Merge pull request #10645 from NREL/codesigning

Codesigning packages for macOS
NREL · Aug 12, 2024 · 7b298a8 · 7b298a8 · nrel-bot-3 · Aug 12, 2024
2 parents 923c94e + 6a2dc11
commit 7b298a8
Show file tree

Hide file tree

Showing 130 changed files with 3,418 additions and 72 deletions.
diff --git a/.github/workflows/mac_release.yml b/.github/workflows/mac_release.yml
@@ -4,13 +4,15 @@ on:
   push:
     tags:
       - '*'
+  workflow_dispatch:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   BUILD_TYPE: Release
   FC: gfortran-13
   SDKROOT: /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
   Python_REQUIRED_VERSION: 3.12.2
+  BUILD_DOCS: true  # Installing MacTex takes like 15min, so you can speed things up by disabling it
 
 jobs:
   build_installer_artifact:
@@ -39,6 +41,61 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
+#    - name: Setup QtIFW 4.x
+#      uses: jmarrec/setup-qtifw@v1
+#      with:
+#        qtifw-version: '4.6.1'
+
+    - name: "Configure for codesigning"
+      run: |
+        set -x
+        cd $RUNNER_TEMP
+        mkdir codesigning && cd codesigning
+        # ----- Create certificate files from secrets base64 -----
+        echo "${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64 }}" | base64 --decode > certificate_application.p12
+        echo "${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_BASE64 }}" | base64 --decode > certificate_installer.p12
+
+        # ----- Configure Keychain -----
+        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+        security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH
+        # Unlock it for 6 hours
+        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+        security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH
+
+        # ----- Import certificates on Keychain -----
+        security import certificate_application.p12 -P '${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_PASSWORD }}' -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security import certificate_installer.p12   -P '${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_PASSWORD }}'   -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security list-keychain -d user -s $KEYCHAIN_PATH
+        security find-identity -vvvv $KEYCHAIN_PATH
+
+        # Add needed intermediary certificates
+        aria2c https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer
+        aria2c https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
+        security import AppleWWDRCAG2.cer -k $KEYCHAIN_PATH
+        security import DeveloperIDG2CA.cer -k $KEYCHAIN_PATH
+        security find-identity -vvvv $KEYCHAIN_PATH
+        security find-identity -v -p codesigning
+
+        # Store AppConnect credentials
+        echo "${{ secrets.NOTARIZATION_API_KEY }}" > AppConnect_Developer_API_Key.p8
+        xcrun notarytool store-credentials EnergyPlus \
+              --key AppConnect_Developer_API_Key.p8 \
+              --key-id ${{ secrets.NOTARIZATION_API_TEAM_ID }} \
+              --issuer ${{ secrets.NOTARIZATION_API_ISSUER_ID }} \
+              --keychain $KEYCHAIN_PATH
+
+        cd .. && rm -Rf codesigning
+
+        # Download my patched QtIFW
+        mkdir QtIFW && cd QtIFW
+        aria2c https://github.com/jmarrec/QtIFW-fixup/releases/download/v5.0.0-dev-with-fixup/QtIFW-5.0.0-${{ matrix.arch }}.zip
+        xattr -r -d com.apple.quarantine ./QtIFW-5.0.0-${{ matrix.arch }}.zip
+        unzip QtIFW-5.0.0-${{ matrix.arch }}.zip
+        rm -Rf ./*.zip
+        chmod +x *
+        ./installerbase --version
+        echo "$(pwd)" >> $GITHUB_PATH
+
     - name: Remove python ${{ env.Python_REQUIRED_VERSION }} from the toolcache
       run: |
         ls $RUNNER_TOOL_CACHE/Python || true
@@ -52,11 +109,6 @@ jobs:
         python-version: ${{ env.Python_REQUIRED_VERSION }}
         # check-latest: true # Force pick up the python I built instead of the (potential) toolcache one. I could also do `rm -Rf $RUNNER_TOOL_CACHE/Python/3.12.2` before this action
 
