WIP

Signed-off-by: Joaquim Rocha <[email protected]>
headlamp-k8s · Feb 15, 2024 · 3571b7d · 3571b7d
1 parent 5cf3f0d
commit 3571b7d
Show file tree

Hide file tree

Showing 3 changed files with 242 additions and 9 deletions.
diff --git a/.github/workflows/app-artifacts-mac.yml b/.github/workflows/app-artifacts-mac.yml
@@ -33,24 +33,89 @@ jobs:
     - name: Add MacOS certs
       run: cd ./app/mac/scripts/ && sh ./setup-certificate.sh
       env:
-        APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
-        APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        APPLE_CERTIFICATE: ${{ secrets.TEST_APPLE_DEV_CERT }}
+        APPLE_CERTIFICATE_PASSWORD: ${{ secrets.TEST_APPLE_DEV_CERT_PASS }}
     - name: Build Notarized App Mac
       if: ${{ inputs.signBinaries }}
       run: |
         make app-mac
-      env:
-        APPLEID: ${{ secrets.APPLEID }}
-        APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
-        APPLETEAMID: ${{ secrets.APPLETEAMID }}
+      # env:
+      #   APPLEID: ${{ secrets.APPLEID }}
+      #   APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
+      #   APPLETEAMID: ${{ secrets.APPLETEAMID }}
     - name: Build App Mac
       if: ${{ ! inputs.signBinaries }}
       run: |
         make app-mac
+    - name: CodeSign
+      run: |
+        cd ./app/dist && codesign -s ${{ secrets.TEST_APPLE_TEAM_ID }} --deep --force --options runtime --entitlements ../../mac/entitlements.mac.plist ./Headlamp.app
+    - name: Zip Artifact
+      run: |
+        cd ./app/dist && zip -r -X -y ./Headlamp.zip Headlamp.app
     - name: Upload artifact
       uses: actions/upload-artifact@v4
       with:
-        name: DMGs
-        path: ./app/dist/Headlamp*.*
+        name: zipbuild
+        path: ./app/dist/Headlamp.zip
         if-no-files-found: error
         retention-days: 1
+  notarize:
+    runs-on: windows-latest
+    needs: build-mac
+    if: ${{ inputs.signBinaries }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.inputs.buildBranch }}
+    - name: Setup nodejs
+      uses: actions/setup-node@v4
+      with:
+        node-version: 18.x
+    - name: Download artifact
+      uses: actions/download-artifact@v2
+      with:
+        name: zipbuild
+        path: ./app/dist
+    - name: Fetch certificates
+      if: ${{ inputs.signBinaries }}
+      shell: pwsh
+      run: |
+        az login --service-principal -u ${{ secrets.WINDOWS_CLIENT_ID }} -p ${{ secrets.AZ_LOGIN_PASS }}  --tenant 72f988bf-86f1-41af-91ab-2d7cd011db47
+        az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name HeadlampAuthCert --file c:\HeadlampAuthCert.pfx --encoding base64
+        az keyvault secret download --subscription ${{ secrets.AZ_SUBSCRIPTION_ID }} --vault-name headlamp --name ESRPHeadlampReqCert --file c:\HeadlampReqCert.pfx --encoding base64
+    - name: Set up certificates
+      if: ${{ inputs.signBinaries }}
+      shell: pwsh
+      run: |
+        Import-PfxCertificate -FilePath c:\HeadlampAuthCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable
+        Import-PfxCertificate -FilePath c:\HeadlampReqCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Exportable
+
+    - name: Download and Set up ESRPClient
+      if: ${{ inputs.signBinaries }}
+      shell: pwsh
+      run: |
+        nuget.exe sources add -name esrp -source ${{ secrets.ESRP_NUGET_INDEX_URL }} -username headlamp -password ${{ secrets.AZ_DEVOPS_TOKEN }}
+        nuget.exe install Microsoft.EsrpClient -Version 1.2.80 -source  ${{ secrets.ESRP_NUGET_INDEX_URL }} | out-null
+
+    - name: App Windows
+      shell: pwsh
+      run: |
+        ls
+        if ("${{ inputs.signBinaries }}" -eq "true") {
+          $env:ESRP_PATH="$(Get-Location)\..\Microsoft.EsrpClient.1.2.80\tools\EsrpClient.exe"
+          $env:HEADLAMP_WINDOWS_CLIENT_ID="${{ secrets.WINDOWS_CLIENT_ID }}"
+          $env:HEADLAMP_WINDOWS_SIGN_EMAIL="${{ secrets.WINDOWS_SIGN_EMAIL }}"
+        } else {
+          echo "Not signing binaries"
+        }
+        cd ./app/mac/scripts
+        node ./esrp-notarize.js ../../dist/Headlamp.zip
+
+    - name: Upload Notarized
+      uses: actions/upload-artifact@v4
+      with:
+        name: Win exes
+        path: ./app/dist/Headlamp*.*
+        if-no-files-found: error
+        retention-days: 2
diff --git a/Makefile b/Makefile
@@ -36,7 +36,7 @@ app-win-msi: app-build
 app-linux: app-build
 	cd app && npm run package -- --linux
 app-mac: app-build
-	cd app && npm run package -- --mac
+	cd app && npm run build
 
