diff --git a/.gitignore b/.gitignore index e48347c2..6e68831a 100644 --- a/.gitignore +++ b/.gitignore @@ -35,6 +35,7 @@ CMakeLists.txt.user* .DS_Store ._.DS_Store ._* +*.dmg # tmp files *.*~ diff --git a/.travis.yml b/.travis.yml index 67618ffb..9088cde6 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,15 +14,7 @@ jobs: env: - QT_VERSION=5.15.1 - - before_install: - - export CERTIFICATE_P12=deploy/PrivacyTechAppleCert.p12 - - export KEYCHAIN=build.keychain - - security create-keychain -p $MAC_CERT_PW $KEYCHAIN - - security default-keychain -s $KEYCHAIN - - security unlock-keychain -p $MAC_CERT_PW $KEYCHAIN - - security import $CERTIFICATE_P12 -k $KEYCHAIN -P $MAC_CERT_PW -T /usr/bin/codesign - + script: - | if [ ! -f $HOME/Qt/$QT_VERSION/clang_64/bin/qmake ]; then \ @@ -38,7 +30,7 @@ jobs: token: $GH_TOKEN skip_cleanup: true file: - - "AmneziaVPN.dmg" + - "AmneziaVPN_unsigned.dmg" on: tags: true branch: master @@ -93,4 +85,4 @@ cache: directories: - $HOME/Qt - /C/Qt - - $HOME/Library/Caches/Homebrew \ No newline at end of file + - $HOME/Library/Caches/Homebrew diff --git a/deploy/PrivacyTechAppleCert.p12 b/deploy/PrivacyTechAppleCert.p12 deleted file mode 100644 index f8b91957..00000000 Binary files a/deploy/PrivacyTechAppleCert.p12 and /dev/null differ diff --git a/deploy/PrivacyTechAppleCertDeveloperId.p12 b/deploy/PrivacyTechAppleCertDeveloperId.p12 new file mode 100755 index 00000000..a04ec85a Binary files /dev/null and b/deploy/PrivacyTechAppleCertDeveloperId.p12 differ diff --git a/deploy/PrivacyTechAppleCertInstallerId.p12 b/deploy/PrivacyTechAppleCertInstallerId.p12 new file mode 100755 index 00000000..ee9a34e9 Binary files /dev/null and b/deploy/PrivacyTechAppleCertInstallerId.p12 differ diff --git a/deploy/PrivacyTechWindowsCert.pfx b/deploy/PrivacyTechWindowsCert.pfx index 60e139fc..0eb043c4 100644 Binary files a/deploy/PrivacyTechWindowsCert.pfx and b/deploy/PrivacyTechWindowsCert.pfx differ 
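Review bot: The release asset is renamed to `"AmneziaVPN_unsigned.dmg"`, yet `deploy/build_macos.sh` in this same commit codesigns that file whenever `MAC_CERT_PW` is set — presumably still the case for this job, whose secret the removed `before_install` block used to consume — so a signed DMG would be published under an "unsigned" name. Either have the script write `AmneziaVPN.dmg` on its signing branch and upload that, or keep the suffix and note next to `file:` that it means "not notarized" rather than "not signed". Separately, `QT_VERSION=5.15.1` here differs from the `5.15.2` fallback the script now applies when the variable is unset; harmless in CI, but the two defaults are worth aligning.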
diff --git a/deploy/WWDRCA.cer b/deploy/WWDRCA.cer
new file mode 100644
index 00000000..d2bb1da6
Binary files /dev/null and b/deploy/WWDRCA.cer differ
diff --git a/deploy/build_macos.sh b/deploy/build_macos.sh
old mode 100644
new mode 100755
index ecd31833..2acbb2a3
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
@@ -5,46 +5,37 @@ set -o errexit -o nounset
 # Hold on to current directory
 PROJECT_DIR=$(pwd)
-SCRIPT_DIR=$PROJECT_DIR/deploy
+DEPLOY_DIR=$PROJECT_DIR/deploy
-mkdir -p $SCRIPT_DIR/build
-WORK_DIR=$SCRIPT_DIR/build
+mkdir -p $DEPLOY_DIR/build
+BUILD_DIR=$DEPLOY_DIR/build
 echo "Project dir: ${PROJECT_DIR}"
-echo "Build dir: ${WORK_DIR}"
+echo "Build dir: ${BUILD_DIR}"
 APP_NAME=AmneziaVPN
 APP_FILENAME=$APP_NAME.app
 APP_DOMAIN=org.amneziavpn.package
 PLIST_NAME=$APP_NAME.plist
-RELEASE_DIR=$WORK_DIR
-OUT_APP_DIR=$RELEASE_DIR/client
+OUT_APP_DIR=$BUILD_DIR/client
 BUNDLE_DIR=$OUT_APP_DIR/$APP_FILENAME
 DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/macos
-INSTALLER_DATA_DIR=$RELEASE_DIR/installer/packages/$APP_DOMAIN/data
+INSTALLER_DATA_DIR=$BUILD_DIR/installer/packages/$APP_DOMAIN/data
 PRO_FILE_PATH=$PROJECT_DIR/$APP_NAME.pro
 QMAKE_STASH_FILE=$PROJECT_DIR/.qmake_stash
-TARGET_FILENAME=$PROJECT_DIR/$APP_NAME.dmg
+DMG_FILENAME=$PROJECT_DIR/${APP_NAME}_unsigned.dmg
 # Seacrh Qt
-echo "Brew Qt version $(brew --prefix qt)"
-
-
-#if [ -f $(brew --prefix qt)/clang_64/bin/qmake ]; then QT_BIN_DIR=$(brew --prefix qt)/clang_64/bin;
-#else QT_BIN_DIR=$HOME/Qt/5.14.2/clang_64/bin; fi
+if [ -z "${QT_VERSION+x}" ]; then export QT_VERSION=5.15.2; fi
 QT_BIN_DIR=$HOME/Qt/$QT_VERSION/clang_64/bin
-
-#QIF_BIN_DIR=$HOME/Qt/Tools/QtInstallerFramework/4.0/bin
 QIF_BIN_DIR=$QT_BIN_DIR/../../../Tools/QtInstallerFramework/4.0/bin
 echo "Using Qt in $QT_BIN_DIR"
 echo "Using QIF in $QIF_BIN_DIR"
-ls -al $QT_BIN_DIR/../../..
-
 # Checking env
 $QT_BIN_DIR/qmake -v
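Review bot: The new fallback `if [ -z "${QT_VERSION+x}" ]; then export QT_VERSION=5.15.2; fi` only fires when the variable is unset; a variable exported empty (`QT_VERSION=`) passes the test and `QT_BIN_DIR` becomes `$HOME/Qt//clang_64/bin`. `if [ -z "${QT_VERSION:-}" ]; then export QT_VERSION=5.15.2; fi` covers both cases and is still safe under `set -o nounset`. The renamed path variables are expanded unquoted throughout (`mkdir -p $DEPLOY_DIR/build` here, and the `cd`/`cp`/`codesign` arguments in the later hunks), so a checkout under a directory containing whitespace splits the arguments; quoting them is a mechanical fix. `# Seacrh Qt` should read `# Search Qt`.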
@@ -53,7 +44,7 @@ clang -v
 # Build App
 echo "Building App..."
-cd $WORK_DIR
+cd $BUILD_DIR
 $QT_BIN_DIR/qmake $PROJECT_DIR/AmneziaVPN.pro 'CONFIG+=release CONFIG+=x86_64'
 make -j `sysctl -n hw.ncpu`
@@ -67,15 +58,41 @@ echo "____________________________________"
 # Package
 echo "Packaging ..."
-#cd $SCRIPT_DIR
+#cd $DEPLOY_DIR
 $QT_BIN_DIR/macdeployqt $OUT_APP_DIR/$APP_FILENAME -always-overwrite
-cp -av $RELEASE_DIR/service/server/$APP_NAME-service.app/Contents/macOS/$APP_NAME-service $BUNDLE_DIR/Contents/macOS
+cp -av $BUILD_DIR/service/server/$APP_NAME-service.app/Contents/macOS/$APP_NAME-service $BUNDLE_DIR/Contents/macOS
 cp -Rv $PROJECT_DIR/deploy/data/macos/* $BUNDLE_DIR/Contents/macOS
+if [ "${MAC_CERT_PW+x}" ]; then
+
+CERTIFICATE_P12=$DEPLOY_DIR/PrivacyTechAppleCertDeveloperId.p12
+WWDRCA=$DEPLOY_DIR/WWDRCA.cer
+KEYCHAIN=amnezia.build.keychain
+TEMP_PASS=tmp_pass
+
+security create-keychain -p $TEMP_PASS $KEYCHAIN || true
+security default-keychain -s $KEYCHAIN
+security unlock-keychain -p $TEMP_PASS $KEYCHAIN
+
+security default-keychain
+security list-keychains
+
+security import $WWDRCA -k $KEYCHAIN -T /usr/bin/codesign || true
+security import $CERTIFICATE_P12 -k $KEYCHAIN -P $MAC_CERT_PW -T /usr/bin/codesign || true
+
+security set-key-partition-list -S apple-tool:,apple: -k $TEMP_PASS $KEYCHAIN
+security find-identity -p codesigning
+
+/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --sign "Developer ID Application: Privacy Technologies OU (X7UJ388FXK)" $BUNDLE_DIR
+/usr/bin/codesign --verify -vvvv $BUNDLE_DIR || true
+spctl -a -vvvv $BUNDLE_DIR || true
+
+fi
+
 mkdir -p $INSTALLER_DATA_DIR
-cp -av $PROJECT_DIR/deploy/installer $RELEASE_DIR
+cp -av $PROJECT_DIR/deploy/installer $BUILD_DIR
 cp -av $DEPLOY_DATA_DIR/post_install.sh $INSTALLER_DATA_DIR/post_install.sh
 cp -av $DEPLOY_DATA_DIR/post_uninstall.sh $INSTALLER_DATA_DIR/post_uninstall.sh
 cp -av $DEPLOY_DATA_DIR/$PLIST_NAME $INSTALLER_DATA_DIR/$PLIST_NAME
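Review bot: `/usr/bin/codesign --verify -vvvv $BUNDLE_DIR || true` discards the verification result, so under `set -o errexit` a bundle whose signature does not verify still proceeds into the installer; the DMG verification in the last hunk carries the same `|| true`, and so does the P12 `security import` line, whose failure then surfaces only as an unrelated codesign error later. Drop `|| true` from the two `codesign --verify` lines and from `security import $CERTIFICATE_P12 ...` so the build fails at the cause; `spctl -a` can stay advisory while notarization is still commented out, since Gatekeeper assessment of an unnotarized bundle may well be rejected on current macOS. The keychain password `TEMP_PASS=tmp_pass` is a fixed literal protecting the Developer ID private key imported from the in-repo `PrivacyTechAppleCertDeveloperId.p12`, which is only as safe as `MAC_CERT_PW`; keeping the P12 as an encrypted CI secret rather than a committed file, and deleting the keychain once signing is done, would narrow that exposure.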
@@ -86,9 +103,24 @@ chmod a+x $INSTALLER_DATA_DIR/post_install.sh $INSTALLER_DATA_DIR/post_uninstall
 cd $BUNDLE_DIR
 tar czf $INSTALLER_DATA_DIR/$APP_NAME.tar.gz ./
-cd $RELEASE_DIR/installer
-$QIF_BIN_DIR/binarycreator --offline-only -v -c config/macos.xml -p packages -f $APP_NAME
-hdiutil create -volname $APP_NAME -srcfolder $APP_NAME.app -ov -format UDZO $TARGET_FILENAME
+cd $BUILD_DIR/installer
+$QIF_BIN_DIR/binarycreator --offline-only -v -c config/macos.xml -p packages -f $APP_FILENAME
+if [ "${MAC_CERT_PW+x}" ]; then
+/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --sign "Developer ID Application: Privacy Technologies OU (X7UJ388FXK)" $APP_FILENAME
+fi
+hdiutil create -volname $APP_NAME -srcfolder $APP_NAME.app -ov -format UDZO $DMG_FILENAME
-echo "Finished, artifact is $PROJECT_DIR/$APP_NAME.dmg"
+if [ "${MAC_CERT_PW+x}" ]; then
+/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --sign "Developer ID Application: Privacy Technologies OU (X7UJ388FXK)" $DMG_FILENAME
+/usr/bin/codesign --verify -vvvv $DMG_FILENAME || true
+spctl -a -vvvv $DMG_FILENAME || true
+#xcrun altool --notarize-app -f $DMG_FILENAME -t osx --primary-bundle-id $APP_DOMAIN -u $APPLE_DEV_EMAIL
+#xcrun stapler staple $DMG_FILENAME
+#xcrun stapler validate $DMG_FILENAME
+fi
+
+echo "Finished, artifact is $DMG_FILENAME"
+
+# restore keychain
+security default-keychain -s login.keychain
diff --git a/deploy/build_windows.bat b/deploy/build_windows.bat
index 9d938f5e..8ee3e74f 100644
--- a/deploy/build_windows.bat
+++ b/deploy/build_windows.bat
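Review bot: `security default-keychain -s login.keychain` at the end runs outside the `MAC_CERT_PW` guard and only re-points the default: `amnezia.build.keychain`, holding the imported Developer ID key under the fixed password, stays on disk, and on an `errexit` abort anywhere after `create-keychain` the default is not even restored. Register the cleanup where the keychain is created, inside the guard in the previous hunk, `trap 'security default-keychain -s login.keychain; security delete-keychain $KEYCHAIN' EXIT`, and drop the unconditional line here. The DMG is also still written to `${APP_NAME}_unsigned.dmg` on the branch that signs it, so the artifact name misstates its state; the commented-out `altool`/`stapler` lines are the step that would let it pass Gatekeeper, and a `# TODO: notarize and staple before this DMG can be considered release-ready` comment would tell the next reader why they are parked.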
@@ -44,6 +44,12 @@ echo "PRO_FILE_PATH: %PRO_FILE_PATH%"
 echo "QMAKE_STASH_FILE: %QMAKE_STASH_FILE%"
 echo "TARGET_FILENAME: %TARGET_FILENAME%"
+rem Signing staff
+powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
+powershell Get-ExecutionPolicy -List
+
+powershell Import-PfxCertificate -FilePath %SCRIPT_DIR:"=%\PrivacyTechWindowsCert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $(ConvertTo-SecureString -String $Env:WIN_CERT_PW -AsPlainText -Force)
+
 echo "Cleanup..."
 Rmdir /Q /S %RELEASE_DIR%
 Del %QMAKE_STASH_FILE%
@@ -59,7 +65,6 @@ cd %PROJECT_DIR%
 cd %WORK_DIR%
 set CL=/MP
 nmake /A /NOLOGO
-break
 nmake clean
 rem if not exist "%OUT_APP_DIR:"=%\%APP_FILENAME:"=%" break
@@ -70,11 +75,11 @@ copy "%WORK_DIR:"=%\platform\post-uninstall\release\post-uninstall.exe" %OUT_APP
 echo "Signing exe"
 cd %OUT_APP_DIR%
-signtool sign /f "%SCRIPT_DIR:"=%\PrivacyTechWindowsCert.pfx" /p %WIN_CERT_PW% /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 *.exe
+signtool sign /v /sm /s My /n "Privacy Technologies OU" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 *.exe
 "%QT_BIN_DIR:"=%\windeployqt" --release --force --no-translations "%OUT_APP_DIR:"=%\%APP_FILENAME:"=%"
-signtool sign /f "%SCRIPT_DIR:"=%\PrivacyTechWindowsCert.pfx" /p %WIN_CERT_PW% /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 *.dll
+signtool sign /v /sm /s My /n "Privacy Technologies OU" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 *.dll
 echo "Copying deploy data..."
 xcopy %DEPLOY_DATA_DIR% %OUT_APP_DIR% /s /e /y /i /f
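Review bot: `powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine` is a persistent machine-wide change that nothing reverts, and the inline `Import-PfxCertificate` command does not need it — execution policy gates script files, not commands passed on the `powershell` command line — so both execution-policy lines can go. `Import-PfxCertificate ... -CertStoreLocation Cert:\LocalMachine\My` leaves the signing certificate and its private key in the machine store after the job; on a non-ephemeral build host it should be removed after the final `signtool` call in the last hunk, e.g. `powershell "Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Where-Object Subject -like '*Privacy Technologies OU*' | Remove-Item"`. `-FilePath %SCRIPT_DIR:"=%\PrivacyTechWindowsCert.pfx` is unquoted after the quote-stripping, so a `SCRIPT_DIR` containing spaces breaks the argument. `rem Signing staff` is presumably meant as `rem Signing stuff`.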
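Review bot: The new `signtool sign /v /sm /s My /n "Privacy Technologies OU" ... *.exe` and `*.dll` lines, like the installer line in the last hunk, never check the exit code, and the script ends in `exit 0`, so a signing failure — the import above having failed, or the timestamp server being unreachable — still reports success and unsigned binaries are packaged. Append `|| exit /b 1` to each `signtool sign` line, for example `signtool sign /v /sm /s My /n "Privacy Technologies OU" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 *.exe || exit /b 1`. `/n` matches by subject-name substring; if a second certificate with that subject ever lands in the store, selecting by thumbprint (`/sha1 <THUMBPRINT>`, placeholder) pins the identity explicitly.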
@@ -96,7 +101,7 @@ echo "Creating installer..."
 "%QIF_BIN_DIR:"=%\binarycreator" --offline-only -v -c config\windows.xml -p packages -f %TARGET_FILENAME%
 cd %PROJECT_DIR%
-signtool sign /f "%SCRIPT_DIR:"=%\PrivacyTechWindowsCert.pfx" /p %WIN_CERT_PW% /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 %TARGET_FILENAME%
+signtool sign /v /sm /s My /n "Privacy Technologies OU" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 %TARGET_FILENAME%
 echo "Finished, see %TARGET_FILENAME%"
 exit 0
\ No newline at end of file