ${RELEASE_NAME}" COMMIT_MSG="Release ${RELEASE_NAME}"
logInfo "Checking out target branch '${TARGET_BRANCH}'..." logInfo "Checking out target branch '${TARGET_BRANCH}'..."
git checkout "$TARGET_BRANCH" git checkout "$TARGET_BRANCH" > /dev/null 2>&1
logInfo "Merging '${SOURCE_BRANCH}' into '${TARGET_BRANCH}'..." logInfo "Merging '${SOURCE_BRANCH}' into '${TARGET_BRANCH}'..."
@ -877,7 +887,7 @@ build() {
CMAKE_OPTIONS="${CMAKE_OPTIONS} -DKEEPASSXC_BUILD_TYPE=Release" CMAKE_OPTIONS="${CMAKE_OPTIONS} -DKEEPASSXC_BUILD_TYPE=Release"
logInfo "Checking out release tag '${TAG_NAME}'..." logInfo "Checking out release tag '${TAG_NAME}'..."
fi fi
git checkout "$TAG_NAME" git checkout "$TAG_NAME" > /dev/null 2>&1
fi fi
logInfo "Creating output directory..." logInfo "Creating output directory..."
@ -949,8 +959,8 @@ build() {
logInfo "Configuring build..." logInfo "Configuring build..."
cmake -DCMAKE_BUILD_TYPE=Release \ cmake -DCMAKE_BUILD_TYPE=Release \
-DCMAKE_OSX_ARCHITECTURES=x86_64 -DCMAKE_INSTALL_PREFIX="${INSTALL_PREFIX}" \ -DCMAKE_OSX_ARCHITECTURES="$(uname -m)" -DCMAKE_INSTALL_PREFIX="${INSTALL_PREFIX}" \
-DCMAKE_PREFIX_PATH="/usr/local/opt/qt/lib/cmake" \ -DCMAKE_PREFIX_PATH="/opt/homebrew/opt/qt/lib/cmake;/usr/local/opt/qt/lib/cmake" \
${CMAKE_OPTIONS} "$SRC_DIR" ${CMAKE_OPTIONS} "$SRC_DIR"
logInfo "Compiling and packaging sources..." logInfo "Compiling and packaging sources..."
@ -962,7 +972,7 @@ build() {
appsign "-f" "./${APP_NAME}-${RELEASE_NAME}.dmg" "-k" "${build_key}" appsign "-f" "./${APP_NAME}-${RELEASE_NAME}.dmg" "-k" "${build_key}"
fi fi
mv "./${APP_NAME}-${RELEASE_NAME}.dmg" ../ mv "./${APP_NAME}-${RELEASE_NAME}.dmg" "../${APP_NAME}-${RELEASE_NAME}-$(uname -m).dmg"
elif [ "$(uname -o)" == "Msys" ]; then elif [ "$(uname -o)" == "Msys" ]; then
# Building on Windows with Msys2 # Building on Windows with Msys2
logInfo "Configuring build..." logInfo "Configuring build..."
@ -1130,8 +1140,6 @@ gpgsign() {
appsign() { appsign() {
local sign_files=() local sign_files=()
local key local key
local ac_username
local ac_keychain="AC_PASSWORD"
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
local arg="$1" local arg="$1"
@ -1146,14 +1154,6 @@ appsign() {
key="$2" key="$2"
shift ;; shift ;;
-u|--username)
ac_username="$2"
shift ;;
-c|--keychain)
ac_keychain="$2"
shift ;;
-h|--help) -h|--help)
printUsage "appsign" printUsage "appsign"
exit ;; exit ;;
@ -1179,16 +1179,12 @@ appsign() {
fi fi
for f in "${sign_files[@]}"; do for f in "${sign_files[@]}"; do
if [ ! -f "${f}" ]; then if [ ! -e "${f}" ]; then
exitError "File '${f}' does not exist or is not a file!" exitError "File '${f}' does not exist!"
fi fi
done done
if [ "$(uname -s)" == "Darwin" ]; then if [ "$(uname -s)" == "Darwin" ]; then
if [ "$ac_username" == "" ]; then
exitError "Missing arguments, --username is required!"
fi
checkXcodeSetup checkXcodeSetup
checkGrepCompat checkGrepCompat
@ -1199,30 +1195,45 @@ appsign() {
logInfo "Unpacking disk image '${f}'..." logInfo "Unpacking disk image '${f}'..."
