AuthentiCode sign launcher, uninstaller (#614)

* Sign uninstall.exe, qz-tray.exe * Cleanup and organize ant build scripts Co-authored-by: Berenz <[email protected]>
qzind · Apr 8, 2020 · 35ea73f · 35ea73f
1 parent bc3bd7e
commit 35ea73f
Show file tree

Hide file tree

Showing 15 changed files with 654 additions and 489 deletions.
diff --git a/ant/apple/installer.xml b/ant/apple/installer.xml
@@ -0,0 +1,193 @@
+<project name="apple-installer" basedir="../../">
+    <property file="ant/project.properties"/>
+    <import file="${basedir}/ant/version.xml"/>
+
+    <!--
+    ################################################################
+    #                     Apple Installer                          #
+    ################################################################
+    -->
+    <!-- Inform javafx.xml  -->
+    <target name="pkgbuild-preflight">
+        <property name="target.platform.mac" value="true"/>
+    </target>
+    <target name="build-pkg" depends="get-version">
+        <echo level="info">Creating installer using pkgbuild</echo>
+
+        <property file="ant/apple/apple.properties"/>
+
+        <!--
+        ###################################
+        #   Build MacOS Bundle Structure  #
+        ###################################
+        -->
+
+        <mkdir dir="${dist.dir}/Contents/Resources"/>
+        <copy file="assets/branding/apple-icon.icns" tofile="${dist.dir}/Contents/Resources/${project.filename}.icns"/>
+
+        <mkdir dir="${dist.dir}/Contents/MacOS"/>
+        <copy file="ant/unix/unix-launcher.sh.in" tofile="${dist.dir}/Contents/MacOS/${project.name}">
+            <filterchain><expandproperties/></filterchain>
+        </copy>
+
+        <copy file="ant/apple/apple-bundle.plist.in" tofile="${dist.dir}/Contents/Info.plist">
+            <filterchain><expandproperties/></filterchain>
+        </copy>
+
+        <copy file="ant/unix/unix-uninstall.sh.in" tofile="${dist.dir}/uninstall">
+            <filterchain><expandproperties/></filterchain>
+        </copy>
+
+        <mkdir dir="${build.dir}/scripts/payload"/>
+
+        <copy file="ant/apple/apple-preinstall.sh.in" tofile="${build.dir}/scripts/preinstall">
+            <filterchain><expandproperties/></filterchain>
+        </copy>
+
+        <copy file="ant/apple/apple-postinstall.sh.in" tofile="${build.dir}/scripts/postinstall">
+            <filterchain><expandproperties/></filterchain>
+        </copy>
+
+        <!-- Copy of the jar is needed for preinstall tasks -->
+        <copy todir="${build.dir}/scripts/payload">
+            <fileset dir="${dist.dir}"/>
+        </copy>
+
+        <chmod perm="a+x" type="file">
+            <fileset dir="${build.dir}/scripts">
+                <include name="preinstall"/>
+                <include name="postinstall"/>
+            </fileset>
+            <fileset dir="${build.dir}/scripts/payload">
+                <include name="**/${project.name}"/>
+                <include name="**/uninstall"/>
+            </fileset>
+        </chmod>
+
+        <!-- Disable signing and append "-community" if id is missing -->
+        <exec executable="bash" failonerror="false" resultproperty="codesign.qz">
+            <arg value="-c"/>
+            <arg value="security find-identity -v |grep '(${apple.packager.signid})'"/>
+        </exec>
+        <!-- pkgbuild will fail on blank options; use ownership flag as a dummy fallback  -->
+        <condition property="codesign.qz.cmd" value="--sign" else="--ownership">
+            <equals arg1="${codesign.qz}" arg2="0"/>
+        </condition>
+        <condition property="codesign.qz.val" value="${apple.packager.signid}" else="recommended">
+            <equals arg1="${codesign.qz}" arg2="0"/>
+        </condition>
+        <condition property="codesign.qz.suffix" value="" else="-community">
+            <equals arg1="${codesign.qz}" arg2="0"/>
+        </condition>
+
+        <exec executable="pkgbuild" failonerror="true">
+            <arg value="--identifier"/>
+            <arg value="${project.filename}"/>
+
+            <arg value="--nopayload"/>
+
+            <arg value="--install-location"/>
+            <arg value="/Applications/${project.name}.app"/>
+
+            <arg value="--scripts"/>
+            <arg value="${build.dir}/scripts"/>
+
+            <arg value="--version"/>
+            <arg value="${build.version}"/>
+
+            <arg value="${codesign.qz.cmd}"/>
+            <arg value="${codesign.qz.val}"/>
+
+            <arg value="${out.dir}/${project.filename}${build.type}-${build.version}${codesign.qz.suffix}.pkg"/>
+        </exec>
+
+        <!-- Cleanup lingering files (for other OS installers) -->
