nix: build unsigned Android APK, sign separately
This has several benefits: * Less abuse of `extra-sandbox-paths` Nix option * Less inputs to the Android release build derivation * Easier for users to sign the build themselves * Simplification of `scripts/release-android.sh` * Preparation for building using Nix Flakes The only two remaining credentials passed via `extra-sandbox-paths` is the Infura and OpenSea API keys, and there is no way around that other than passing them via Nix arguments, but that would cause them to end up in `/nix/store` as part of `.drv` files. I'm also renaming `release-fdroid` to `build-fdroid` to be consistent. Depends on: https://github.com/status-im/status-jenkins-lib/pull/42 Signed-off-by: Jakub Sokołowski <jakub@status.im>
This commit is contained in:
parent
8a01d02135
commit
acfa73ab43
50
Makefile
50
Makefile
|
@ -32,10 +32,12 @@ ifndef BUILD_TAG
|
||||||
export BUILD_TAG := $(shell git rev-parse --short HEAD)
|
export BUILD_TAG := $(shell git rev-parse --short HEAD)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# We don't want to use /run/user/$UID because it runs out of space too easilly
|
# We don't want to use /run/user/$UID because it runs out of space too easilly.
|
||||||
export TMPDIR = /tmp/tmp-status-react-$(BUILD_TAG)
|
export TMPDIR = /tmp/tmp-status-react-$(BUILD_TAG)
|
||||||
# this has to be specified for both the Node.JS server process and the Qt process
|
# This has to be specified for both the Node.JS server process and the Qt process.
|
||||||
export REACT_SERVER_PORT ?= 5001
|
export REACT_SERVER_PORT ?= 5001
|
||||||
|
# The path can be anything, but home is usually safest.
|
||||||
|
export KEYSTORE_PATH ?= $(HOME)/.gradle/status-im.keystore
|
||||||
|
|
||||||
# Our custom config is located in nix/nix.conf
|
# Our custom config is located in nix/nix.conf
|
||||||
export NIX_CONF_DIR = $(PWD)/nix
|
export NIX_CONF_DIR = $(PWD)/nix
|
||||||
|
@ -153,11 +155,12 @@ update-fleets: ##@prepare Download up-to-date JSON file with current fleets stat
|
||||||
| jq --indent 4 --sort-keys . \
|
| jq --indent 4 --sort-keys . \
|
||||||
> resources/config/fleets.json
|
> resources/config/fleets.json
|
||||||
|
|
||||||
keystore: export TARGET := keytool
|
$(KEYSTORE_PATH): export TARGET := keytool
|
||||||
keystore: export KEYSTORE_PATH ?= $(HOME)/.gradle/status-im.keystore
|
$(KEYSTORE_PATH):
|
||||||
keystore: ##@prepare Generate a Keystore for signing Android APKs
|
|
||||||
@./scripts/generate-keystore.sh
|
@./scripts/generate-keystore.sh
|
||||||
|
|
||||||
|
keystore: $(KEYSTORE_PATH) ##@prepare Generate a Keystore for signing Android APKs
|
||||||
|
|
||||||
fdroid-max-watches: SHELL := /bin/sh
|
fdroid-max-watches: SHELL := /bin/sh
|
||||||
fdroid-max-watches: ##@prepare Bump max_user_watches to avoid ENOSPC errors
|
fdroid-max-watches: ##@prepare Bump max_user_watches to avoid ENOSPC errors
|
||||||
sysctl fs.inotify.max_user_watches=524288
|
sysctl fs.inotify.max_user_watches=524288
|
||||||
|
@ -190,23 +193,26 @@ xcode-clean: ##@prepare Clean XCode derived data and archives
|
||||||
#----------------
|
#----------------
|
||||||
release: release-android release-ios ##@build Build release for Android and iOS
|
release: release-android release-ios ##@build Build release for Android and iOS
|
||||||
|
|
||||||
release-android: export BUILD_ENV ?= prod
|
build-fdroid: export BUILD_ENV = prod
|
||||||
release-android: export BUILD_TYPE ?= nightly
|
build-fdroid: export BUILD_TYPE = release
|
||||||
release-android: export BUILD_NUMBER ?= $(TMP_BUILD_NUMBER)
|
build-fdroid: export ANDROID_ABI_SPLIT = false
|
||||||
release-android: export KEYSTORE_PATH ?= $(HOME)/.gradle/status-im.keystore
|
build-fdroid: export ANDROID_ABI_INCLUDE = armeabi-v7a;arm64-v8a;x86;x86_64
|
||||||
release-android: export ANDROID_APK_SIGNED ?= true
|
build-fdroid: ##@build Build release for F-Droid
|
||||||
release-android: export ANDROID_ABI_SPLIT ?= false
|
@scripts/build-android.sh
|
||||||
release-android: export ANDROID_ABI_INCLUDE ?= armeabi-v7a;arm64-v8a;x86
|
|
||||||
release-android: keystore ##@build Build release for Android
|
|
||||||
scripts/release-android.sh
|
|
||||||
|
|
||||||
release-fdroid: export BUILD_ENV = prod
|
build-android: SHELL := /bin/sh
|
||||||
release-fdroid: export BUILD_TYPE = release
