Sign package files (#139)

* added some tests for codesigning * implemented FileSigner and KeyProvider classes for signing files. * added more config options for setting up package signing * fixed build errors. Now run integration tests on jdk 8, 11, and 17 * partial check-in with package sign * fixed file signer unit test * added support for providing trusted certificates in app bundle separate from the signing certificate. Added support for certificate chains which allow more complex signing workflows involving a root certificate with a long lifespan and a signing certificate with a short lifespan. * updated keystore providers to handle root certs * added support for environment variable JDEPLOY_DEVELOPER_CA_ID which can be the alias for a root certificate that is used in signed bundles to verify package signatures. The difference between this and the signing certificate, is that the root certificate does not need to have the accompanying private key on the deployment machine - it is used solely to allow the app bundle to validate the signature of packages. The root certificate will typically have a very long lifespan (e.g. 10 years), whereas the signing certificate will have a shorter expiry. * added certificate fingerprints to package.json and app.xml for mac builds so that we can easily see at runtime if a version can be verified by the bundle. the app.xml will have a fingerprint of the root certificate, and the package.json will have fingerprints for the full signing certificate chain. if the root certificate of the bundle is in the signing certificate chain of the package, then it can be verified. * added certificate pinning support * added verify-package cli command. untested yet * added unit test for VerifyPackageService * added ability to pass app.xml as --keystore parameter to the verify-package command in this case it will use the trusted-certificates attribute * added integration test or verify-package cli command * added dmg command * added support for JDEPLOY_SOURCE environemnt variable in dmg command to set the source in the app.xml * fix compile error * fixed another compile error * removed noise in maven logs * fixed issue with version in dmg command * fix compile error * fixed versioning for dmg * fixed compile error * updated launchers --------- Co-authored-by: Steve Hannah <[email protected]>
shannah · Oct 5, 2024 · c16f581 · c16f581
1 parent 0002f93
commit c16f581
Show file tree

Hide file tree

Showing 69 changed files with 3,525 additions and 114 deletions.
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -10,54 +10,59 @@ jobs:
 
   test-linux-amd64:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java-version: [ '8', '11', '17' ]
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up JDK 11
-      uses: actions/setup-java@v2
-      with:
-        java-version: '11'
-        distribution: 'adopt'
-        cache: maven
-    - name: Test Linux
-      env:
-        JDEPLOY_TEST_JVM_DOWNLOADS: true
-      run: bash build_and_test.sh
-     
-        
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v2
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'adopt'
+          cache: maven
+      - name: Test Linux
+        env:
+          JDEPLOY_TEST_JVM_DOWNLOADS: true
+        run: bash build_and_test.sh
+
+
   build-mac-x64:
     runs-on: macos-latest
+    strategy:
+      matrix:
+        java-version: [ '8', '11', '17' ]
     steps:
-    - uses: actions/checkout@v2
-
-    - name: Set up JDK 11
-      uses: actions/setup-java@v2
-      with:
-        java-version: '11'
-        distribution: 'adopt'
-        cache: maven
-
-    - name: Test Mac
-      env:
-        JDEPLOY_TEST_JVM_DOWNLOADS: true
-      run: bash build_and_test.sh
-
-
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v2
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'adopt'
+          cache: maven
+
+      - name: Test Mac
+        env:
+          JDEPLOY_TEST_JVM_DOWNLOADS: true
+        run: bash build_and_test.sh
+
+
   build-win-x64:
     runs-on: windows-latest
+    strategy:
+      matrix:
+        java-version: [ '8', '11', '17' ]
     steps:
-    - uses: actions/checkout@v2
-
-    - name: Set up JDK 11
-      uses: actions/setup-java@v2
-      with:
-        java-version: '11'
-        distribution: 'adopt'
-        cache: maven
-
-    - name: Build Windows
-      env:
-        JDEPLOY_TEST_JVM_DOWNLOADS: true
-      run: bash build_and_test.sh
-      shell: bash
-
-
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java-version }}
+        uses: actions/setup-java@v2
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'adopt'
+          cache: maven
+
+      - name: Build Windows
+        env:
+          JDEPLOY_TEST_JVM_DOWNLOADS: true
+        run: bash build_and_test.sh
+        shell: bash
diff --git a/.github/workflows/mac_codesign_tests.yml b/.github/workflows/mac_codesign_tests.yml
@@ -30,4 +30,5 @@ jobs:
         JDEPLOY_MAC_DEVELOPER_ID: ${{ secrets.APPLE_ID }}
         JDEPLOY_MAC_DEVELOPER_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
         JDEPLOY_MAC_DEVELOPER_CERTIFICATE_NAME: ${{ secrets.DEVELOPER_ID_CERTIFICATE_NAME }}
+        JDEPLOY_TEST_CERTIFICATE_NAME: ${{ secrets.DEVELOPER_ID_CERTIFICATE_NAME }}
       run: bash build_and_test.sh
diff --git a/.gitignore b/.gitignore
@@ -12,4 +12,7 @@ installer/jdeploy-bundle
 cli/bin
 tests/projects/*/jdeploy
 ./jdeploy
+./.idea
+./.idea/jarRepositories.xml
+./.idea/vcs.xml
 #./installer/tests/*/mock_launcher*
diff --git a/action.yml b/action.yml
@@ -111,9 +111,9 @@ runs:
         export PATH="$JAVA_HOME/bin:$PATH"
         echo "Building jDeploy from source..."
         cd jdeploy-source/shared
-        mvn clean install -DskipTests
+        mvn clean install -DskipTests --batch-mode --no-transfer-progress
         cd ../cli
-        mvn clean package -DskipTests
+        mvn clean package -DskipTests --batch-mode --no-transfer-progress
         npm install
         npm link
         echo "jdeploy_exec=$(which jdeploy)" >> $GITHUB_ENV

diff --git a/cli/pom.xml b/cli/pom.xml
@@ -271,13 +271,7 @@
 
         <dependency>
             <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <version>3.12.4</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
+            <artifactId>mockito-inline</artifactId>
             <version>3.12.4</version>
             <scope>test</scope>
         </dependency>