Skip to content

Commit

Permalink
Sign package files (#139)
Browse files Browse the repository at this point in the history
* added some tests for codesigning

* implemented FileSigner and KeyProvider classes for signing files.

* added more config options for setting up package signing

* fixed build errors.  Now run integration tests on jdk 8, 11, and 17

* partial check-in with package sign

* fixed file signer unit test

* added support for providing trusted certificates in app bundle separate from the signing certificate.
Added support for certificate chains which allow more complex signing workflows involving a root certificate with a long lifespan and a signing certificate with a short lifespan.

* updated keystore providers to handle root certs

* added support for environment variable JDEPLOY_DEVELOPER_CA_ID which can be the alias for a root certificate that is used in signed bundles to verify package signatures.
The difference between this and the signing certificate, is that the root certificate does not need to have the accompanying private key on the deployment machine - it is used solely to allow the app bundle to validate the signature of packages.  The root certificate will typically have a very long lifespan (e.g. 10 years), whereas the signing certificate will have a shorter expiry.

* added certificate fingerprints to package.json and app.xml for mac builds
so that we can easily see at runtime if a version can be verified by the bundle.
the app.xml will have a fingerprint of the root certificate, and the package.json will have fingerprints for the full signing certificate chain.
if the root certificate of the bundle is in the signing certificate chain of the package, then it can be verified.

* added certificate pinning support

* added verify-package cli command.  untested yet

* added unit test for VerifyPackageService

* added ability to pass app.xml as --keystore parameter to the verify-package command

in this case it will use the trusted-certificates attribute

* added integration test or verify-package cli command

* added dmg command

* added support for JDEPLOY_SOURCE environemnt variable in dmg command to set the source in the app.xml

* fix compile error

* fixed another compile error

* removed noise in maven logs

* fixed issue with version in dmg command

* fix compile error

* fixed versioning for dmg

* fixed compile error

* updated launchers

---------

Co-authored-by: Steve Hannah <shannah@weblite.ca>
  • Loading branch information
shannah and Steve Hannah authored Oct 5, 2024
1 parent 0002f93 commit c16f581
Show file tree
Hide file tree
Showing 69 changed files with 3,525 additions and 114 deletions.
93 changes: 49 additions & 44 deletions .github/workflows/integration_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,54 +10,59 @@ jobs:

test-linux-amd64:
runs-on: ubuntu-latest
strategy:
matrix:
java-version: [ '8', '11', '17' ]
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
cache: maven
- name: Test Linux
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@v2
with:
java-version: ${{ matrix.java-version }}
distribution: 'adopt'
cache: maven
- name: Test Linux
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh


build-mac-x64:
runs-on: macos-latest
strategy:
matrix:
java-version: [ '8', '11', '17' ]
steps:
- uses: actions/checkout@v2

- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
cache: maven

- name: Test Mac
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh


- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@v2
with:
java-version: ${{ matrix.java-version }}
distribution: 'adopt'
cache: maven

- name: Test Mac
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh


build-win-x64:
runs-on: windows-latest
strategy:
matrix:
java-version: [ '8', '11', '17' ]
steps:
- uses: actions/checkout@v2

- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
cache: maven

- name: Build Windows
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh
shell: bash


- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@v2
with:
java-version: ${{ matrix.java-version }}
distribution: 'adopt'
cache: maven

- name: Build Windows
env:
JDEPLOY_TEST_JVM_DOWNLOADS: true
run: bash build_and_test.sh
shell: bash
1 change: 1 addition & 0 deletions .github/workflows/mac_codesign_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,5 @@ jobs:
JDEPLOY_MAC_DEVELOPER_ID: ${{ secrets.APPLE_ID }}
JDEPLOY_MAC_DEVELOPER_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
JDEPLOY_MAC_DEVELOPER_CERTIFICATE_NAME: ${{ secrets.DEVELOPER_ID_CERTIFICATE_NAME }}
JDEPLOY_TEST_CERTIFICATE_NAME: ${{ secrets.DEVELOPER_ID_CERTIFICATE_NAME }}
run: bash build_and_test.sh
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,7 @@ installer/jdeploy-bundle
cli/bin
tests/projects/*/jdeploy
./jdeploy
./.idea
./.idea/jarRepositories.xml
./.idea/vcs.xml
#./installer/tests/*/mock_launcher*
4 changes: 2 additions & 2 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -111,9 +111,9 @@ runs:
export PATH="$JAVA_HOME/bin:$PATH"
echo "Building jDeploy from source..."
cd jdeploy-source/shared
mvn clean install -DskipTests
mvn clean install -DskipTests --batch-mode --no-transfer-progress
cd ../cli
mvn clean package -DskipTests
mvn clean package -DskipTests --batch-mode --no-transfer-progress
npm install
npm link
echo "jdeploy_exec=$(which jdeploy)" >> $GITHUB_ENV
Expand Down
8 changes: 1 addition & 7 deletions cli/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -271,13 +271,7 @@

<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>3.12.4</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<artifactId>mockito-inline</artifactId>
<version>3.12.4</version>
<scope>test</scope>
</dependency>
Expand Down
Loading

0 comments on commit c16f581

Please sign in to comment.