+        <delete dir="${dist.dir}/Contents/Resources"/>
+        <delete dir="${dist.dir}/Contents/MacOS"/>
+    </target>
+
+    <target name="codesign-jars" if="codesign.mac">
+        <property file="ant/apple/apple.properties"/>
+        <exec executable="security">
+            <arg value="add-certificates"/>
+            <arg value="${basedir}/ant/apple/certs/apple-packager.cer"/>
+            <arg value="${basedir}/ant/apple/certs/apple-intermediate.cer"/>
+            <arg value="${basedir}/ant/apple/certs/apple-codesign.cer"/>
+        </exec>
+        <antcall target="codesign-libs">
+            <param name="signing.jarname" value="communication/jna-*.jar"/>
+            <param name="signing.excluded" value="communication/jna-platform-*.jar"/>
+            <param name="signing.filetype" value="*.jnilib"/>
+        </antcall>
+        <antcall target="codesign-libs">
+            <param name="signing.jarname" value="communication/jssc-*.jar"/>
+            <param name="signing.filetype" value="*.dylib"/>
+        </antcall>
+        <antcall target="codesign-libs">
+            <param name="signing.jarname" value="communication/hid4java-*.jar"/>
+            <param name="signing.filetype" value="*.dylib"/>
+        </antcall>
+        <antcall target="codesign-libs">
+            <param name="signing.jarname" value="communication/libusb4java-*-osx-x86.jar"/>
+            <param name="signing.filetype" value="*.dylib"/>
+        </antcall>
+        <antcall target="codesign-libs">
+            <param name="signing.jarname" value="communication/libusb4java-*-osx-x86_64.jar"/>
+            <param name="signing.filetype" value="*.dylib"/>
+        </antcall>
+        <!-- Manually sign standalone libs -->
+        <!--use xargs to loop over and codesign all files-->
+        <echo level="info" message="Signing ${dist.dir}/libs/*.dylib using ${apple.packager.signid}"/>
+        <exec executable="bash" failonerror="true">
+            <arg value="-c"/>
+            <arg value="echo &quot;$(find ${dist.dir}/libs/*.dylib)&quot; |tr ':' '\n' |xargs codesign -s &quot;${apple.packager.signid}&quot; -v"/>
+        </exec>
+
+    </target>
+
+    <target name="codesign-libs">
+        <path id="found.jar">
+            <first>
+                <fileset dir="lib">
+                    <include name="**/${signing.jarname}"/>
+                    <exclude name="**/${signing.excluded}" if="signing.excluded"/>
+                </fileset>
+            </first>
+        </path>
+        <pathconvert property="found.jar.path" refid="found.jar"/>
+
+        <unzip src="${found.jar.path}" dest="${out.dir}/jar-signing"/>
+        <path id="found.files">
+            <fileset dir="${out.dir}/jar-signing">
+                <include name="**/${signing.filetype}"/>
+            </fileset>
+        </path>
+        <pathconvert property="found.files.paths" refid="found.files" pathsep=" "/>
+
+        <!-- No-op: makes IntelliJ happy with the undefined "signing.delete" -->
+        <condition description="suppress property warning" property="signing.delete" value="${signing.delete}">
+            <isset property="signing.delete"/>
+        </condition>
+        <delete verbose="true">
+            <fileset dir="${out.dir}/jar-signing">
+                <include name="**/${signing.delete}" if="signing.delete"/>
+            </fileset>
+        </delete>
+
+        <!-- Use xargs to loop over and codesign all files-->
+        <echo message="Signing ${found.jar.path} using ${apple.packager.signid}"/>
+        <exec executable="bash" failonerror="true">
+            <arg value="-c"/>
+            <arg value="echo &quot;${found.files.paths}&quot; |tr ':' '\n' |xargs codesign -s &quot;${apple.packager.signid}&quot; -v"/>
+        </exec>
+
+        <pathconvert property="found.jar.rel">
+            <path refid="found.jar"/>
+            <globmapper from="${basedir}/*" to="*" handledirsep="true"/>
+        </pathconvert>
+        <zip destfile="${sign.lib.dir}/${found.jar.rel}" basedir="${out.dir}/jar-signing" excludes="dont*.*"/>
+
+        <!-- Cleanup temp folder-->
+        <delete dir="${out.dir}/jar-signing"/>
+    </target>
+</project>
diff --git a/ant/javafx.xml b/ant/javafx.xml
@@ -1,29 +1,33 @@
 <project name="javafx" default="download-javafx" basedir="..">
+    <property file="ant/project.properties"/>
+    <import file="${basedir}/ant/version.xml"/>
     <target name="download-javafx" depends="get-current-platform,download-javafx-windows,download-javafx-mac,download-javafx-linux,copy-native-current,copy-native-target,show-javafx-debug">
     </target>
 