-    - name: Setup QtIFW 4.x
-      uses: jmarrec/setup-qtifw@v1
-      with:
-        qtifw-version: '4.6.1'
-
     - name: Install Python dependencies
       run: |
         python -m pip install --upgrade pip
@@ -66,16 +118,22 @@ jobs:
       shell: bash
       run: |
         set -x
-        echo "Using brew to install mactex and adding it to PATH"
         brew update
-        brew install --cask mactex-no-gui
-        echo "/Library/TeX/texbin" >> $GITHUB_PATH
+        if [[ "$BUILD_DOCS" != "false" ]]; then
+          echo "Using brew to install mactex and adding it to PATH"
+          brew install --cask mactex-no-gui
+          echo "/Library/TeX/texbin" >> $GITHUB_PATH
+          echo "DOCUMENTATION_BUILD=BuildWithAll" >> $GITHUB_ENV
+        else
+          echo "DOCUMENTATION_BUILD=DoNotBuild" >> $GITHUB_ENV
+        fi
         # The MACOSX_DEPLOYMENT_TARGET environment variable sets the default value for the CMAKE_OSX_DEPLOYMENT_TARGET variable.
         # We use cmake commands to build some subprojects, so setting it globally
         echo MACOSX_DEPLOYMENT_TARGET=${{ matrix.macos_dev_target }} >> $GITHUB_ENV
         echo "Installing gcc@13 for gfortran support of -static-libquadmath"
         brew list gcc@13 || brew install gcc@13
         which gfortran-13 || echo "FC=$(brew --prefix gcc@13)/bin/gfortran-13" >> $GITHUB_ENV
+        brew install ninja
 
     - name: Create Build Directory
       run: cmake -E make_directory ./build/
@@ -86,43 +144,99 @@ jobs:
       working-directory: ./build
       shell: bash
       run: |
-        cmake -DCMAKE_BUILD_TYPE:STRING=$BUILD_TYPE \
+        cmake -G Ninja -DCMAKE_BUILD_TYPE:STRING=$BUILD_TYPE \
               -DCMAKE_OSX_DEPLOYMENT_TARGET:STRING=${{ matrix.macos_dev_target }} \
               -DLINK_WITH_PYTHON:BOOL=ON -DPython_REQUIRED_VERSION:STRING=${{ steps.setup-python.outputs.python-version }} \
               -DPython_ROOT_DIR:PATH=$RUNNER_TOOL_CACHE/Python/${{ steps.setup-python.outputs.python-version }}/${{ matrix.python-arch }}/ \
               -DBUILD_FORTRAN:BOOL=ON -DBUILD_PACKAGE:BOOL=ON \
-              -DDOCUMENTATION_BUILD:STRING="BuildWithAll" -DTEX_INTERACTION:STRING="batchmode" \
+              -DDOCUMENTATION_BUILD:STRING=$DOCUMENTATION_BUILD -DTEX_INTERACTION:STRING="batchmode" \
               -DENABLE_OPENMP:BOOL=OFF -DUSE_OpenMP:BOOL=OFF \
+              -DCPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION:STRING="Developer ID Application: National Renewable Energy Laboratory (K7JYVQJL7R)" \
+              -DCPACK_CODESIGNING_NOTARY_PROFILE_NAME:STRING=EnergyPlus \
               ../
 
     - name: Build Package
       working-directory: ./build
       shell: bash
-      run: cmake --build . --target package -j 3
-
-    - name: otool the exes and libs
-      shell: bash
-      working-directory: ./build
       run: |
-        set -x
-        cd _CPack_Packages/Darwin/TGZ/EnergyPlus*/
-        otool -L ExpandObjects || true
-        otool -L ConvertInputFormat || true
-        otool -L energyplus || true
-        otool -L libenergyplusapi.dylib || true
-        otool -L PreProcess/IDFVersionUpdater/Transition-V23-1-0-to-V23-2-0 || true
-        otool -L PostProcess/ReadVarsESO || true
-        otool -L PostProcess/HVAC-Diagram || true
+        ninja package
 
