Adding generation of signature files

pharo-project · Feb 23, 2024 · 7faa912 · 7faa912
1 parent 8c4b3fb
commit 7faa912
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 13 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -570,6 +570,9 @@ add_subdirectory(ffiTestLibrary ${CMAKE_CURRENT_BINARY_DIR}/build/ffiTestLibrary
 # Handling Third party dependencies
 add_third_party_dependencies_per_platform()
 
+# Signing Setup
+include(cmake/sign.cmake)
+
 # Packaging Setup
 include(cmake/packaging.cmake)
 

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -126,19 +126,23 @@ def runBuild(platformName, configuration, headless = true, someAdditionalParamet
 	}
 
 	stage("Build-${platform}-${configuration}"){
-    if(isWindows()){
-      runInCygwin "mkdir ${buildDirectory}"
-      recordCygwinVersions(buildDirectory)
-      runInCygwin "cd ${buildDirectory} && cmake -DFLAVOUR=${configuration} ${additionalParameters} -DPHARO_DEPENDENCIES_PREFER_DOWNLOAD_BINARIES=TRUE ../repository -DICEBERG_DEFAULT_REMOTE=httpsUrl"
-      runInCygwin "cd ${buildDirectory} && VERBOSE=1 make install package"
-      runInCygwin "mkdir -p artifacts-${platformName} && cp -a ${buildDirectory}/build/packages/* artifacts-${platformName}/"
-    }else{
-      cmakeBuild generator: "Unix Makefiles", cmakeArgs: "-DFLAVOUR=${configuration} ${additionalParameters} -DPHARO_DEPENDENCIES_PREFER_DOWNLOAD_BINARIES=TRUE -DICEBERG_DEFAULT_REMOTE=httpsUrl", sourceDir: "repository", buildDir: "${buildDirectory}", installation: "InSearchPath"
-      dir("${buildDirectory}"){
-        shell "VERBOSE=1 make install package"
-      }
-      shell "mkdir -p artifacts-${platformName} && cp -a ${buildDirectory}/build/packages/* artifacts-${platformName}/"
-    }
+
+		withCredentials([sshUserPrivateKey(credentialsId: 'pharo_signature_key', keyFileVariable: 'SIGN_CERT', passphraseVariable: 'SIGN_CERT_PASSWORD')]) {		
+			if(isWindows()){
+				runInCygwin "mkdir ${buildDirectory}"
+				recordCygwinVersions(buildDirectory)
+				runInCygwin "cd ${buildDirectory} && cmake -DFLAVOUR=${configuration} ${additionalParameters} -DPHARO_DEPENDENCIES_PREFER_DOWNLOAD_BINARIES=TRUE ../repository -DICEBERG_DEFAULT_REMOTE=httpsUrl"
+				runInCygwin "cd ${buildDirectory} && VERBOSE=1 make sign install package"
+				runInCygwin "mkdir -p artifacts-${platformName} && cp -a ${buildDirectory}/build/packages/* artifacts-${platformName}/"
+			}else{
+				cmakeBuild generator: "Unix Makefiles", cmakeArgs: "-DFLAVOUR=${configuration} ${additionalParameters} -DPHARO_DEPENDENCIES_PREFER_DOWNLOAD_BINARIES=TRUE -DICEBERG_DEFAULT_REMOTE=httpsUrl", sourceDir: "repository", buildDir: "${buildDirectory}", installation: "InSearchPath"
+				dir("${buildDirectory}"){
+					shell "VERBOSE=1 make sign install package"
+			}
+		}		
+
+		shell "mkdir -p artifacts-${platformName} && cp -a ${buildDirectory}/build/packages/* artifacts-${platformName}/"
+	}
 
 		stash excludes: '_CPack_Packages', includes: "${buildDirectory}/build/packages/*", name: "packages-${platform}-${configuration}"
         stash includes: "repository/scripts/*", name: "scripts"

diff --git a/cmake/sign.cmake b/cmake/sign.cmake
@@ -0,0 +1,40 @@
+if(OSX)
+    set(EXECUTABLE_DIR_TO_SIGN "${EXECUTABLE_OUTPUT_PATH}/${VM_EXECUTABLE_NAME}.app/Contents/MacOS")
+else()
+    set(EXECUTABLE_DIR_TO_SIGN "${EXECUTABLE_OUTPUT_PATH}")
+endif()
+
+set(SIGNATURE_FILE "${EXECUTABLE_DIR_TO_SIGN}/pharo.signatures")
+set(SIGN_CERT "$ENV{SIGN_CERT}")
+
+set(FIND_ARGS . -type f -maxdepth 1 ! -name 'pharo.signatures' -exec)
+set(OPENSSL_COMMAND openssl dgst -sha256 -sign ${SIGN_CERT} -passin env:SIGN_CERT_PASSWORD -r -hex)
+
+set(EXECUTABLES_SIGNATURE_FILE ${CMAKE_CURRENT_BINARY_DIR}/signatures/executables.signatures)
+set(LIBRARY_SIGNATURE_FILE ${CMAKE_CURRENT_BINARY_DIR}/signatures/libraries.signatures)
+set(LIBRARY_DIR_TO_SIGN "${LIBRARY_OUTPUT_DIRECTORY}")
+
+make_directory(${CMAKE_CURRENT_BINARY_DIR}/signatures)
+
+add_custom_target(sign_libraries
+                  COMMAND echo "Signing Libraries in ${LIBRARY_DIR_TO_SIGN} with in file ${LIBRARY_SIGNATURE_FILE}"
+                  COMMAND rm -f ${LIBRARY_SIGNATURE_FILE}
+                  COMMAND find ${FIND_ARGS} ${OPENSSL_COMMAND} {} "\\;" >> ${LIBRARY_SIGNATURE_FILE}
+                  DEPENDS ${VM_EXECUTABLE_NAME} TestLibrary
+                  BYPRODUCTS ${LIBRARY_SIGNATURE_FILE}
+                  WORKING_DIRECTORY ${LIBRARY_DIR_TO_SIGN})
+
+add_custom_target(sign_executables
+                  COMMAND echo "Signing Executables in ${EXECUTABLE_DIR_TO_SIGN} with in file ${EXECUTABLES_SIGNATURE_FILE}"
+                  COMMAND rm -f ${EXECUTABLES_SIGNATURE_FILE}
+                  COMMAND find ${FIND_ARGS} ${OPENSSL_COMMAND} {} "\\;" >> ${EXECUTABLES_SIGNATURE_FILE}
+                  DEPENDS ${VM_EXECUTABLE_NAME}
+                  BYPRODUCTS ${EXECUTABLES_SIGNATURE_FILE}
+                  WORKING_DIRECTORY ${EXECUTABLE_DIR_TO_SIGN})
+
+add_custom_target(sign
+                  COMMAND echo "Combining Signatures in ${SIGNATURE_FILE}"
+                  COMMAND cat ${EXECUTABLES_SIGNATURE_FILE} ${LIBRARY_SIGNATURE_FILE} > ${SIGNATURE_FILE}
+                  DEPENDS sign_libraries sign_executables
+                  BYPRODUCTS ${SIGNATURE_FILE}
+                  WORKING_DIRECTORY ${EXECUTABLE_DIR_TO_SIGN})