local tmp_dir="/tmp/KeePassXC_${RANDOM}" local tmp_dir="/tmp/KeePassXC_${RANDOM}"
mkdir -p ${tmp_dir}/mnt mkdir -p ${tmp_dir}/mnt
hdiutil attach -quiet -noautoopen -mountpoint ${tmp_dir}/mnt "${f}" if ! hdiutil attach -quiet -noautoopen -mountpoint ${tmp_dir}/mnt "${f}"; then
exitError "DMG mount failed!"
fi
cd ${tmp_dir} cd ${tmp_dir}
cp -a ./mnt ./app cp -a ./mnt ./app
hdiutil detach -quiet ${tmp_dir}/mnt hdiutil detach -quiet ${tmp_dir}/mnt
local app_dir_tmp="./app/KeePassXC.app"
if [ ! -d ./app/KeePassXC.app ]; then if [ ! -d "$app_dir_tmp" ]; then
cd "${orig_dir}" cd "${orig_dir}"
exitError "Unpacking failed!" exitError "Unpacking failed!"
fi fi
elif [[ ${f: -4} == '.app' ]]; then
local app_dir_tmp="$f"
else
logWarn "Skipping non-app file '${f}'..."
continue
fi
logInfo "Signing app bundle..." logInfo "Signing libraries and frameworks..."
xcrun codesign --sign "${key}" --verbose --deep --options runtime ./app/KeePassXC.app if ! find "$app_dir_tmp" \( -name '*.dylib' -o -name '*.framework' \) -print0 | xargs -0 \
xcrun codesign --sign "${key}" --verbose --force --options runtime; then
# Sign main binary and libraries independently so we can keep using the convenient --deep cd "${orig_dir}"
# option while avoiding adding entitlements recursively exitError "Signing failed!"
logInfo "Signing main binary..." fi
xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \ logInfo "Signing executables..."
"${real_src_dir}/share/macosx/keepassxc.entitlements" ./app/KeePassXC.app/Contents/MacOS/KeePassXC if ! find "${app_dir_tmp}/Contents/MacOS" \( -type f -not -name KeePassXC \) -print0 | xargs -0 \
xcrun codesign --sign "${key}" --verbose --force --options runtime; then
if [ 0 -ne $? ]; then cd "${orig_dir}"
exitError "Signing failed!"
fi
# Sign main executable with additional entitlements
if ! xcrun codesign --sign "${key}" --verbose --force --options runtime --entitlements \
"${real_src_dir}/share/macosx/keepassxc.entitlements" "${app_dir_tmp}/Contents/MacOS/KeePassXC"; then
cd "${orig_dir}" cd "${orig_dir}"
exitError "Signing failed!" exitError "Signing failed!"
fi fi
if [[ ${f: -4} == '.dmg' ]]; then
logInfo "Repacking disk image..." logInfo "Repacking disk image..."
hdiutil create \ hdiutil create \
-volname "KeePassXC" \ -volname "KeePassXC" \
@ -1236,13 +1247,110 @@ appsign() {
cd "${orig_dir}" cd "${orig_dir}"
cp -f "${tmp_dir}/$(basename "${f}")" "${f}" cp -f "${tmp_dir}/$(basename "${f}")" "${f}"
rm -Rf ${tmp_dir} rm -Rf ${tmp_dir}
fi
logInfo "Submitting disk image for notarization..." logInfo "File '${f}' successfully signed."
local status="$(xcrun altool --notarize-app \ done
elif [ "$(uname -o)" == "Msys" ]; then
if [[ ! -f "${key}" ]]; then
exitError "Key file was not found!"
fi
read -s -p "Key password: " password
echo
for f in "${sign_files[@]}"; do
ext=${f: -4}
if [[ $ext == ".msi" || $ext == ".exe" || $ext == ".dll" ]]; then
# Make sure we can find the signtool
checkSigntoolCommandExists
# osslsigncode does not succeed at signing MSI files at this time...
logInfo "Signing file '${f}' using Microsoft signtool..."
if ! signtool sign -f "${key}" -p "${password}" -d "KeePassXC" -td sha256 \
-fd sha256 -tr "http://timestamp.comodoca.com/authenticode" "${f}"; then
exitError "Signing failed!"
fi
else
logInfo "Skipping non-executable file '${f}'..."
fi
done
else
exitError "Unsupported platform for code signing!\n"
fi
logInfo "All done!"
