Add local signing of extra files

Because we are currently building and signing things locally in a VM for MacOS, rather than shipping files to a signing server and then shipping them back, we sign the files in-place. This adds this capability to the ExtraFilesSigner class, and adds a new project parameter to specify that local signing should be used.

Author: nmburgan

lib/vanagon/platform/osx.rb

@@ -36,7 +36,8 @@ def generate_package(project) # rubocop:disable Metrics/AbcSize
         end
 
         if project.extra_files_to_sign.any?
-          sign_commands = Vanagon::Utilities::ExtraFilesSigner.commands(project, @mktemp, "/osx/build/root/#{project.name}-#{project.version}")
+          method = project.use_local_signing ? 'local_commands' : 'commands'
+          sign_commands = Vanagon::Utilities::ExtraFilesSigner.send(method, project, @mktemp, "/osx/build/root/#{project.name}-#{project.version}")
         else
           sign_commands = []
         end

lib/vanagon/project.rb

@@ -111,12 +111,11 @@ class Project
     attr_accessor :no_packaging
 
     # Extra files to sign
-    # Right now just supported on windows, useful for signing powershell scripts
-    # that need to be signed between build and MSI creation
     attr_accessor :extra_files_to_sign
     attr_accessor :signing_hostname
     attr_accessor :signing_username
     attr_accessor :signing_command
+    attr_accessor :use_local_signing
 
     # For creating reproducible builds
     attr_accessor :source_date_epoch
@@ -173,6 +172,7 @@ def initialize(name, platform) # rubocop:disable Metrics/AbcSize
       @signing_hostname = ''
       @signing_username = ''
       @signing_command = ''
+      @use_local_signing = false
       @source_date_epoch = (ENV['SOURCE_DATE_EPOCH'] || Time.now.utc).to_i
     end
 

lib/vanagon/project/dsl.rb

@@ -397,6 +397,14 @@ def signing_username(username)
       def signing_command(command)
         @project.signing_command = command
       end
+
+      # When true, run the signing commands locally rather than SSHing to a
+      # signing host.
+      #
+      # @param [Boolean] Whether to use local signing
+      def use_local_signing(var)
+        @project.use_local_signing = var
+      end
     end
   end
 end

lib/vanagon/utilities/extra_files_signer.rb

@@ -1,7 +1,53 @@
+require 'open3'
+
 class Vanagon
   module Utilities
     module ExtraFilesSigner
       class << self
+        RED = "\033[31m".freeze
+        GREEN = "\033[32m".freeze
+        RESET = "\033[0m".freeze
+
+        def run_command(cmd, silent: true, print_command: false, report_status: false)
+          puts "#{GREEN}Running #{cmd}#{RESET}" if print_command
+          output = ''
+          Open3.popen2e(cmd) do |_stdin, stdout_stderr, thread|
+            stdout_stderr.each do |line|
+              puts line unless silent
+              output += line
+            end
+            exitcode = thread.value.exitstatus
+            unless exitcode.zero?
+              err = "#{RED}Command failed! Command: #{cmd}, Exit code: #{exitcode}"
+              # Print details if we were running silent
+              err += "\nOutput:\n#{output}" if silent
+              err += RESET
+              abort err
+            end
+            puts "#{GREEN}Command finished with status #{exitcode}#{RESET}" if report_status
+          end
+          output.chomp
+        end
+
+        def local_commands(project, mktmp, source_dir)
+          commands = []
+          signing_script_path = File.join(run_command("#{mktmp} 2>/dev/null"), File.basename('sign_extra_file'))
+
+          project.extra_files_to_sign.each do |file|
+            commands += [
+              "echo '#{project.signing_command} #{file}' > #{signing_script_path}",
+              "/bin/bash #{signing_script_path}",
+            ]
+          end
+
+          commands
+        rescue RuntimeError
+          require 'vanagon/logger'
+          VanagonLogger.error "Error signing extra files: #{project.extra_files_to_sign.join(',')}"
+          raise if ENV['VANAGON_FORCE_SIGNING']
+          []
+        end
+
         def commands(project, mktemp, source_dir) # rubocop:disable Metrics/AbcSize
           tempdir = nil
           commands = []