     <!-- Show detailed javafx download details, comment-out to disable -->
     <property name="show.javafx.debug" value="true"/>
 
     <target name="show-javafx-debug" if="show.javafx.debug">
-        <echo>Windows:</echo>
-        <echo> current.platform.windows=${current.platform.windows}</echo>
-        <echo> target.platform.windows=${target.platform.windows}</echo>
-        <echo> javafx.windows.needed=${javafx.windows.needed}</echo>
-        <echo> javafx.windows.found=${javafx.windows.found} (before download)</echo>
-        <echo/>
-        <echo>Mac:</echo>
-        <echo> current.platform.mac=${current.platform.mac}</echo>
-        <echo> target.platform.mac=${target.platform.mac}</echo>
-        <echo> javafx.mac.needed=${javafx.mac.needed}</echo>
-        <echo> javafx.mac.found=${javafx.mac.found} (before download)</echo>
-        <echo/>
-        <echo>Linux:</echo>
-        <echo> current.platform.linux=${current.platform.linux}</echo>
-        <echo> target.platform.linux=${target.platform.linux}</echo>
-        <echo> javafx.linux.needed=${javafx.linux.needed}</echo>
-        <echo> javafx.linux.found=${javafx.linux.found} (before download)</echo>
-        <echo/>
+        <echo level="info">
+        Windows:
+            current.platform.windows=${current.platform.windows}
+            target.platform.windows=${target.platform.windows}
+            javafx.windows.needed=${javafx.windows.needed}
+            javafx.windows.found=${javafx.windows.found} (before download)
+
+        Mac:
+            current.platform.mac=${current.platform.mac}
+            target.platform.mac=${target.platform.mac}
+            javafx.mac.needed=${javafx.mac.needed}
+            javafx.mac.found=${javafx.mac.found} (before download)
+
+        Linux:
+            current.platform.linux=${current.platform.linux}
+            target.platform.linux=${target.platform.linux}
+            javafx.linux.needed=${javafx.linux.needed}
+            javafx.linux.found=${javafx.linux.found} (before download)
+
+        </echo>
     </target>
 
     <target name="get-current-platform">
@@ -64,6 +68,7 @@
                 </tokenfilter>
             </filterchain>
         </loadresource>
+        <property description="suppress property warning" name="javafx.version-url" value="something went wrong"/>
     </target>
 
     <!-- Flags if javafx is needed for a particular platform-->
@@ -110,7 +115,7 @@
     </target>
 
     <!-- Downloads and extracts javafx for the specified platform -->
-    <target name="download-javafx-platform">
+    <target name="download-javafx-platform" depends="get-javafx-version">
         <get src="${javafx.mirror}/javafx-${javafx.version-url}-sdk-${javafx.platform}/" verbose="true" dest="javafx-${javafx.platform}.zip"/>
         <unzip src="javafx-${javafx.platform}.zip" dest="lib/javafx/${javafx.platform}" overwrite="true"/>
         <delete file="javafx-${javafx.platform}.zip"/>
@@ -137,7 +142,7 @@
         <condition property="javafx.current.extension" value="so">
             <isset property="current.platform.linux"/>
         </condition>
-        <echo>javafx.current.extension=${javafx.current.extension}</echo>
+        <echo level="info">javafx.current.extension=${javafx.current.extension}</echo>
 