 .PHONY: backend
 backend:

diff --git a/app/mac/scripts/esrp-notarize.js b/app/mac/scripts/esrp-notarize.js
@@ -0,0 +1,168 @@
+const { execSync } = require('child_process');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+
+const SIGN_JSON_TEMPLATE = {
+  Version: '1.0.0',
+  DriEmail: [`${process.env.HEADLAMP_WINDOWS_SIGN_EMAIL}`],
+  GroupId: null,
+  CorrelationVector: null,
+  SignBatches: [],
+};
+
+const POLICY_JSON = {
+  Version: '1.0.0',
+  Intent: '',
+  ContentType: '',
+  ContentOrigin: '',
+  ProductState: '',
+  Audience: '',
+};
+
+const AUTH_JSON = {
+  Version: '1.0.0',
+  AuthenticationType: 'AAD_CERT',
+  ClientId: `${process.env.HEADLAMP_WINDOWS_CLIENT_ID}`,
+  AuthCert: {
+    SubjectName: `CN=${process.env.HEADLAMP_WINDOWS_CLIENT_ID}.microsoft.com`,
+    StoreLocation: 'LocalMachine',
+    StoreName: 'My',
+    SendX5c: 'true',
+  },
+  RequestSigningCert: {
+    SubjectName: `CN=${process.env.HEADLAMP_WINDOWS_CLIENT_ID}`,
+    StoreLocation: 'LocalMachine',
+    StoreName: 'My',
+  },
+};
+
+function getFileList(rootDir) {
+  let files = {};
+  let dirs = ['.'];
+  while (dirs.length > 0) {
+    const dirName = dirs.shift();
+    const curDir = path.join(rootDir, dirName);
+
+    fs.readdirSync(curDir).forEach(file => {
+      if (['node_modules', '.git'].includes(file)) {
+        return;
+      }
+      const filepath = path.resolve(rootDir, dirName, file);
+      const stat = fs.statSync(filepath);
+      if (stat.isDirectory() && !files[file]) {
+        dirs.push(path.join(dirName, file));
+        files[file] = [];
+      } else {
+        if (!files[dirName]) {
+          files[dirName] = [];
+        }
+
+        files[dirName].push(file);
+      }
+    });
+  }
+  return files;
+}
+
+function createJson(pathToSign, fileName = 'test_SignInput.json') {
+  let rootDir = pathToSign;
+  let files = {};
+
+  // Check if we are signing one single file or all files in a directory
+  const stat = fs.statSync(pathToSign);
+  console.log('>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>', pathToSign, stat);
+  if (stat.isFile()) {
+    rootDir = path.dirname(pathToSign);
+    files = { '.': [path.basename(pathToSign)] };
+  } else {
+    files = getFileList(pathToSign);
+  }
+
+  const filesJson = (dir, files) => {
+    return {
+      SourceLocationType: 'UNC',
+      SourceRootDirectory: path.resolve(rootDir, dir),
+      SignRequestFiles: files.map(f => ({
+        SourceLocation: f,
+        SourceHash: '',
+        HashType: null,
+        Name: f,
+      })),
+      SigningInfo: {
+        Operations: [
+          {
+            KeyCode: 'CP-401337-Apple',
+
+            OperationCode: 'MacAppDeveloperSign',
+
+            Parameters: {
+              Hardening: '--options=runtime', // this parameter enables the hardening flag during signing.
+            },
+
+            ToolName: 'sign',
+
+            ToolVersion: '1.0',
+          },
+        ],
+      },
+    };
+  };
+
+  SIGN_JSON_TEMPLATE.SignBatches = Object.keys(files)
+    .map(dir => filesJson(dir, files[dir]))
+    .filter(f => f.SignRequestFiles.length > 0);
+
+  const filePath = path.join(os.tmpdir(), fileName);
+  fs.writeFileSync(filePath, JSON.stringify(SIGN_JSON_TEMPLATE, undefined, 2));
+
+  return filePath;
+}
+
+/**
+ * Signs the given file, or all files in a given directory if that's what's passed to it.
+ * @param esrpTool - The path to the ESRP tool.
+ * @param pathToSign - A path to a file or directory.
+ */
+async function sign(esrpTool, pathToSign) {
+  if (!process.env.HEADLAMP_WINDOWS_CLIENT_ID) {
+    throw 'No HEADLAMP_WINDOWS_CLIENT_ID env var defined!';
+  }
+
+  const signJsonBase = path.basename(pathToSign).split('.')[0];
+  const signInputJson = createJson(pathToSign, `${signJsonBase}-SignInput.json`);
+  console.log('>>>>>>>>>>>>>>>>>>>>>>>||');
+
+  const policyJson = path.resolve(os.tmpdir(), 'Policy.json');
+  fs.writeFileSync(policyJson, JSON.stringify(POLICY_JSON, undefined, 2));
+  const authJson = path.resolve(os.tmpdir(), 'Auth.json');
+  fs.writeFileSync(authJson, JSON.stringify(AUTH_JSON, undefined, 2));
+  console.log('>>>>', `${esrpTool} Sign -a ${authJson} -p ${policyJson} -i ${signInputJson}`);
+  console.log(
+    'EXEC',
+    execSync(
+      `${esrpTool} Sign -a ${authJson} -p ${policyJson} -i ${signInputJson}`,
+      (error, stdout, stderr) => {
+        if (error) {
+          console.log(`error: ${error.message}`);
+          return;
+        }
+        if (stderr) {
+          console.log(`stderr: ${stderr}`);
+          return;
+        }
+        console.log(`stdout: ${stdout}`);
+      }
+    )
+  );
+}
+
+// module.exports = {
+//   sign,
+// };
+
+if (require.main === module) {
+  console.log('>>>>>>>>>>', process.argv.slice(2));
+  sign(process.env.ESRP_PATH, process.argv[2]);
+  process.exit(0);
+}