}
# -----------------------------------------------------------------------
# notarize command
# -----------------------------------------------------------------------
notarize() {
local notarize_files=()
local ac_username
local ac_keychain="AC_PASSWORD"
while [ $# -ge 1 ]; do
local arg="$1"
case "$arg" in
-f|--files)
while [ "${2:0:1}" != "-" ] && [ $# -ge 2 ]; do
notarize_files+=("$2")
shift
done ;;
-u|--username)
ac_username="$2"
shift ;;
-c|--keychain)
ac_keychain="$2"
shift ;;
-h|--help)
printUsage "notarize"
exit ;;
*)
logError "Unknown option '$arg'\n"
printUsage "notarize"
exit 1 ;;
esac
shift
done
if [ "$(uname -s)" != "Darwin" ]; then
exitError "Notarization is only supported on macOS!"
fi
if [ -z "${notarize_files}" ]; then
logError "Missing arguments, --files is required!\n"
printUsage "notarize"
exit 1
fi
if [ "$ac_username" == "" ]; then
logError "Missing arguments, --username is required!"
printUsage "notarize"
exit 1
fi
for f in "${notarize_files[@]}"; do
if [[ ${f: -4} != '.dmg' ]]; then
logWarn "Skipping non-DMG file '${f}'..."
continue
fi
logInfo "Submitting disk image '${f}' for notarization..."
local status
status="$(xcrun altool --notarize-app \
--primary-bundle-id "org.keepassxc.keepassxc" \ --primary-bundle-id "org.keepassxc.keepassxc" \
--username "${ac_username}" \ --username "${ac_username}" \
--password "@keychain:${ac_keychain}" \ --password "@keychain:${ac_keychain}" \
--file "${f}")" --file "${f}" 2> /dev/null)"
if [ 0 -ne $? ]; then if [ 0 -ne $? ]; then
logError "Submission failed!" logError "Submission failed!"
@ -1258,7 +1366,7 @@ appsign() {
status="$(xcrun altool --notarization-info "${ticket}" \ status="$(xcrun altool --notarization-info "${ticket}" \
--username "${ac_username}" \ --username "${ac_username}" \
--password "@keychain:${ac_keychain}")" --password "@keychain:${ac_keychain}" 2> /dev/null)"
if echo "$status" | $GREP -q "Status Code: 0"; then if echo "$status" | $GREP -q "Status Code: 0"; then
logInfo "\nNotarization successful." logInfo "\nNotarization successful."
@ -1278,44 +1386,8 @@ appsign() {
exitError "Stapling failed!" exitError "Stapling failed!"
fi fi
logInfo "Disk image successfully signed and notarized." logInfo "Disk image successfully notarized."
else
logWarn "Skipping non-DMG file '${f}'..."
fi
done done
elif [ "$(uname -o)" == "Msys" ]; then
if [[ ! -f "${key}" ]]; then
exitError "Key file was not found!"
fi
read -s -p "Key password: " password
echo
for f in "${sign_files[@]}"; do
ext=${f: -4}
if [[ $ext == ".msi" || $ext == ".exe" || $ext == ".dll" ]]; then
# Make sure we can find the signtool
checkSigntoolCommandExists
# osslsigncode does not succeed at signing MSI files at this time...
logInfo "Signing file '${f}' using Microsoft signtool..."
signtool sign -f "${key}" -p "${password}" -d "KeePassXC" -td sha256 \
-fd sha256 -tr "http://timestamp.comodoca.com/authenticode" "${f}"
if [ 0 -ne $? ]; then
exitError "Signing failed!"
fi
else
logInfo "Skipping non-executable file '${f}'..."
fi
done
else
exitError "Unsupported platform for code signing!\n"
fi
logInfo "All done!"
} }
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
@ -1331,7 +1403,8 @@ elif [ "help" == "$MODE" ]; then
printUsage "$1" printUsage "$1"
exit exit
elif [ "check" == "$MODE" ] || [ "merge" == "$MODE" ] || [ "build" == "$MODE" ] \ elif [ "check" == "$MODE" ] || [ "merge" == "$MODE" ] || [ "build" == "$MODE" ] \
|| [ "gpgsign" == "$MODE" ] || [ "appsign" == "$MODE" ] || [ "appimage" == "$MODE" ]; then || [ "gpgsign" == "$MODE" ] || [ "appsign" == "$MODE" ]|| [ "notarize" == "$MODE" ] \
|| [ "appimage" == "$MODE" ]; then
${MODE} "$@" ${MODE} "$@"
else else
printUsage "$MODE" printUsage "$MODE"