openstudiocoalition
diff --git a/‎.github/workflows/app_build.yml
Lines changed: 193 additions & 22 deletions b/‎.github/workflows/app_build.yml
Lines changed: 193 additions & 22 deletions
diff --git a/‎CMake/CPackSignAndNotarizeDmg.cmake
Lines changed: 53 additions & 0 deletions b/‎CMake/CPackSignAndNotarizeDmg.cmake
Lines changed: 53 additions & 0 deletions
@@ -23,6 +23,9 @@ jobs:
   build:
     if: ${{ github.event_name == 'push' || !github.event.pull_request.draft }}
 
+    outputs:
+      OS_APP_VERSION: ${{ steps.parse_cmake_versions.outputs.OS_APP_VERSION }}
+
     runs-on: ${{ matrix.os }}
     continue-on-error: true
     strategy:
@@ -40,6 +43,7 @@ jobs:
           COMPRESSED_PKG_PATH: _CPack_Packages/Linux/TGZ
           QT_OS_NAME: linux
           QT_ARCH: gcc_64
+          arch: x86_64
         - os: ubuntu-22.04
           SELF_HOSTED: false
           PLATFORM_NAME: Linux
@@ -49,6 +53,7 @@ jobs:
           COMPRESSED_PKG_PATH: _CPack_Packages/Linux/TGZ
           QT_OS_NAME: linux
           QT_ARCH: gcc_64
+          arch: x86_64
         - os: windows-2022
           SELF_HOSTED: false
           PLATFORM_NAME: Windows
@@ -58,6 +63,7 @@ jobs:
           COMPRESSED_PKG_PATH: _CPack_Packages/win64/ZIP
           QT_OS_NAME: windows
           QT_ARCH: win64_msvc2019_64
+          arch: x86_64
         - os: macos-13
           SELF_HOSTED: false
           PLATFORM_NAME: Darwin
@@ -69,6 +75,7 @@ jobs:
           SDKROOT: /Applications/Xcode_15.0.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
           QT_OS_NAME: mac
           QT_ARCH: clang_64
+          arch: x86_64
         - os: macos-arm64
           SELF_HOSTED: true
           PLATFORM_NAME: Darwin
@@ -80,6 +87,7 @@ jobs:
           SDKROOT: /Applications/Xcode_15.0.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk
           QT_OS_NAME: mac
           QT_ARCH: arm_64
+          arch: arm64
 
     steps:
 
@@ -96,6 +104,7 @@ jobs:
         ruby-version: 3.2.2
 
     - name: Extract OSApp and OS SDK versions from CMakeLists.txt
+      id: parse_cmake_versions
       shell: bash
       run: |
         # This both prints the variables and adds them to GITHUB_ENV
@@ -190,33 +199,65 @@ jobs:
             rm /usr/local/lib/pkgconfig/libcrypto.pc
             rm /usr/local/lib/pkgconfig/libssl.pc
             rm /usr/local/lib/pkgconfig/openssl.pc
-
-            echo "Installing IFW"
-            curl -L -O https://download.qt.io/official_releases/qt-installer-framework/4.6.1/QtInstallerFramework-macOS-x64-4.6.1.dmg
-            hdiutil attach -mountpoint ./qtfiw_installer QtInstallerFramework-macOS-x64-4.6.1.dmg
-            echo "ls ./qtfiw_installer"
-            ls ./qtfiw_installer
-            echo "ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/"
-            ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/
-            echo "ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/"
-            ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/
-            echo "ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/MacOS"
-            ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/MacOS
-            echo "ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/Resources"
-            ls ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/Resources
-
-            sudo ./qtfiw_installer/QtInstallerFramework-macOS-x64-4.6.1.app/Contents/MacOS/QtInstallerFramework-macOS-x64-4.6.1 --verbose --script ./ci/install_script_qtifw.qs
-            ls ~
-            ls ~/Qt/ || true
-            ls ~/Qt/QtIFW-4.6.1 || true
-            echo "~/Qt/QtIFW-4.6.1/bin/" >> $GITHUB_PATH
           fi;
         fi;
 
         cmake --version
         ccache --show-config || true
         ccache --zero-stats || true
 
