Get back to original

buildbot/config/worker/blender/sign.py

@@ -0,0 +1,205 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# SPDX-FileCopyrightText: 2011-2024 Blender Authors
+# <pep8 compliant>
+
+import pathlib
+import sys
+
+from typing import Optional, Sequence
+
+import worker.blender
+import worker.utils
+
+
+def sign_windows_files(
+    service_env_id: str,
+    file_paths: Sequence[pathlib.Path],
+    description: Optional[str] = None,
+    certificate_id: str = "",
+) -> None:
+    import conf.worker
+
+    worker_config = conf.worker.get_config(service_env_id)
+
+    # TODO: Rotate them if first 1 fails
+    worker_config.sign_code_windows_time_servers[0]
+    server_url = worker_config.sign_code_windows_server_url
+    if not certificate_id:
+        certificate_id = worker_config.sign_code_windows_certificate
+
+    dry_run = False
+    if service_env_id == "LOCAL" and not certificate_id:
+        worker.utils.warning("Performing dry run on LOCAL service environment")
+        dry_run = True
+
+    cmd_args = [
+        sys.executable,
+        "C:\\tools\\codesign.py",
+        "--server-url",
+        worker.utils.HiddenArgument(server_url),
+    ]
+    if description:
+        cmd_args += ["--description", description]
+
+    cmd: worker.utils.CmdSequence = cmd_args
+
+    # Signing one file at a time causes a stampede on servers, resulting in blocking.
+    # Instead sign in chunks of multiple files.
+    chunk_size = 25  # Sign how many files at a time
+    retry_count = 3
+
+    for i in range(0, len(file_paths), chunk_size):
+        file_chunks = file_paths[i : i + chunk_size]
+        worker.utils.call(
+            list(cmd) + list(file_chunks), retry_count=retry_count, dry_run=dry_run
+        )
+
+
+def sign_windows(service_env_id: str, install_path: pathlib.Path) -> None:
+    # TODO: Why use a junction? Is there some failure with long file paths?
+    # worker.utils.info("Creating building link")
+    # temp_build_root_path = pathlib.Path("C:/BlenderTemp")
+    # os.makedirs(temp_build_root_path, exist_ok=True)
+    # orig_install_path = install_path
+    # install_path = temp_build_root_path / install_path.name
+
+    try:
+        # TODO
+        # New-Item -type Junction -path install_path -value orig_install_path
+
+        worker.utils.info("Collecting files to process")
+        file_paths = list(install_path.glob("*.exe"))
+        file_paths += list(install_path.glob("*.dll"))
+        file_paths += list(install_path.glob("*.pyd"))
+        file_paths = [f for f in file_paths if str(f).find("blender.crt") == -1]
+        for f in file_paths:
+            print(f)
+
+        sign_windows_files(service_env_id, file_paths)
+    finally:
+        # worker.utils.info(f"Removing temporary folder {temp_build_root_path}")
+        # worker.utils.remove_dir(temp_build_root_path, retry_count=5, retry_wait_time=5.0)
+
+        # TODO: is this really necessary?
+        # worker.utils.info("Flushing volume cache...")
+        # Write-VolumeCache -DriveLetter C
+
+        # core_shell_retry_command -retry_count 5 -delay_in_milliseconds 1000 -script_block `
+        #    worker.utils.info("Junction information...")
+        #    junction = Get-Item -Path install_path
+        #    worker.utils.info(junction | Format-Table)
+        #    worker.utils.info("Attempting to remove...")
+        #    junction.Delete()
+        #    worker.utils.info("Junction deleted!")
+        pass
+
+    worker.utils.info("End of codesign steps")
+
+
+def sign_darwin_files(
+    builder: worker.blender.CodeBuilder,
+    file_paths: Sequence[pathlib.Path],
+    entitlements_file_name: str,
+) -> None:
+    entitlements_path = (
+        builder.code_path / "release" / "darwin" / entitlements_file_name
+    )
+
+    if not entitlements_path.exists():
+        raise Exception(f"File {entitlements_path} not found, aborting")
+
+    worker_config = builder.get_worker_config()
+    certificate_id = worker_config.sign_code_darwin_certificate
+
+    dry_run = False
+    if builder.service_env_id == "LOCAL" and not certificate_id:
+        worker.utils.warning("Performing dry run on LOCAL service environment")
+        dry_run = True
+
+    keychain_password = worker_config.darwin_keychain_password(builder.service_env_id)
+    cmd: worker.utils.CmdSequence = [
+        "security",
+        "unlock-keychain",
+        "-p",
+        worker.utils.HiddenArgument(keychain_password),
+    ]
+    worker.utils.call(cmd, dry_run=dry_run)
+
+    for file_path in file_paths:
+        if file_path.is_dir() and file_path.suffix != ".app":
+            continue
+
+        # Remove signature
+        if file_path.suffix != ".dmg":
+            worker.utils.call(
+                ["codesign", "--remove-signature", file_path],
+                exit_on_error=False,
+                dry_run=dry_run,
+            )
+
+        # Add signature
+        worker.utils.call(
+            [
+                "codesign",
+                "--force",
+                "--timestamp",
+                "--options",
+                "runtime",
+                f"--entitlements={entitlements_path}",
+                "--sign",
+                certificate_id,
+                file_path,
+            ],
+            retry_count=3,
+            dry_run=dry_run,
+        )
+        if file_path.suffix == ".app":
+            worker.utils.info(f"Vaildating app bundle {file_path}")
+            worker.utils.call(
+                ["codesign", "-vvv", "--deep", "--strict", file_path], dry_run=dry_run
+            )
+
+
+def sign_darwin(builder: worker.blender.CodeBuilder) -> None:
+    bundle_path = builder.install_dir / "Blender.app"
+
+    # Executables
+    sign_path = bundle_path / "Contents" / "MacOS"
+    worker.utils.info(f"Collecting files to process in {sign_path}")
+    sign_darwin_files(builder, list(sign_path.rglob("*")), "entitlements.plist")
+
+    # Thumbnailer app extension.
+    thumbnailer_appex_path = (
+        bundle_path / "Contents" / "PlugIns" / "blender-thumbnailer.appex"
+    )
+    if thumbnailer_appex_path.exists():
+        sign_path = thumbnailer_appex_path / "Contents" / "MacOS"
+        worker.utils.info(f"Collecting files to process in {sign_path}")
+        sign_darwin_files(
+            builder, list(sign_path.rglob("*")), "thumbnailer_entitlements.plist"
+        )
+
+    # Shared librarys and Python
+    sign_path = bundle_path / "Contents" / "Resources"
+    worker.utils.info(f"Collecting files to process in {sign_path}")
+    file_paths = list(
+        set(sign_path.rglob("*.dylib"))
+        | set(sign_path.rglob("*.so"))
+        | set(sign_path.rglob("python3.*"))
+    )
+    sign_darwin_files(builder, file_paths, "entitlements.plist")
+
+    # Bundle
+    worker.utils.info(f"Signing app bundle {bundle_path}")
+    sign_darwin_files(builder, [bundle_path], "entitlements.plist")
+
+
+def sign(builder: worker.blender.CodeBuilder) -> None:
+    builder.setup_build_environment()
+
+    if builder.platform == "windows":
+        sign_windows(builder.service_env_id, builder.install_dir)
+    elif builder.platform == "darwin":
+        sign_darwin(builder)
+    else:
+        worker.utils.info("No code signing to be done on this platform")