-
Notifications
You must be signed in to change notification settings - Fork 24
167 lines (167 loc) · 6.32 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: CI
on: [push, pull_request, workflow_dispatch]
jobs:
build:
runs-on: ubuntu-22.04
strategy:
matrix:
python-version:
- '3.7'
- '3.8'
- '3.9'
- '3.10'
- '3.11'
- '3.12'
- '3.13'
# - '3.14.0-alpha - 3.14'
- pypy3.7
- pypy3.8
- pypy3.9
- pypy3.10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
submodules: true
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
sudo apt-get update # || sudo apt-get update
# sudo apt-get upgrade -y
sudo apt-get install -y apksigner
python3 -m pip install --upgrade pip
python3 -m pip install flake8 pylint coverage
- name: Install mypy
run: python3 -m pip install mypy
continue-on-error:
${{ contains(matrix.python-version, 'alpha') ||
contains(matrix.python-version, 'pypy') }}
- name: Install
run: make install
- name: Test
run: make test-cli doctest
- name: Lint
run: make lint
continue-on-error:
${{ contains(matrix.python-version, 'alpha') }}
- name: Extra lint
run: make lint-extra
continue-on-error:
${{ contains(matrix.python-version, 'alpha') ||
contains(matrix.python-version, 'pypy') }}
- name: Test coverage
run: make coverage
- name: Cache mastodon build
uses: actions/cache@v4
with:
path: mastodon-release-unsigned.apk
key: v1.1.3-20221121
- name: Cache mastodon download
uses: actions/cache@v4
with:
path: mastodon-release.apk
key: v1.1.3-20221121
- name: Build mastodon
run: |
set -x
if [ ! -e mastodon-release-unsigned.apk ]; then
sudo apt-get install -y openjdk-17-jdk-headless
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
git clone -b v1.1.3 https://github.com/mastodon/mastodon-android.git
cd mastodon-android
test "$( git rev-parse HEAD )" = 8b40643e6306edadebba2a08f017da7cf1d3bf6f
touch local.properties
./gradlew assembleRelease
mv mastodon/build/outputs/apk/release/mastodon-release-unsigned.apk ../
fi
- name: Download mastodon
run: |
set -x
[ -e mastodon-release.apk ] || wget -O mastodon-release.apk -- \
https://github.com/mastodon/mastodon-android/releases/download/v1.1.3/mastodon-release.apk
sha256sum -c <<< '1ec636336a79ada1a3526323c90bb9fbfe5dc32b2984bb724998b5f47c822165 mastodon-release.apk'
- name: Copy APK
run: |
set -x
cp mastodon-release-unsigned.apk signed-dummy.apk
cp mastodon-release-unsigned.apk signed-dummy-v1.apk
cp mastodon-release-unsigned.apk signed-dummy-jarsigner.apk
- name: Generate dummy keystore
run: |
set -x
keytool -genkey -keystore ci-ks -alias dummy -keyalg RSA \
-keysize 4096 -sigalg SHA512withRSA -validity 10000 \
-storepass dummy-password -dname CN=dummy
- name: Sign APKs
run: |
set -x
apksigner sign -v --ks ci-ks --ks-key-alias dummy \
--ks-pass pass:dummy-password signed-dummy.apk
apksigner sign -v --ks ci-ks --ks-key-alias dummy \
--ks-pass pass:dummy-password \
--v2-signing-enabled=false --v3-signing-enabled=false signed-dummy-v1.apk
PASS=dummy-password jarsigner -keystore ci-ks -storepass:env PASS \
-sigalg SHA256withRSA -digestalg SHA-256 signed-dummy-jarsigner.apk dummy
- name: Copy signatures (dummy)
run: |
set -x
mkdir meta-dummy
apksigcopier extract signed-dummy.apk meta-dummy
ls -hlA meta-dummy
apksigcopier patch meta-dummy mastodon-release-unsigned.apk patched-dummy.apk
apksigcopier copy signed-dummy.apk mastodon-release-unsigned.apk copied-dummy.apk
apksigcopier copy --v1-only=auto signed-dummy-v1.apk \
mastodon-release-unsigned.apk copied-dummy-v1.apk
apksigcopier copy --v1-only=yes signed-dummy-jarsigner.apk \
mastodon-release-unsigned.apk copied-dummy-jarsigner.apk
- name: Copy signatures (upstream)
run: |
set -x
mkdir meta-upstream
apksigcopier extract mastodon-release.apk meta-upstream
ls -hlA meta-upstream
cat meta-upstream/differences.json
apksigcopier patch meta-upstream mastodon-release-unsigned.apk patched-upstream.apk
apksigcopier copy mastodon-release.apk mastodon-release-unsigned.apk copied-upstream.apk
- name: Compare APKs (dummy)
run: |
set -x
cmp signed-dummy.apk patched-dummy.apk
cmp signed-dummy.apk copied-dummy.apk
cmp signed-dummy-v1.apk copied-dummy-v1.apk
cmp signed-dummy-jarsigner.apk copied-dummy-jarsigner.apk || true
- name: Compare APKs (upstream)
run: |
set -x
cmp mastodon-release.apk patched-upstream.apk
cmp mastodon-release.apk copied-upstream.apk
- name: Checksums
run: sha512sum *.apk | sort
- name: Verify APKs
run: |
set -x
for apk in mastodon-release.apk signed*.apk patched*.apk copied*.apk; do
if [[ "$apk" == *jarsigner* ]] || [[ "$apk" == *v1* ]]; then
jarsigner -verify -strict "$apk" || test $? = 4
else
apksigner verify --verbose --print-certs "$apk" | grep -v ^WARNING:
fi
done
- name: apksigcopier compare
run: |
set -x
apksigcopier compare mastodon-release.apk patched-upstream.apk
apksigcopier compare mastodon-release.apk copied-upstream.apk
apksigcopier compare mastodon-release.apk --unsigned mastodon-release-unsigned.apk
apksigcopier compare mastodon-release.apk signed-dummy.apk
apksigcopier compare mastodon-release.apk copied-dummy.apk
# copying from an APK v1-signed with signflinger to an APK
# signed with apksigner works, whereas the reverse fails
! apksigcopier compare signed-dummy.apk mastodon-release.apk
! apksigcopier compare copied-dummy.apk mastodon-release.apk
- name: Test APKs
run: make test-apks