+    - name: "Configure for codesigning"
+      if: runner.os == 'macOS'
+      run: |
+        set -x
+        cd $RUNNER_TEMP
+        mkdir codesigning && cd codesigning
+        # ----- Create certificate files from secrets base64 -----
+        echo "${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64 }}" | base64 --decode > certificate_application.p12
+        echo "${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_BASE64 }}" | base64 --decode > certificate_installer.p12
+
+        # ----- Configure Keychain -----
+        KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+        security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH
+        # Unlock it for 6 hours
+        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+        security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH
+
+        # ----- Import certificates on Keychain -----
+        security import certificate_application.p12 -P '${{ secrets.MACOS_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_PASSWORD }}' -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security import certificate_installer.p12   -P '${{ secrets.MACOS_DEVELOPER_ID_INSTALLER_CERTIFICATE_P12_PASSWORD }}'   -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+        security list-keychain -d user -s $KEYCHAIN_PATH
+        security find-identity -vvvv $KEYCHAIN_PATH
+
+        # Add needed intermediary certificates
+        brew list aria2 || brew install aria2
+        aria2c https://www.apple.com/certificateauthority/AppleWWDRCAG2.cer
+        aria2c https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
+        security import AppleWWDRCAG2.cer -k $KEYCHAIN_PATH
+        security import DeveloperIDG2CA.cer -k $KEYCHAIN_PATH
+        security find-identity -vvvv $KEYCHAIN_PATH
+        security find-identity -v -p codesigning
+
+        # Store AppConnect credentials
+        echo "${{ secrets.NOTARIZATION_API_KEY }}" > AppConnect_Developer_API_Key.p8
+        xcrun notarytool store-credentials OpenStudioApplication \
+              --key AppConnect_Developer_API_Key.p8 \
+              --key-id ${{ secrets.NOTARIZATION_API_TEAM_ID }} \
+              --issuer ${{ secrets.NOTARIZATION_API_ISSUER_ID }} \
+              --keychain $KEYCHAIN_PATH
+
+        cd .. && rm -Rf codesigning
+
+        # Download my patched QtIFW
+        mkdir QtIFW && cd QtIFW
+        aria2c https://github.com/jmarrec/QtIFW-fixup/releases/download/v5.0.0-dev-with-fixup/QtIFW-5.0.0-${{ matrix.arch }}.zip
+        xattr -r -d com.apple.quarantine ./QtIFW-5.0.0-${{ matrix.arch }}.zip
+        unzip QtIFW-5.0.0-${{ matrix.arch }}.zip
+        rm -Rf ./*.zip
+        chmod +x *
+        ./installerbase --version
+        echo "$(pwd)" >> $GITHUB_PATH
+
     - name: Install conan
       shell: bash
       run: |
@@ -487,12 +528,24 @@ jobs:
               -DANALYTICS_MEASUREMENT_ID:STRING=${{ secrets.ANALYTICS_MEASUREMENT_ID }} -Dopenstudio_DIR:PATH=$OS_DIR
         fi
 
-        cmake --preset conan-release -DQT_INSTALL_DIR:PATH=${{ env.QT_INSTALL_DIR }} \
+        if [ "$RUNNER_OS" == "macOS" ]; then
+          cmake --preset conan-release -DQT_INSTALL_DIR:PATH=${{ env.QT_INSTALL_DIR }} \
               -DBUILD_DOCUMENTATION:BOOL=${{ env.BUILD_DOCUMENTATION }} \
               -DBUILD_PACKAGE:BOOL=${{ env.BUILD_PACKAGE }} \
               -DCPACK_BINARY_TGZ:BOOL=ON \
               -DANALYTICS_API_SECRET:STRING=${{ secrets.ANALYTICS_API_SECRET }} \
-              -DANALYTICS_MEASUREMENT_ID:STRING=${{ secrets.ANALYTICS_MEASUREMENT_ID }}
+              -DANALYTICS_MEASUREMENT_ID:STRING=${{ secrets.ANALYTICS_MEASUREMENT_ID }} \
+              -DCPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION:STRING="Developer ID Application: The Energy Coalition (UG9S5ZLM34)" \
+              -DCPACK_CODESIGNING_NOTARY_PROFILE_NAME:STRING=OpenStudioApplication \
+              -DCPACK_CODESIGNING_MACOS_IDENTIFIER:STRING=org.openstudiocoalition.OpenStudioApplication
+        else
+          cmake --preset conan-release -DQT_INSTALL_DIR:PATH=${{ env.QT_INSTALL_DIR }} \
+                -DBUILD_DOCUMENTATION:BOOL=${{ env.BUILD_DOCUMENTATION }} \
+                -DBUILD_PACKAGE:BOOL=${{ env.BUILD_PACKAGE }} \
+                -DCPACK_BINARY_TGZ:BOOL=ON \
+                -DANALYTICS_API_SECRET:STRING=${{ secrets.ANALYTICS_API_SECRET }} \
+                -DANALYTICS_MEASUREMENT_ID:STRING=${{ secrets.ANALYTICS_MEASUREMENT_ID }}
+        fi;
         cmake --build --preset conan-release --target package
         # Delete conan build and source folders
         conan cache clean --source --build --download --temp
@@ -555,6 +608,26 @@ jobs:
         name: OpenStudioApplication-${{ env.OS_APP_VERSION }}.${{ github.sha }}-${{ matrix.os }}.${{ env.COMPRESSED_EXT }}
         path: build/${{ matrix.COMPRESSED_PKG_PATH }}/*.${{ env.COMPRESSED_EXT }}
 
