Merge branch 'dev' of https://github.com/psychopy/psychopy into dev
Showing
79 changed files
with
1,347 additions
and
634 deletions.
@@ -0,0 +1,63 @@ | ||
name: "CodeQL" | ||
|
||
on: | ||
push: | ||
branches: [ 'dev' ] | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ 'dev' ] | ||
schedule: | ||
- cron: '8 3 * * 3' | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ 'python', 'javascript' ] | ||
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] | ||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
# Initializes the CodeQL tools for scanning. | ||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v3 | ||
with: | ||
languages: ${{ matrix.language }} | ||
# If you wish to specify custom queries, you can do so here or in a config file. | ||
# By default, queries listed here will override any specified in a config file. | ||
# Prefix the list here with "+" to use these queries and those in the config file. | ||
|
||
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
# queries: security-extended,security-and-quality | ||
|
||
|
||
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). | ||
# If this step fails, then you should remove it and run the build manually (see below) | ||
- name: Autobuild | ||
uses: github/codeql-action/autobuild@v3 | ||
|
||
# ℹ️ Command-line programs to run using the OS shell. | ||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | ||
|
||
# If the Autobuild fails above, remove it and uncomment the following three lines. | ||
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. | ||
|
||
# - run: | | ||
# echo "Run, Build Application using script" | ||
# ./location_of_script_within_repo/buildscript.sh | ||
|
||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v3 | ||
with: | ||
category: "/language:${{matrix.language}}" |
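Review bot: The `uses:` references (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`) are pinned to mutable major-version tags, so this job silently runs whatever those tags move to; for a workflow granted `security-events: write` it is worth pinning each to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`. The `Autobuild` step does no compilation for the `python`/`javascript` matrix chosen here and, together with the commented-out build-script scaffolding, could likely be dropped so the file shows only what actually runs. The `permissions` block is otherwise correctly scoped to read-only on `actions` and `contents`.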
@@ -11,7 +11,6 @@ | |
import time, sys, os | ||
import argparse | ||
import shutil | ||
import dmgbuild | ||
import argparse | ||
|
||
thisFolder = Path(__file__).parent | ||
|
@@ -23,6 +22,7 @@ | |
USERNAME = "[email protected]" | ||
|
||
SIGN_ALL = True | ||
logFile = open("_lastCodeSign.log", "w") | ||
|
||
# handy resources for info: | ||
# | ||
|
@@ -79,12 +79,15 @@ def signAll(self, verbose=None): | |
|
||
# ready? Let's do this! | ||
t0 = time.time() | ||
print(f"Signing dylibs...see {logFile.name} for details. key: \n" | ||
" . success\n" | ||
" o already signed\n" | ||
" - failed (deleted)\n" | ||
" X failed (couldn't delete)") | ||
for filename in files: | ||
print('.', end='') | ||
sys.stdout.flush() | ||
if filename.exists(): # might have been removed since glob | ||
self.signSingleFile(filename, verbose=False, removeFailed=True) | ||
print(f'...done signing dylibs in {time.time()-t0:.03f}s') | ||
print(f'\n...done signing dylibs in {time.time()-t0:.03f}s') | ||
|
||
# then sign the outer app file | ||
print('Signing app') | ||
|
@@ -94,36 +97,79 @@ def signAll(self, verbose=None): | |
print(f'...done signing app in {time.time()-t0:.03f}s') | ||
sys.stdout.flush() | ||
|
||
def signSingleFile(self, filename, removeFailed=False, verbose=None, | ||
appFile=False): | ||
def signSingleFile(self, filename, removeFailed=False, verbose=None): | ||
"""Signs a single file (if it isn't already signed) | ||
Returns: | ||
True (success) | ||
list of warnings (partial success) | ||
False (failed) | ||
Params: | ||
filename | ||
removedFailed (bool): if True then try to remove files that don't sign | ||
verbose: increases printing level (although you can see the logs) | ||
""" | ||
|
||
# " . success\n" | ||
# " - failed (deleted)\n" | ||
# " X failed (couldn't delete) | ||
|
||
if verbose is None: | ||
verbose = self.verbose | ||
|
||
# is there already a valid signature? MUST overwrite or won't notarize | ||
# if self.signCheck(str(filename)) is True: # check actual boolean, not list of warnings | ||
# print('o', end='') | ||
# sys.stdout.flush() | ||
# return True | ||
|
||
# try signing it ourselves | ||
if not self._apple_id: | ||
raise ValueError('No identity provided for signing') | ||
cmd = ['codesign', str(filename), | ||
'--sign', self._team_id, | ||
'--sign', self._team_id, | ||
'--entitlements', str(ENTITLEMENTS), | ||
'--force', | ||
'--timestamp', | ||
# '--deep', # not recommended although used in most demos | ||
'--options', 'runtime', | ||
] | ||
cmdStr = ' '.join(cmd) | ||
logFile.write(f"{cmdStr}\n") | ||
if verbose: | ||
print(cmdStr) | ||
exitcode, output = subprocess.getstatusoutput(cmdStr) | ||
# if failed or verbose then give info | ||
if exitcode != 0 or ('failed' in output) or (verbose and output): | ||
if verbose and output: | ||
print(output) | ||
# if failed and removing then remove | ||
if (exitcode != 0 or 'failed' in output) and removeFailed: | ||
|
||
|
||
# CODESIGN SUCCESS | ||
if exitcode == 0 and not ('failed' in output): | ||
# successfully signed | ||
print('.', end='') | ||
sys.stdout.flush() | ||
# do a detailed check and return | ||
return self.signCheck(filename, verbose=False, removeFailed=removeFailed) | ||
|
||
# CODESIGN FAIL. Let's see if we can remove | ||
logFile.write(f"{output}\n") | ||
try: # remove the file because we couldn't sign it | ||
Path(filename).unlink() | ||
print(f"FILE (unknown): failed to codesign") | ||
return self.signCheck(filename, verbose=False, removeFailed=removeFailed) | ||
print('-', end='') | ||
logFile.write(f"FILE (unknown): failed to codesign and was removed\n") | ||
except: | ||
print('X', end='') | ||
logFile.write(f"\nFILE (unknown): failed to codesign and failed to remove\n") | ||
return | ||
|
||
def signCheck(self, filepath=None, verbose=False, strict=True, | ||
removeFailed=False): | ||
"""Checks whether a file is signed and returns a list of warnings""" | ||
"""Checks whether a file is signed and returns a list of warnings | ||
Returns: | ||
False if not signed at all | ||
A list of warnings if signed but with concerns (and these are printed) | ||
True if signed with no warnings found | ||
""" | ||
if not filepath: | ||
filepath = self.appFile | ||
# just check the details | ||
|
@@ -135,6 +181,9 @@ def signCheck(self, filepath=None, verbose=False, strict=True, | |
exitcode, output = subprocess.getstatusoutput(cmdStr) | ||
if verbose: | ||
print(f"Checking that codesign worked: {output}") | ||
|
||
if exitcode == 1: # indicates no valid signature | ||
return False | ||
|
||
# check for warnings | ||
warnings=[] | ||
|
@@ -148,7 +197,9 @@ def signCheck(self, filepath=None, verbose=False, strict=True, | |
if removeFailed: | ||
Path(filepath).unlink() | ||
print(f"REMOVED FILE {filepath}: failed to codesign") | ||
return warnings | ||
return warnings | ||
else: | ||
return True | ||
|
||
def upload(self, fileToNotarize): | ||
"""Uploads a file to Apple for notarizing""" | ||
|
@@ -232,6 +283,7 @@ def staple(self, filepath): | |
print(f"Staple successful. You can verify with\n xcrun stapler validate {filepath}") | ||
|
||
def dmgBuild(self): | ||
import dmgbuild | ||
dmgFilename = str(self.appFile).replace(".app", "_rw.dmg") | ||
appName = self.appFile.name | ||
print(f"building dmg file: {dmgFilename}") | ||
|
@@ -324,13 +376,13 @@ def main(): | |
action='store', required=False, default=defaultVersion) | ||
parser.add_argument("--file", help="path for a single file to be signed", | ||
action='store', required=False, default=None) | ||
parser.add_argument("--skipNotarize", help="path for a single file to be signed", | ||
parser.add_argument("--skipNotarize", help="Include this flag only if you want to skip", | ||
action='store', required=False, default=None) | ||
parser.add_argument("--runPreDmgBuild", help="Runs up until dmg is built (and notarised) then exits", | ||
parser.add_argument("--runPreDmgBuild", help="Runs up until dmg is built (and notarized) then exits", | ||
action='store', required=False, default='true') | ||
parser.add_argument("--runDmgBuild", help="Runs the dmg build itself", | ||
action='store', required=False, default='true') | ||
parser.add_argument("--runPostDmgBuild", help="Runs up until dmg is built (and notarised) then exits", | ||
parser.add_argument("--runPostDmgBuild", help="Runs up until dmg is built (and notarized) then exits", | ||
action='store', required=False, default='true') | ||
parser.add_argument("--teamId", help="ost id from apple for codesigning", | ||
action='store', required=False, default=None) | ||
|
@@ -388,15 +440,15 @@ def main(): | |
signer.signAll() | ||
signer.signCheck(verbose=False) | ||
|
||
if NOTARIZE and args.runDmgBuild: | ||
if args.runDmgBuild: | ||
print(signer.zipFile) | ||
if NOTARIZE: | ||
signer.upload(signer.zipFile) | ||
# build the read/writable dmg file while waiting for notarize | ||
signer.dmgBuild() | ||
# build the read/writable dmg file (while waiting for notarize) | ||
signer.dmgBuild() | ||
if NOTARIZE: | ||
# notarize and staple | ||
signer.awaitNotarized() | ||
elif args.runDmgBuild: | ||
# just build the dmg | ||
signer.dmgBuild() | ||
|
||
if args.runPostDmgBuild: | ||
signer.dmgStapleInside() # doesn't require UUID | ||
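Review bot: The new guard `if not self._apple_id: raise ValueError('No identity provided for signing')` in `signSingleFile` tests one attribute while the `--sign` argument two lines below is built from `self._team_id`, so an unset team id still reaches `codesign` unchecked; the guard should test the identity actually passed, `if not self._team_id:`, or the message should name the attribute it checks. The failure path at the end of the same method still uses a bare `except:` and a bare `return`, which contradicts the new docstring's `False (failed)` contract — a caller comparing the result to `False` sees `None`; catching `OSError` and returning `False` after both the removed and the could-not-remove branches would make the three documented outcomes real. The unchanged `cmdStr = ' '.join(cmd)` / `subprocess.getstatusoutput(cmdStr)` pair runs through a shell with no quoting, so a bundle path containing a space or a shell metacharacter is mis-parsed; `subprocess.run(cmd, capture_output=True, text=True)` on the list (with `shlex.join(cmd)` for the log line) keeps behaviour for ordinary paths and closes that hole. `signCheck` starts in the last lines of this hunk and continues outside it.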
|