     - name: Upload Tarball as artifact for testing
       uses: actions/upload-artifact@v4
       with:
-        name: energyplus-${{ matrix.os }}
+        name: energyplus-${{ matrix.os }}.tar.gz
         path: build/EnergyPlus-*-${{ matrix.arch }}.tar.gz
         if-no-files-found: error
         retention-days: 7
         overwrite: false
 
+    - name: Upload DMG as artifact for testing
+      uses: actions/upload-artifact@v4
+      with:
+        name: energyplus-${{ matrix.os }}.dmg
+        path: build/EnergyPlus-*-${{ matrix.arch }}.dmg
+        if-no-files-found: error
+        retention-days: 7
+        overwrite: false
+
+    - name: Quick Test Package Signing and otool exes and libs
+      shell: bash
+      working-directory: ./build
+      run: |
+        begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
+
+        subheader() { echo -e "\033[95m---- $1\033[0m"; }
+
+        exes=(
+          "energyplus" "libenergyplusapi.dylib"
+          "ExpandObjects" "ConvertInputFormat"
+          "PreProcess/IDFVersionUpdater/Transition-V23-1-0-to-V23-2-0"
+          "PostProcess/ReadVarsESO" "PostProcess/HVAC-Diagram"
+        )
+
+        TGZ_DIR=$(find _CPack_Packages/Darwin/TGZ -name "EnergyPlus*" -type d -maxdepth 1)
+        echo "TGZ_DIR=$TGZ_DIR" >> $GITHUB_ENV
+        echo "Checking TGZ dir at $TGZ_DIR"
+
+        for rel_exe in "${exes[@]}"; do
+          exe="$TGZ_DIR/$rel_exe"
+          begin_group "Checking $exe"
+          subheader "otool"
+          otool -L "${exe}" || true
+          subheader "codesign"
+          siginfo=$(codesign --display -vv "${exe}" 2>&1)
+          if [[ $siginfo == *"K7JYVQJL7R"* ]]; then
+            echo -e "\033[92mSIGNATURE OK\033[0m"
+            echo "$siginfo" | grep Authority
+          else
+            echo -e "\033[91mSignature not ok for ${exe}\033[0m"
+            echo "::error::title=Signature not ok for ${exe}::$siginfo"
+          fi
+          echo "::endgroup::"
+        done
+
+    - name: Full Test Package signing and otool for IFW and TGZ
+      working-directory: ./build
+      shell: bash
+      run: |
+        begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
+
+        begin_group "Full Check signature of _CPack_Packages for both IFW and TGZ and resolve otool libraries"
+        python ../scripts/dev/verify_signature.py --verbose --otool --otool-out-file otool_infos_cpack.json .
+        echo "::endgroup::"
+
+        begin_group "Running a simulation with python"
+        ./$TGZ_DIR/energyplus --help
+        ./$TGZ_DIR/energyplus -w ./$TGZ_DIR/WeatherData/USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw -d out ./$TGZ_DIR/ExampleFiles/PythonPluginCustomSchedule.idf
+        echo "::endgroup::"
+
+    - name: Upload otool info as artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: otool_infos_cpack_${{ matrix.os }}_${{ matrix.arch }}
+        path: build/otool*json
+        if-no-files-found: error
+
     - name: Upload Tarball to release
       uses: svenstaro/upload-release-action@v2
       with:
@@ -153,39 +267,96 @@ jobs:
         include:
           - macos_dev_target: 12.1
             os: macos-12
+            arch: x86_64
             python-arch: x64
             test_key: mac12
           - macos_dev_target: 13.0
             os: macos-14
+            arch: arm64
             python-arch: arm64
             test_key: mac13-arm64
 