+    - name: Full Test Package signing for IFW and TGZ
+      if: runner.os == 'macOS'
+      working-directory: ./build
+      shell: bash
+      run: |
+        begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
+
+        begin_group "Full Check signature of _CPack_Packages for both IFW and TGZ"
+        python ../developer/python/verify_signature.py --verbose --only-generator IFW .
+        python ../developer/python/verify_signature.py --otool --otool-out-file otool_infos_cpack_tgz.json --verbose --only-generator TGZ .
+        echo "::endgroup::"
+
+    - name: Upload otool info as artifact
+      if: runner.os == 'macOS'
+      uses: actions/upload-artifact@v4
+      with:
+        name: otool_infos_cpack_${{ matrix.os }}_${{ matrix.arch }}
+        path: build/otool*json
+        if-no-files-found: error
+
     - name: Test
       working-directory: ./build
       shell: bash
@@ -628,3 +701,101 @@ jobs:
         /bin/rm OpenStudioApplication-*${{ env.COMPRESSED_EXT }} || true
         /bin/rm OpenStudioApplication-*${{ env.BINARY_EXT }} || true
         ls OpenStudioApplication-* || true
+
+
+  test_package_macos:
+    name: Test Built Package on macOS
+    needs: build
+    runs-on: ${{ matrix.os }}
+    strategy:
+      # fail-fast: Default is true, switch to false to allow one platform to fail and still run others
+      fail-fast: false
+      matrix:
+        os: [macos-13, macos-14]
+        include:
+        - os: macos-13
+          binary_os: macos-13
+          SELF_HOSTED: false
+          BINARY_EXT: dmg
+          COMPRESSED_EXT: tar.gz
+          arch: x86_64
+        # This is the GHA hosted one
+        - os: macos-14
+          binary_os: macos-arm64
+          SELF_HOSTED: false
+          BINARY_EXT: dmg
+          COMPRESSED_EXT: tar.gz
+          arch: arm64
+
+    steps:
+    - uses: actions/checkout@v4  # Still need code checked out to get testing scripts
+      with:
+        path: checkout
+
+    #- name: Gather Test Package from Artifacts
+    #  uses: actions/download-artifact@v4
+    #  with:
+    #    name: OpenStudioApplication-${{ needs.build.outputs.OS_APP_VERSION }}.${{ github.sha }}-${{ matrix.binary_os }}.${{ matrix.COMPRESSED_EXT }}
+    #    path: package
+
+    - name: Gather Dmg Package from Artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: OpenStudioApplication-${{ needs.build.outputs.OS_APP_VERSION }}.${{ github.sha }}-${{ matrix.binary_os }}.${{ matrix.BINARY_EXT }}
+        path: dmg
+
+    - name: Test Dmg Install and Package signing
+      working-directory: ./dmg
+      shell: bash
+      run: |
+        begin_group() { echo -e "::group::\033[93m$1\033[0m"; }
+
+        set -x
+
+        dmg=$(ls OpenStudioApplication-*.dmg)
+        begin_group "Checking Signature of .dmg"
+        spctl --assess --type open --context context:primary-signature -vvvv $dmg
+        echo "::endgroup::"
+
+        begin_group "Mounting Dmg, and checking signature of installer app"
+        mkdir temp_mount
+        hdiutil attach -mountpoint ./temp_mount/ $dmg
+        filename="${dmg%.*}"
+        spctl --assess --type open --context context:primary-signature -vvvv ./temp_mount/$filename.app
+        echo "::endgroup::"
+
+        begin_group "Installing"
+        sudo ./temp_mount/$filename.app/Contents/MacOS/$filename --accept-licenses --default-answer --confirm-command --root $(pwd)/test_install install
+        echo "::endgroup::"
+
+        begin_group "Quick Check signature of inner executables and binaries"
+        codesign -dvvv ./test_install/lib/libopenstudiolib.dylib
+        codesign -dvvv ./test_install/lib/libpythonengine.so
+        codesign -dvvv ./test_install/lib/librubyengine.so
+        codesign -dvvv ./test_install/EnergyPlus/energyplus
+        codesign -dvvv ./test_install/EnergyPlus/libenergyplusapi.dylib