         <antcall target="copy-native-platform">
             <param name="dest.dir" value="${dist.dir}"/>
@@ -157,7 +162,7 @@
         <condition property="javafx.target.extension" value="so">
             <isset property="target.platform.linux"/>
         </condition>
-        <echo>javafx.target.extension=${javafx.target.extension}</echo>
+        <echo level="info">javafx.target.extension=${javafx.target.extension}</echo>
 
         <antcall target="copy-native-platform">
             <param name="dest.dir" value="${dist.dir}"/>
@@ -166,8 +171,9 @@
         </antcall>
     </target>
 
-    <!-- Cleanup dist directory for packaging -->
-    <target name="cleanup-javafx-dist" if="javafx.target.extension" >
+    <!-- Tidy dist directory for packaging -->
+    <target name="tidy-javafx-dist" if="javafx.target.extension">
+        <echo level="info">Removing non-${javafx.target.extension} files</echo>
         <delete>
             <fileset dir="${dist.dir}/libs">
                 <include name="**"/>
@@ -192,29 +198,29 @@
                 <include name="**/glass.dll"/>
             </fileset>
         </first>
-        <condition property="javafx.windows.found" value="${toString:windows-found}">
-            <not><equals arg1="${toString:windows-found}" arg2=""/></not>
+        <pathconvert property="javafx.windows.files" refid="windows-found"/>
+        <condition property="javafx.windows.found" value="${javafx.windows.files}">
+            <not><equals arg1="${javafx.windows.files}" arg2=""/></not>
         </condition>
-        <property name="javafx.windows.files" value="${toString:windows-found}"/>
 
         <first id="mac-found">
             <fileset dir="lib">
                 <include name="**/libglass.dylib"/>
             </fileset>
         </first>
-        <condition property="javafx.mac.found" value="${toString:mac-found}">
-            <not><equals arg1="${toString:mac-found}" arg2=""/></not>
+        <pathconvert property="javafx.mac.files" refid="mac-found"/>
+        <condition property="javafx.mac.found" value="${javafx.mac.files}">
+            <not><equals arg1="${javafx.mac.files}" arg2=""/></not>
         </condition>
-        <property name="javafx.mac.files" value="${toString:mac-found}"/>
 
         <first id="linux-found">
             <fileset dir="lib">
                 <include name="**/libglass.so"/>
             </fileset>
         </first>
-        <condition property="javafx.linux.found" value="${toString:linux-found}">
-            <not><equals arg1="${toString:linux-found}" arg2=""/></not>
+        <pathconvert property="javafx.linux.files" refid="linux-found"/>
+        <condition property="javafx.linux.found" value="${javafx.linux.files}">
+            <not><equals arg1="${javafx.linux.files}" arg2=""/></not>
         </condition>
-        <property name="javafx.linux.files" value="${toString:linux-found}"/>
     </target>
 </project>
diff --git a/ant/lib/slim-icu.py b/ant/lib/slim-icu.py
@@ -1,7 +1,22 @@
-# Download icu4j source code, build using ant,
-# it will generate icu4j.jar and icu4j-charset.jar
-# Run slim-icu.py to generate slim version
-# Currently this script will only keep Arabic and English data
+# 2018 Yohanes Nugroho <[email protected]> (@yohanes)
+#
+# 1. Download icu4j source code, build using ant.
+#    It will generate icu4j.jar and icu4j-charset.jar
+#
+# 2. Run slim-icu.py to generate slim version.
+#
+#    To invoke from ant, add python to $PATH
+#    and add the following to build.xml:
+#
+#      <target name="distill-icu" depends="init">
+#          <exec executable="python">
+#              <arg line="ant/lib/slim-icu.py lib/charsets"/>
+#          </exec>
+#      </target>
+#
+#      ... then call: ant distill-icu
+#
+# 3. Overwrite files in lib/charsets/
 
 # slim ICU
 import sys