SignPath signing #170

Workflow file for this run

.github/workflows/natives.yml at 93408b5

	# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
	# https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle

	name: Native Libraries

	on:
	push:
	branches:
	- '*'
	tags:
	- '[0-9]*'
	paths:
	- 'flatlaf-natives/**'
	- '.github/workflows/natives.yml'
	- 'gradle/wrapper/gradle-wrapper.properties'
	- '!**.md'
	- '!/.settings/'

	jobs:
	Natives:
	strategy:
	matrix:
	os:
	- windows-latest
	- macos-latest
	- ubuntu-latest
	- ubuntu-24.04-arm

	runs-on: ${{ matrix.os }}

	steps:
	- uses: actions/checkout@v4

	- uses: gradle/actions/wrapper-validation@v4

	- name: apt update (Linux)
	if: matrix.os == 'ubuntu-latest' \|\| matrix.os == 'ubuntu-24.04-arm'
	run: sudo apt-get update

	- name: install libxt-dev and libgtk-3-dev (Linux)
	if: matrix.os == 'ubuntu-latest' \|\| matrix.os == 'ubuntu-24.04-arm'
	run: sudo apt-get install libxt-dev libgtk-3-dev

	# - name: Download libgtk-3.so for arm64 (Linux)
	# if: matrix.os == 'ubuntu-latest'
	# working-directory: flatlaf-natives/flatlaf-natives-linux/lib/aarch64
	# run: \|
	# pwd
	# ls -l /usr/lib/x86_64-linux-gnu/libgtk*
	# wget --no-verbose https://ports.ubuntu.com/pool/main/g/gtk%2b3.0/libgtk-3-0_3.24.18-1ubuntu1_arm64.deb
	# ls -l
	# ar -x libgtk-3-0_3.24.18-1ubuntu1_arm64.deb data.tar.xz
	# tar -xvf data.tar.xz --wildcards --to-stdout "./usr/lib/aarch64-linux-gnu/libgtk-3.so.0.*" > libgtk-3.so
	# rm libgtk-3-0_3.24.18-1ubuntu1_arm64.deb data.tar.xz
	# ls -l

	# - name: install g++-aarch64-linux-gnu (Linux)
	# if: matrix.os == 'ubuntu-latest'
	# run: sudo apt-get install g++-aarch64-linux-gnu

	- name: Setup Java 21
	uses: actions/setup-java@v4
	with:
	java-version: 21
	distribution: temurin

	- name: Cache Gradle
	uses: ./.github/actions/cache-gradle

	- name: Build with Gradle
	# --no-daemon is necessary on Windows otherwise caching Gradle would fail with:
	# tar.exe: Couldn't open ~/.gradle/caches/modules-2/modules-2.lock: Permission denied
	run: ./gradlew build-natives --no-daemon

	- name: Upload unsigned Windows DLLs for signing by SignPath.org
	if: matrix.os == 'windows-latest' && github.repository == 'JFormDesigner/FlatLaf'
	id: windows-unsigned
	uses: actions/upload-artifact@v4
	with:
	name: FlatLaf-natives-windows-unsigned
	path: flatlaf-natives/flatlaf-natives-windows/build/lib/main/release/*/.dll

	- name: Sign Windows DLLs using SignPath.org
	if: matrix.os == 'windows-latest' && github.repository == 'JFormDesigner/FlatLaf'
	uses: signpath/github-action-submit-signing-request@v2
	with:
	api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
	organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
	project-slug: FlatLaf
	signing-policy-slug: release-signing
	artifact-configuration-slug: windows-dlls
	github-artifact-id: ${{ steps.windows-unsigned.outputs.artifact-id }}
	wait-for-completion: true
	output-artifact-directory: flatlaf-natives/flatlaf-natives-windows/build/lib/signed

	- name: Copy signed Windows DLLs to flatlaf-core
	if: matrix.os == 'windows-latest' && github.repository == 'JFormDesigner/FlatLaf'
	shell: bash
	run: \|
	SRC=flatlaf-natives/flatlaf-natives-windows/build/lib/signed
	DEST=flatlaf-core/src/main/resources/com/formdev/flatlaf/natives
	cp $SRC/aarch64/flatlaf-natives-windows.dll $DEST/flatlaf-windows-arm64.dll
	cp $SRC/x86/flatlaf-natives-windows.dll $DEST/flatlaf-windows-x86.dll
	cp $SRC/x86-64/flatlaf-natives-windows.dll $DEST/flatlaf-windows-x86_64.dll

	- name: Sign macOS natives
	if: matrix.os == 'DISABLED--macos-latest'
	env:
	CERT_BASE64: ${{ secrets.CODE_SIGN_CERT_BASE64 }}
	CERT_PASSWORD: ${{ secrets.CODE_SIGN_CERT_PASSWORD }}
	CERT_IDENTITY: ${{ secrets.CODE_SIGN_CERT_IDENTITY }}
	run: \|
	# https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/cert.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db
	KEYCHAIN_PASSWORD=$CERT_PASSWORD
	# decode certificate
	printenv CERT_BASE64 \| base64 --decode > $CERTIFICATE_PATH
	# create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	# set partition list (required for codesign)
	security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	# add keychain to keychain search list
	security list-keychains -d user -s $KEYCHAIN_PATH
	# sign code
	codesign --sign "$CERT_IDENTITY" --force --verbose=4 --timestamp \
	flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib
	codesign --display --verbose=4 flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib
	# cleanup
	security delete-keychain $KEYCHAIN_PATH

	- name: Set artifacts pattern for upload step
	shell: bash
	run: \|
	case ${{ matrix.os }} in
	windows-latest) echo "artifactPattern=flatlaf-windows-*.dll" >> $GITHUB_ENV ;;
	macos-latest) echo "artifactPattern=libflatlaf-macos-*.dylib" >> $GITHUB_ENV ;;
	ubuntu-latest) echo "artifactPattern=libflatlaf-linux-x86_64.so" >> $GITHUB_ENV ;;
	ubuntu-24.04-arm) echo "artifactPattern=libflatlaf-linux-arm64.so" >> $GITHUB_ENV ;;
	esac

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: FlatLaf-natives-build-artifacts-${{ matrix.os }}
	path: \|
	flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/${{ env.artifactPattern }}
	flatlaf-natives/flatlaf-natives-*/build

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SignPath signing #170

Workflow file

SignPath signing #170

Uh oh!

Workflow file for this run