Pull request 185: TRUST-428 add binary build universal for macos

Squashed commit of the following:

commit 01359b7031
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Mon Mar 23 21:26:58 2026 +0500

    Update prebuilt-arch list in README.md

commit 2dd63cb81a
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Tue Mar 17 13:49:28 2026 +0500

    More unification with client build

commit 6fb885198d
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Tue Mar 17 13:47:24 2026 +0500

    Add Gemfile.lock

commit 62a2ee7feb
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 21:00:15 2026 +0500

    More unification with trusttunnel-client deployment plan

commit e60ac36d5a
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 20:49:06 2026 +0500

    Remove REPO_ROOT variable

commit 145949a852
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 20:42:16 2026 +0500

    Unify codesign approach with trusttunnel-client

commit 38baac17fe
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 18:26:00 2026 +0500

    Use separate macOS notarization identifier for setup_wizard

commit 296e7ea9ab
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 18:17:57 2026 +0500

    Integrate fastlane-based macOS signing into Bamboo deploy pipeline

commit e2c3bede74
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 18:12:26 2026 +0500

    Add supporting fastlane files for macOS release signing

commit 8e2bc2e87d
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 18:06:28 2026 +0500

    Add fastlane automation for macOS endpoint release signing

commit af89eef0f3
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 17:40:06 2026 +0500

    Add macOS dSYM artifacts to Bamboo deploy pipeline

commit 21cd7d99d7
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date:   Fri Mar 13 17:30:24 2026 +0500

    Add universal macOS release artifact to Bamboo deploy pipeline
This commit is contained in:
Ilia Zhirov 2026-03-25 11:45:50 +00:00 committed by Sergey Fionov
parent f0d445adc9
commit 4b9aa62600
10 changed files with 650 additions and 27 deletions

7
Gemfile Normal file

@ -0,0 +1,7 @@
source "https://rubygems.org"
gem "cocoapods", "1.12.1"
gem "fastlane"
# https://github.com/fastlane/fastlane/issues/29183
gem "abbrev"
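Review bot: `gem "fastlane"` has no version constraint while `cocoapods` is pinned to 1.12.1, so the Gemfile on its own allows any fastlane release into the job that handles the Developer ID certificate; add a constraint such as `gem "fastlane", "~> 2.227"` to match the version in Gemfile.lock. None of the lanes in fastlane/Fastfile or the helpers in fastlane/Subroutings call CocoaPods, so consider dropping `cocoapods` and the transitive gems it pulls in, unless something outside this diff needs it.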

305
Gemfile.lock Normal file

@ -0,0 +1,305 @@
GEM
remote: https://rubygems.org/
specs:
CFPropertyList (3.0.7)
base64
nkf
rexml
abbrev (0.1.2)
activesupport (7.2.2.1)
base64
benchmark (>= 0.3)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.3.1)
connection_pool (>= 2.2.5)
drb
i18n (>= 1.6, < 2)
logger (>= 1.4.2)
minitest (>= 5.1)
securerandom (>= 0.3)
tzinfo (~> 2.0, >= 2.0.5)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
algoliasearch (1.27.5)
httpclient (~> 2.8, >= 2.8.3)
json (>= 1.5.1)
artifactory (3.0.17)
atomos (0.1.3)
aws-eventstream (1.3.2)
aws-partitions (1.1106.0)
aws-sdk-core (3.224.0)
aws-eventstream (~> 1, >= 1.3.0)
aws-partitions (~> 1, >= 1.992.0)
aws-sigv4 (~> 1.9)
base64
jmespath (~> 1, >= 1.6.1)
logger
aws-sdk-kms (1.101.0)
aws-sdk-core (~> 3, >= 3.216.0)
aws-sigv4 (~> 1.5)
aws-sdk-s3 (1.186.1)
aws-sdk-core (~> 3, >= 3.216.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.5)
aws-sigv4 (1.11.0)
aws-eventstream (~> 1, >= 1.0.2)
babosa (1.0.4)
base64 (0.2.0)
benchmark (0.4.0)
bigdecimal (3.1.9)
claide (1.1.0)
cocoapods (1.12.1)
addressable (~> 2.8)
claide (>= 1.0.2, < 2.0)
cocoapods-core (= 1.12.1)
cocoapods-deintegrate (>= 1.0.3, < 2.0)
cocoapods-downloader (>= 1.6.0, < 2.0)
cocoapods-plugins (>= 1.0.0, < 2.0)
cocoapods-search (>= 1.0.0, < 2.0)
cocoapods-trunk (>= 1.6.0, < 2.0)
cocoapods-try (>= 1.1.0, < 2.0)
colored2 (~> 3.1)
escape (~> 0.0.4)
fourflusher (>= 2.3.0, < 3.0)
gh_inspector (~> 1.0)
molinillo (~> 0.8.0)
nap (~> 1.0)
ruby-macho (>= 2.3.0, < 3.0)
xcodeproj (>= 1.21.0, < 2.0)
cocoapods-core (1.12.1)
activesupport (>= 5.0, < 8)
addressable (~> 2.8)
algoliasearch (~> 1.0)
concurrent-ruby (~> 1.1)
fuzzy_match (~> 2.0.4)
nap (~> 1.0)
netrc (~> 0.11)
public_suffix (~> 4.0)
typhoeus (~> 1.0)
cocoapods-deintegrate (1.0.5)
cocoapods-downloader (1.6.3)
cocoapods-plugins (1.0.0)
nap
cocoapods-search (1.0.1)
cocoapods-trunk (1.6.0)
nap (>= 0.8, < 2.0)
netrc (~> 0.11)
cocoapods-try (1.2.0)
colored (1.2)
colored2 (3.1.2)
commander (4.6.0)
highline (~> 2.0.0)
concurrent-ruby (1.3.5)
connection_pool (2.5.3)
declarative (0.0.20)
digest-crc (0.7.0)
rake (>= 12.0.0, < 14.0.0)
domain_name (0.6.20240107)
dotenv (2.8.1)
drb (2.2.3)
emoji_regex (3.2.3)
escape (0.0.4)
ethon (0.16.0)
ffi (>= 1.15.0)
excon (0.112.0)
faraday (1.10.4)
faraday-em_http (~> 1.0)
faraday-em_synchrony (~> 1.0)
faraday-excon (~> 1.1)
faraday-httpclient (~> 1.0)
faraday-multipart (~> 1.0)
faraday-net_http (~> 1.0)
faraday-net_http_persistent (~> 1.0)
faraday-patron (~> 1.0)
faraday-rack (~> 1.0)
faraday-retry (~> 1.0)
ruby2_keywords (>= 0.0.4)
faraday-cookie_jar (0.0.7)
faraday (>= 0.8.0)
http-cookie (~> 1.0.0)
faraday-em_http (1.0.0)
faraday-em_synchrony (1.0.0)
faraday-excon (1.1.0)
faraday-httpclient (1.0.1)
faraday-multipart (1.1.0)
multipart-post (~> 2.0)
faraday-net_http (1.0.2)
faraday-net_http_persistent (1.2.0)
faraday-patron (1.0.0)
faraday-rack (1.0.0)
faraday-retry (1.0.3)
faraday_middleware (1.2.1)
faraday (~> 1.0)
fastimage (2.4.0)
fastlane (2.227.2)
CFPropertyList (>= 2.3, < 4.0.0)
addressable (>= 2.8, < 3.0.0)
artifactory (~> 3.0)
aws-sdk-s3 (~> 1.0)
babosa (>= 1.0.3, < 2.0.0)
bundler (>= 1.12.0, < 3.0.0)
colored (~> 1.2)
commander (~> 4.6)
dotenv (>= 2.1.1, < 3.0.0)
emoji_regex (>= 0.1, < 4.0)
excon (>= 0.71.0, < 1.0.0)
faraday (~> 1.0)
faraday-cookie_jar (~> 0.0.6)
faraday_middleware (~> 1.0)
fastimage (>= 2.1.0, < 3.0.0)
fastlane-sirp (>= 1.0.0)
gh_inspector (>= 1.1.2, < 2.0.0)
google-apis-androidpublisher_v3 (~> 0.3)
google-apis-playcustomapp_v1 (~> 0.1)
google-cloud-env (>= 1.6.0, < 2.0.0)
google-cloud-storage (~> 1.31)
highline (~> 2.0)
http-cookie (~> 1.0.5)
json (< 3.0.0)
jwt (>= 2.1.0, < 3)
mini_magick (>= 4.9.4, < 5.0.0)
multipart-post (>= 2.0.0, < 3.0.0)
naturally (~> 2.2)
optparse (>= 0.1.1, < 1.0.0)
plist (>= 3.1.0, < 4.0.0)
rubyzip (>= 2.0.0, < 3.0.0)
security (= 0.1.5)
simctl (~> 1.6.3)
terminal-notifier (>= 2.0.0, < 3.0.0)
terminal-table (~> 3)
tty-screen (>= 0.6.3, < 1.0.0)
tty-spinner (>= 0.8.0, < 1.0.0)
word_wrap (~> 1.0.0)
xcodeproj (>= 1.13.0, < 2.0.0)
xcpretty (~> 0.4.1)
xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
fastlane-sirp (1.0.0)
sysrandom (~> 1.0)
ffi (1.17.2-arm64-darwin)
fourflusher (2.3.1)
fuzzy_match (2.0.4)
gh_inspector (1.1.3)
google-apis-androidpublisher_v3 (0.54.0)
google-apis-core (>= 0.11.0, < 2.a)
google-apis-core (0.11.3)
addressable (~> 2.5, >= 2.5.1)
googleauth (>= 0.16.2, < 2.a)
httpclient (>= 2.8.1, < 3.a)
mini_mime (~> 1.0)
representable (~> 3.0)
retriable (>= 2.0, < 4.a)
rexml
google-apis-iamcredentials_v1 (0.17.0)
google-apis-core (>= 0.11.0, < 2.a)
google-apis-playcustomapp_v1 (0.13.0)
google-apis-core (>= 0.11.0, < 2.a)
google-apis-storage_v1 (0.31.0)
google-apis-core (>= 0.11.0, < 2.a)
google-cloud-core (1.8.0)
google-cloud-env (>= 1.0, < 3.a)
google-cloud-errors (~> 1.0)
google-cloud-env (1.6.0)
faraday (>= 0.17.3, < 3.0)
google-cloud-errors (1.5.0)
google-cloud-storage (1.47.0)
addressable (~> 2.8)
digest-crc (~> 0.4)
google-apis-iamcredentials_v1 (~> 0.1)
google-apis-storage_v1 (~> 0.31.0)
google-cloud-core (~> 1.6)
googleauth (>= 0.16.2, < 2.a)
mini_mime (~> 1.0)
googleauth (1.8.1)
faraday (>= 0.17.3, < 3.a)
jwt (>= 1.4, < 3.0)
multi_json (~> 1.11)
os (>= 0.9, < 2.0)
signet (>= 0.16, < 2.a)
highline (2.0.3)
http-cookie (1.0.8)
domain_name (~> 0.5)
httpclient (2.9.0)
mutex_m
i18n (1.14.7)
concurrent-ruby (~> 1.0)
jmespath (1.6.2)
json (2.12.0)
jwt (2.10.1)
base64
logger (1.7.0)
mini_magick (4.13.2)
mini_mime (1.1.5)
minitest (5.25.5)
molinillo (0.8.0)
multi_json (1.15.0)
multipart-post (2.4.1)
mutex_m (0.3.0)
nanaimo (0.4.0)
nap (1.1.0)
naturally (2.2.1)
netrc (0.11.0)
nkf (0.2.0)
optparse (0.6.0)
os (1.1.4)
plist (3.7.2)
public_suffix (4.0.7)
rake (13.2.1)
representable (3.2.0)
declarative (< 0.1.0)
trailblazer-option (>= 0.1.1, < 0.2.0)
uber (< 0.2.0)
retriable (3.1.2)
rexml (3.4.1)
rouge (3.28.0)
ruby-macho (2.5.1)
ruby2_keywords (0.0.5)
rubyzip (2.4.1)
securerandom (0.4.1)
security (0.1.5)
signet (0.20.0)
addressable (~> 2.8)
faraday (>= 0.17.5, < 3.a)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
simctl (1.6.10)
CFPropertyList
naturally
sysrandom (1.0.5)
terminal-notifier (2.0.0)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
trailblazer-option (0.1.2)
tty-cursor (0.7.1)
tty-screen (0.8.2)
tty-spinner (0.9.3)
tty-cursor (~> 0.7)
typhoeus (1.4.1)
ethon (>= 0.9.0)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
uber (0.1.0)
unicode-display_width (2.6.0)
word_wrap (1.0.0)
xcodeproj (1.27.0)
CFPropertyList (>= 2.3.3, < 4.0)
atomos (~> 0.1.3)
claide (>= 1.0.2, < 2.0)
colored2 (~> 3.1)
nanaimo (~> 0.4.0)
rexml (>= 3.3.6, < 4.0)
xcpretty (0.4.1)
rouge (~> 3.28.0)
xcpretty-travis-formatter (1.0.1)
xcpretty (~> 0.2, >= 0.0.7)
PLATFORMS
arm64-darwin-22
arm64-darwin-24
DEPENDENCIES
abbrev
cocoapods (= 1.12.1)
fastlane
BUNDLED WITH
2.6.9
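Review bot: the lockfile ends at `BUNDLED WITH 2.6.9` with no `CHECKSUMS` section, so gems are pinned by version only and not by content hash. Bundler 2.6 can record them with `bundle lock --add-checksums`, which is worth having for dependencies that run next to the signing keychain. `PLATFORMS` lists only `arm64-darwin-22` and `arm64-darwin-24`, and `ffi` is locked to `1.17.2-arm64-darwin`, so check that the build agent image installs from this lock without rewriting it.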


@ -118,8 +118,8 @@ curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/
```
> [!NOTE]
> Currently only `linux-x86_64` and `linux-aarch64` architectures are provided
> for the prebuilt packages.
> Prebuilt packages are available for `linux-x86_64`, `linux-aarch64`, and
> `macos-universal` (Intel and Apple Silicon) architectures.
#### Updating the endpoint


@ -13,7 +13,7 @@ stages:
final: false
jobs:
- Build on Linux
# - Build on macOS
- Build on macOS
- Deploy artifacts:
manual: false
final: false
@ -134,30 +134,96 @@ Build on Linux:
required: true
shared: true
# Build on macOS:
# key: BM
# tasks:
# - checkout:
# description: Checkout Default Repository
# force-clean-build: 'true'
# - script:
# interpreter: SHELL
# scripts:
# - |-
# #!/bin/bash
# set -x -e
# cargo build --release --target x86_64-apple-darwin
# cp target/x86_64-apple-darwin/release/trusttunnel_endpoint target/trusttunnel_endpoint.osx-x86_64
# requirements:
# - ephemeral
# - image: registry.int.agrd.dev/macos/sequoia-build-agent-xcode16.1:latest
# artifact-subscriptions: [ ]
# artifacts:
# - name: Build result macOS
# location: target
# pattern: 'trusttunnel_endpoint.osx-x86_64'
# required: false
# shared: true
Build on macOS:
key: BM
tasks:
- checkout:
description: Checkout Default Repository
force-clean-build: 'true'
- script:
interpreter: SHELL
scripts:
- |-
#!/bin/bash
set -x -e
ENDPOINT_ROOT=${PWD}
CODESIGN_IDENTITY="Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)"
CODESIGN_IDENTIFIER="com.adguard.trusttunnel.endpoint"
export BUILD_DIR=build_macos
printf "%b\n" "${bamboo_sshSecretKey}" | ssh-add -
bundle config --local path '.bundle/vendor'
bundle config
bundle install
bundle exec fastlane remove_certs || true
bundle exec fastlane certs
mkdir -p build_macos
VERSION=$(cat endpoint/Cargo.toml | grep "version = " | head -n 1 | sed -e 's/version = "\(.*\)"/\1/')
GPG_KEY=devteam@adguard.com
echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\
| awk '{ gsub(/\\n/, "\n"); print; }'\
| gpg --import --batch --yes
cargo build --release --target x86_64-apple-darwin
cargo build --release --target aarch64-apple-darwin
lipo -create \
-output build_macos/trusttunnel_endpoint \
target/x86_64-apple-darwin/release/trusttunnel_endpoint \
target/aarch64-apple-darwin/release/trusttunnel_endpoint
lipo -create \
-output build_macos/setup_wizard \
target/x86_64-apple-darwin/release/setup_wizard \
target/aarch64-apple-darwin/release/setup_wizard
lipo -info build_macos/trusttunnel_endpoint
lipo -info build_macos/setup_wizard
dsymutil build_macos/trusttunnel_endpoint -o build_macos/trusttunnel_endpoint.dSYM
dsymutil build_macos/setup_wizard -o build_macos/setup_wizard.dSYM
strip build_macos/trusttunnel_endpoint
strip build_macos/setup_wizard
codesign -f -s "${CODESIGN_IDENTITY}" -i "${CODESIGN_IDENTIFIER}" --options=runtime build_macos/trusttunnel_endpoint
codesign -f -s "${CODESIGN_IDENTITY}" -i "${CODESIGN_IDENTIFIER}" --options=runtime build_macos/setup_wizard
bundle exec fastlane notari id:"${CODESIGN_IDENTIFIER}" bundle:"${ENDPOINT_ROOT}/build_macos/trusttunnel_endpoint"
bundle exec fastlane notari id:"${CODESIGN_IDENTIFIER}" bundle:"${ENDPOINT_ROOT}/build_macos/setup_wizard"
bundle exec fastlane remove_certs || true
pushd build_macos
cp ${ENDPOINT_ROOT}/LICENSE .
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
trusttunnel_endpoint
gpg --default-key "${GPG_KEY}" \
--detach-sig \
--passphrase "${bamboo.gpgPassword}" \
--pinentry-mode loopback \
setup_wizard
NAME=trusttunnel-v${VERSION}-macos-universal
tar zcf ${NAME}.tar.gz -s ",^,${NAME}/," trusttunnel_endpoint trusttunnel_endpoint.sig setup_wizard setup_wizard.sig LICENSE
NAME_DBG=${NAME}-dbgsym
tar zcf ${NAME_DBG}.tar.gz -s ",^,${NAME_DBG}/," trusttunnel_endpoint.dSYM setup_wizard.dSYM
popd
requirements:
- ephemeral
- image: registry.int.agrd.dev/macos/tahoe-build-agent-xcode26.1.1:latest
artifact-subscriptions: [ ]
artifacts:
- name: Build for macOS
location: build_macos
pattern: 'trusttunnel-*.tar.gz'
required: true
shared: true
Deploy artifacts:
key: DA
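Review bot: secrets are expanded while `set -x` is active, in `printf "%b\n" "${bamboo_sshSecretKey}" | ssh-add -`, in the `echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"` pipeline and in both `gpg --passphrase "${bamboo.gpgPassword}"` calls, so the trace prints their values into the build output unless log masking catches every one, and the passphrase is also visible in the process argument list. Wrap those commands in `set +x` / `set -x` and pass the passphrase with `--passphrase-fd` or `--passphrase-file` instead of on the command line. Two smaller points: with `set -e`, a failure in `codesign` or `notari` exits before the final `bundle exec fastlane remove_certs`, so move the cleanup into a `trap ... EXIT`; and `bundle install` runs without frozen mode, so set `BUNDLE_FROZEN=true` to make the job fail if Gemfile.lock would change.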
@ -210,11 +276,15 @@ Deploy artifacts:
gh release upload ${TAG} ../build_linux/trusttunnel-v${VERSION}-linux-aarch64.tar.gz
gh release upload ${TAG} ../build_linux/trusttunnel-v${VERSION}-linux-x86_64-dbgsym.tar.gz
gh release upload ${TAG} ../build_linux/trusttunnel-v${VERSION}-linux-aarch64-dbgsym.tar.gz
gh release upload ${TAG} ../build_macos/trusttunnel-v${VERSION}-macos-universal.tar.gz
gh release upload ${TAG} ../build_macos/trusttunnel-v${VERSION}-macos-universal-dbgsym.tar.gz
requirements:
- adg-privileged-docker
artifact-subscriptions:
- artifact: Build for Linux
destination: build_linux
- artifact: Build for macOS
destination: build_macos
artifacts: []
repositories:

11
fastlane/.env.default Normal file

@ -0,0 +1,11 @@
BUILD_DIR="build_macos"
DEFAULT_PLATFORM="mac"
KEYCHAIN_PATH_LOCAL=true
MATCH_PASSWORD="${bamboo_fastlaneMatchPassword}"
MATCH_KEYCHAIN_PASSWORD="pass-for-local-keychain"
MATCH_KEYCHAIN_NAME="trusttunnel-endpoint.keychain"
MATCH_APP_IDENTIFIER="com.adguard.trusttunnel.endpoint"
MATCH_GIT_URL="ssh://git@${bamboo_bitbucketHostname}:7999/adguard-mac/certificates.git"
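Review bot: `MATCH_KEYCHAIN_PASSWORD="pass-for-local-keychain"` commits a fixed password for the keychain that will hold the Developer ID private key. `MATCH_PASSWORD` in the same file comes from a Bamboo variable; do the same here, or generate a random value per build in the job script. `BUILD_DIR="build_macos"` also means the Fastfile places the keychain under `build_macos/certs`, inside the directory Bamboo collects artifacts from, so a location outside the artifact directory would be safer even though the current pattern only matches `trusttunnel-*.tar.gz`.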

1
fastlane/.gitignore vendored Normal file

@ -0,0 +1 @@
report.xml

96
fastlane/Fastfile Normal file

@ -0,0 +1,96 @@
require 'tmpdir'
import "Subroutings"
before_all do |_lane, _options|
ENV["BUILD_PATH"] ||= File.join(Dir.pwd, ENV["BUILD_DIR"] || "build_macos")
app_store_connect_api_key(
key_id: ENV["bamboo_appStoreConnectApiKeyId"],
issuer_id: ENV["bamboo_appStoreConnectApiKeyIssuerId"],
key_content: ENV["bamboo_appStoreConnectApiKeyBase64Password"],
is_key_content_base64: true,
)
end
desc "Installs or updates certificates for macOS release signing"
lane :certs do |options|
app_id = ENV["MATCH_APP_IDENTIFIER"] || "com.adguard.trusttunnel.endpoint"
keychain_path = nil
if ENV["KEYCHAIN_PATH_LOCAL"] == 'true'
keychain_path = File.join(ENV["BUILD_PATH"], "certs", ENV["MATCH_KEYCHAIN_NAME"])
create_local_keychain(keychain_path)
UI.success("Keychain path: #{keychain_path}")
end
match(
step_name: "Sync Developer id identity and provisioning profiles",
app_identifier: [app_id],
type: "developer_id",
keychain_name: keychain_path,
readonly: "true",
force: "false",
force_for_new_devices: "false",
verbose: options[:verbose].nil? ? "false" : options[:verbose],
git_branch: "standalone",
clone_branch_directly: "true",
shallow_clone: "true",
platform: "macos",
fail_on_name_taken: "true",
skip_provisioning_profiles: "true",
)
end
desc "Remove local keychain, which contains certificates"
lane :remove_certs do |_options|
step_name = "Remove local keychain, which contains certificates"
keychain_path = File.join(ENV["BUILD_PATH"], "certs", ENV["MATCH_KEYCHAIN_NAME"])
if !File.exist?(keychain_path)
Actions.execute_action(step_name) do
UI.success("No local keychain")
end
next
end
delete_keychain(
keychain_path: keychain_path,
step_name: step_name
)
end
desc "Notarize bundle using default credentials"
desc "Required options:"
desc " - bundle: STRING Path to bundle"
desc " - id: STRING Bundle id, used for notary service"
lane :notari do |options|
UI.user_error!("Missing argument: 'id:<BUNDLE_ID>'") if options[:id].nil?
UI.user_error!("Missing argument: 'bundle:<BUNDLE_PATH>'") if options[:bundle].nil?
app_store_connect_api_key(
key_id: ENV["bamboo_appStoreConnectApiKeyId"],
issuer_id: ENV["bamboo_appStoreConnectApiKeyIssuerId"],
key_content: ENV["bamboo_appStoreConnectApiKeyBase64Password"],
is_key_content_base64: true,
)
bundle_path = options[:bundle]
bundle_id = options[:id]
Dir.mktmpdir do |temp_dir|
notari_path = File.join(temp_dir, "to_notarize.zip")
compress_bundle(bundle_path, notari_path)
notarize(
step_name: "Notarizing bundle",
package: notari_path,
use_notarytool: "true",
bundle_id: bundle_id,
skip_stapling: "true",
print_log: "true",
verbose: "false"
)
end
end
ENV["FASTLANE_PROC"] = "true"
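Review bot: `before_all` loads the App Store Connect API key for every lane, although `certs` calls `match` with `readonly: "true"` and `remove_certs` only deletes a keychain, and `notari` repeats the same `app_store_connect_api_key` call itself. Drop the call from `before_all` so the key is read only in the lane that notarizes. In `remove_certs`, `File.join(ENV["BUILD_PATH"], "certs", ENV["MATCH_KEYCHAIN_NAME"])` raises when `MATCH_KEYCHAIN_NAME` is unset, and the job script hides that with `|| true`; fail with `UI.user_error!` or fall back to a default name. The boolean options passed as strings (`readonly: "true"`, `force: "false"`, `skip_stapling: "true"`) would read better as Ruby `true` / `false`, since a non-empty string such as "false" is truthy anywhere it is not coerced.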

3
fastlane/Matchfile Normal file

@ -0,0 +1,3 @@
if ENV["FASTLANE_PROC"].nil?
raise "Use 'fastlane certs' with parameters you need"
end

88
fastlane/README.md Normal file

@ -0,0 +1,88 @@
# fastlane for `vpn-libs-endpoint`
## Purpose
This directory contains the fastlane automation used for macOS release signing
and notarization of:
- `trusttunnel_endpoint`
- `setup_wizard`
The flow was adapted from `trusttunnel-client` to fit the Cargo-based endpoint
repository.
## Prerequisites
Make sure the macOS build environment provides:
- Xcode command line tools
- Ruby with Bundler support
- access to the signing certificate repository used by `match`
- App Store Connect API credentials via Bamboo environment variables
If Xcode command line tools are missing, install them with:
```sh
xcode-select --install
```
Install Ruby dependencies with:
```sh
bundle config --local path '.bundle/vendor'
bundle install
```
## Environment
Example defaults are provided in `.env.default`.
Important environment variables include:
- `BUILD_DIR`
- `MATCH_GIT_URL`
- `MATCH_PASSWORD`
- `MATCH_KEYCHAIN_PASSWORD`
- `MATCH_KEYCHAIN_NAME`
- `MATCH_APP_IDENTIFIER`
- `bamboo_appStoreConnectApiKeyId`
- `bamboo_appStoreConnectApiKeyIssuerId`
- `bamboo_appStoreConnectApiKeyBase64Password`
## Available lanes
### `certs`
```sh
[bundle exec] fastlane certs
```
Syncs the Developer ID signing identity required for macOS release signing.
### `remove_certs`
```sh
[bundle exec] fastlane remove_certs
```
Removes the temporary local keychain created for signing.
### `notari`
```sh
[bundle exec] fastlane notari id:"<bundle_id>" bundle:"<path_to_binary>"
```
Notarizes the specified binary using the default App Store Connect credentials.
Required options:
- `id`: bundle identifier used for notarization
- `bundle`: path to the signed binary
## Notes
- Executables are compressed into a temporary archive before notarization.
- Stapling is intentionally skipped for executables.
- This directory is maintained manually for the endpoint repository and is not
auto-generated.
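Review bot: the Environment list omits variables the rest of the change depends on: `.env.default` sets `KEYCHAIN_PATH_LOCAL` and `DEFAULT_PLATFORM` and reads `bamboo_fastlaneMatchPassword` and `bamboo_bitbucketHostname`, and the build job needs `bamboo_sshSecretKey` to reach the `match` repository. List them here and mark which ones are secrets.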

42
fastlane/Subroutings Normal file

@ -0,0 +1,42 @@
def create_local_keychain(keychain_path)
create_keychain(
unlock: true,
timeout: 0,
add_to_search_list: true,
lock_after_timeout: false,
path: keychain_path,
password: ENV["MATCH_KEYCHAIN_PASSWORD"],
step_name: "Create local keychain for build"
)
keychain_path
end
def compress_bundle(bundle_path, archive_path)
success = true
sh(
"ditto",
"-c",
"-k",
"--rsrc",
"--keepParent",
bundle_path,
archive_path,
error_callback: ->(_result) { success = false },
step_name: "Archiving bundle"
)
UI.user_error!("Failed archiving bundle: #{bundle_path}") unless success
end
def staple_bundle(bundle_path)
success = true
sh(
"xcrun",
"stapler",
"staple",
bundle_path,
error_callback: ->(_result) { success = false },
step_name: "Stapling bundle"
)
UI.user_error!("Failed to staple: #{bundle_path}") unless success
end
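Review bot: `create_local_keychain` creates the keychain with `unlock: true`, `timeout: 0`, `lock_after_timeout: false` and `add_to_search_list: true`, so once `certs` has run the Developer ID key sits in an unlocked keychain on the search list until `remove_certs` succeeds. That is acceptable on an ephemeral agent only if cleanup is guaranteed; otherwise set a finite `timeout` with `lock_after_timeout: true`. `staple_bundle` is not called anywhere in this change (the Fastfile passes `skip_stapling: "true"` and the README says stapling is skipped), so remove it or note why it is kept. The file name `Subroutings` looks like a typo for `Subroutines`.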