+        codesign -dvvv ./test_install/EnergyPlus/libpython*.dylib
+        codesign -dvvv ./test_install/EnergyPlus/ExpandObjects
+        echo "::endgroup::"
+
+        begin_group "Full Check signature of installed DMG for all executables and resolve otool libraries"
+        python ../checkout/developer/python/verify_signature.py --otool --otool-out-file otool_info_dmg.json --verbose --install test_install
+        echo "::endgroup::"
+
+        begin_group "Running a simulation with python"
+        ./test_install/EnergyPlus/energyplus --help
+        cur_v=$(python -c "import sys; sys.path.insert(0, './test_install/EnergyPlus'); from pyenergyplus.func import EnergyPlusVersion; v = EnergyPlusVersion(); print(f'{v.ep_version_major}.{v.ep_version_minor}.{v.ep_version_patch}')")
+        aria2c https://raw.githubusercontent.com/NREL/EnergyPlus/v${cur_v}/testfiles/PythonPluginCustomSchedule.py
+        aria2c https://raw.githubusercontent.com/NREL/EnergyPlus/v${cur_v}/testfiles/PythonPluginCustomSchedule.idf
+        aria2c https://raw.githubusercontent.com/NREL/EnergyPlus/v${cur_v}/weather/USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw
+        ./test_install/EnergyPlus/energyplus -w USA_IL_Chicago-OHare.Intl.AP.725300_TMY3.epw -d out PythonPluginCustomSchedule.idf
+        echo "::endgroup::"
+
+        hdiutil detach ./temp_mount/
+
+    - name: Upload otool info as artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: otool_info_dmg_${{ matrix.os }}_${{ matrix.arch }}
+        path: dmg/otool*json
+        if-no-files-found: error
@@ -0,0 +1,53 @@
+#[=======================================================================[.rst:
+CPackSignAndNotarizeDmg
+-----------------------
+
+This file is meant to be used up as a ``CPACK_POST_BUILD_SCRIPTS``
+
+It will run only on ``APPLE`` when the generator is ``IFW`` to codesign the resulting .dmg and notarize it.
+
+To do so, it uses the `CodeSigning`_ functions :cmake:command:`codesign_files_macos`
+
+It requires that this be set: :cmake:variable:`CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION`
+
+And it will only notarize if this is set: :cmake:variable:`CPACK_CODESIGNING_NOTARY_PROFILE_NAME`
+
+#]=======================================================================]
+message(STATUS "The message from ${CMAKE_CURRENT_LIST_FILE} and generator ${CPACK_GENERATOR}")
+message(STATUS "Built packages: ${CPACK_PACKAGE_FILES}")
+
+if(APPLE AND CPACK_GENERATOR STREQUAL "IFW")
+
+  message(DEBUG "CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION=${CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION}")
+  message(DEBUG "CPACK_CODESIGNING_NOTARY_PROFILE_NAME=${CPACK_CODESIGNING_NOTARY_PROFILE_NAME}")
+  message(DEBUG "CPACK_IFW_PACKAGE_SIGNING_IDENTITY=${CPACK_IFW_PACKAGE_SIGNING_IDENTITY}")
+  message(DEBUG "CPACK_CODESIGNING_MACOS_IDENTIFIER=${CPACK_CODESIGNING_MACOS_IDENTIFIER}")
+
+  include(${CMAKE_CURRENT_LIST_DIR}/CodeSigning.cmake)
+
+  if(NOT CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION)
+    message(FATAL_ERROR "CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION is required, this should not have happened")
+  endif()
+  if(NOT CPACK_CODESIGNING_MACOS_IDENTIFIER)
+    message(FATAL_ERROR "CPACK_CODESIGNING_MACOS_IDENTIFIER is required, this should not have happened")
+  endif()
+
+  codesign_files_macos(
+    FILES ${CPACK_PACKAGE_FILES}
+    SIGNING_IDENTITY ${CPACK_CODESIGNING_DEVELOPPER_ID_APPLICATION}
+    IDENTIFIER "${CPACK_CODESIGNING_MACOS_IDENTIFIER}.DmgInstaller"
+    FORCE
+    VERBOSE
+  )
+
+  if(CPACK_CODESIGNING_NOTARY_PROFILE_NAME)
+    notarize_files_macos(
+      FILES ${CPACK_PACKAGE_FILES}
+      NOTARY_PROFILE_NAME ${CPACK_CODESIGNING_NOTARY_PROFILE_NAME}
+      STAPLE
+      VERIFY
+      VERBOSE
+    )
+  endif()
+
+endif()