     steps:
-      - uses: actions/checkout@v4  # Still need E+ checked out to get testing scripts
-        with:
-          path: checkout
-
-      - name: Set up Python ${{ env.Python_REQUIRED_VERSION }}
-        uses: actions/setup-python@v5
-        id: setup-python
-        with:
-          python-version: ${{ env.Python_REQUIRED_VERSION }}
-          architecture: ${{ matrix.python-arch }}
-
-      - name: Gather Test Package from Artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: energyplus-${{ matrix.os }}
-          path: package
-
-      - name: Check Contents
-        shell: bash
-        run: ls
-
-      - name: Check Package contents
-        shell: bash
-        working-directory: package
-        run: ls
-
-      - name: Run Package Tests
-        run: python checkout/scripts/package_tests/runner.py --verbose ${{ matrix.test_key }} package/
+    - uses: actions/checkout@v4  # Still need E+ checked out to get testing scripts
+      with:
+        path: checkout
+
+    - name: Set up Python ${{ env.Python_REQUIRED_VERSION }}
+      uses: actions/setup-python@v5
+      id: setup-python
+      with:
+        python-version: ${{ env.Python_REQUIRED_VERSION }}
+        architecture: ${{ matrix.python-arch }}
+
+    - name: Gather Test Package from Artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: energyplus-${{ matrix.os }}.tar.gz
+        path: package
+
+    - name: Check Contents
+      shell: bash
+      run: ls
+
+    - name: Check Package contents
+      shell: bash
+      working-directory: package
+      run: ls
+
+    - name: Run Package Tests
+      run: python checkout/scripts/package_tests/runner.py --verbose ${{ matrix.test_key }} package/
+
+    - name: Gather Dmg Package from Artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: energyplus-${{ matrix.os }}.dmg
+        path: dmg
+
+    - name: Test Dmg Install and Package signing
+      working-directory: ./dmg
+      shell: bash
+      run: |
+        begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
+
+        set -x
+
+        dmg=$(ls EnergyPlus-*.dmg)
+        begin_group "Checking Signature of .dmg"
+        spctl --assess --type open --context context:primary-signature -vvvv $dmg
+        echo "::endgroup::"
+
+        begin_group "Mounting Dmg, and checking signature of installer app"
+        mkdir temp_mount
+        hdiutil attach -mountpoint ./temp_mount/ $dmg
+        filename="${dmg%.*}"
+        spctl --assess --type open --context context:primary-signature -vvvv ./temp_mount/$filename.app
+        echo "::endgroup::"
+
+        begin_group "Installing"
+        sudo ./temp_mount/$filename.app/Contents/MacOS/$filename --accept-licenses --default-answer --confirm-command --root $(pwd)/test_install install
+        hdiutil detach ./temp_mount/
+        echo "::endgroup::"
+
+        begin_group "Quick Check signature of inner executables and binaries"
+        codesign -dvvv ./test_install/energyplus
+        codesign -dvvv ./test_install/libenergyplusapi.dylib
+        codesign -dvvv ./test_install/libpython*.dylib
+        codesign -dvvv ./test_install/ConvertInputFormat
+        codesign -dvvv ./test_install/PostProcess/ReadVarsESO
+        echo "::endgroup::"
+
+        begin_group "Full Check signature of installed DMG for all executables and resolve otool libraries"
+        python ../checkout/scripts/dev/verify_signature.py --otool --otool-out-file otool_info_dmg.json --verbose --install test_install
+        echo "::endgroup::"
+
+        begin_group "Running a simulation with python"
+        ./test_install/energyplus --help
+        ./test_install/energyplus -w ./test_install/WeatherData/USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw -d out ./test_install/ExampleFiles/PythonPluginCustomSchedule.idf
+        echo "::endgroup::"
+
+    - name: Upload otool info as artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: otool_info_dmg_${{ matrix.os }}_${{ matrix.arch }}
+        path: dmg/otool*json
+        if-no-files-found: error
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -13,6 +13,8 @@ endif()
 
 cmake_policy(SET CMP0048 NEW) # handling project_version_* variables
 
+cmake_policy(SET CMP0087 NEW) # install(CODE) and install(SCRIPT) support generator expressions.
+
 project(EnergyPlus)
 
 # Raise an error if attempting to compile on macOS older than 10.15 - it does not work