|
build-android: export BUILD_ENV ?= prod
|
||||||
release-fdroid: export ANDROID_APK_SIGNED = false
|
build-android: export BUILD_TYPE ?= nightly
|
||||||
release-fdroid: export ANDROID_ABI_SPLIT = false
|
build-android: export BUILD_NUMBER ?= $(TMP_BUILD_NUMBER)
|
||||||
release-fdroid: export ANDROID_ABI_INCLUDE = armeabi-v7a;arm64-v8a;x86;x86_64
|
build-android: export ANDROID_ABI_SPLIT ?= false
|
||||||
release-fdroid: ##@build Build release for F-Droid
|
build-android: export ANDROID_ABI_INCLUDE ?= armeabi-v7a;arm64-v8a;x86
|
||||||
scripts/release-android.sh
|
build-android: ##@build Build unsigned Android APK
|
||||||
|
@scripts/build-android.sh
|
||||||
|
|
||||||
|
release-android: export TARGET := keytool
|
||||||
|
release-android: export KEYSTORE_PATH ?= $(HOME)/.gradle/status-im.keystore
|
||||||
|
release-android: keystore build-android ##@build Build signed Android APK
|
||||||
|
@scripts/sign-android.sh result/app-release-unsigned.apk
|
||||||
|
|
||||||
release-ios: export TARGET := ios
|
release-ios: export TARGET := ios
|
||||||
release-ios: export BUILD_ENV ?= prod
|
release-ios: export BUILD_ENV ?= prod
|
||||||
|
@ -221,7 +227,7 @@ jsbundle-android: export BUILD_ENV ?= prod
|
||||||
jsbundle-android: ##@jsbundle Compile JavaScript and Clojurescript into app directory
|
jsbundle-android: ##@jsbundle Compile JavaScript and Clojurescript into app directory
|
||||||
# Call nix-build to build the 'targets.mobile.android.jsbundle' attribute and copy the.js files to the project root
|
# Call nix-build to build the 'targets.mobile.android.jsbundle' attribute and copy the.js files to the project root
|
||||||
nix/scripts/build.sh targets.mobile.android.jsbundle && \
|
nix/scripts/build.sh targets.mobile.android.jsbundle && \
|
||||||
mv result/* ./
|
mv result/*.js ./
|
||||||
|
|
||||||
jsbundle-ios: export TARGET := ios
|
jsbundle-ios: export TARGET := ios
|
||||||
jsbundle-ios: export BUILD_ENV ?= prod
|
jsbundle-ios: export BUILD_ENV ?= prod
|
||||||
|
|
|
@ -229,23 +229,6 @@ android {
|
||||||
jumboMode true
|
jumboMode true
|
||||||
javaMaxHeapSize "8g"
|
javaMaxHeapSize "8g"
|
||||||
}
|
}
|
||||||
signingConfigs {
|
|
||||||
debug {
|
|
||||||
storeFile file('debug.keystore')
|
|
||||||
storePassword 'android'
|
|
||||||
keyAlias 'androiddebugkey'
|
|
||||||
keyPassword 'android'
|
|
||||||
}
|
|
||||||
/* Caution! In production, you need to generate your own keystore file.
|
|
||||||
* See: https://facebook.github.io/react-native/docs/signed-apk-android */
|
|
||||||
release {
|
|
||||||
/* environment variables take precedence over gradle.properties file */
|
|
||||||
storeFile file(getEnvOrConfig('KEYSTORE_PATH').replaceAll("~", System.properties['user.home']))
|
|
||||||
storePassword getEnvOrConfig('KEYSTORE_PASSWORD')
|
|
||||||
keyAlias getEnvOrConfig('KEYSTORE_ALIAS')
|
|
||||||
keyPassword getEnvOrConfig('KEYSTORE_KEY_PASSWORD')
|
|
||||||
}
|
|
||||||
}
|
|
||||||
splits {
|
splits {
|
||||||
abi {
|
abi {
|
||||||
reset()
|
reset()
|
||||||
|
@ -254,20 +237,26 @@ android {
|
||||||
universalApk true
|
universalApk true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
signingConfigs {
|
||||||
|
debug {
|
||||||
|
storeFile file('debug.keystore')
|
||||||
|
storePassword 'android'
|
||||||
|
keyAlias 'androiddebugkey'
|
||||||
|
keyPassword 'android'
|
||||||
|
}
|
||||||
|
}
|
||||||
buildTypes {
|
buildTypes {
|
||||||
debug {
|
debug {
|
||||||
applicationIdSuffix ".debug"
|
applicationIdSuffix ".debug"
|
||||||
debuggable true
|
debuggable true
|
||||||
versionNameSuffix "-SNAPSHOT"
|
versionNameSuffix "-SNAPSHOT"
|
||||||
signingConfig signingConfigs.debug
|
|
||||||
resValue "string", "build_config_package", "im.status.ethereum"
|
resValue "string", "build_config_package", "im.status.ethereum"
|
||||||
|
signingConfig signingConfigs.debug
|
||||||
}
|
}
|
||||||
release {
|
release {
|
||||||
minifyEnabled enableProguardInReleaseBuilds
|
minifyEnabled enableProguardInReleaseBuilds
|
||||||
proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"
|
proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"
|
||||||
if (getEnvOrConfig('ANDROID_APK_SIGNED').toBoolean()) {
|
signingConfig null
|
||||||
signingConfig signingConfigs.release
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
pr {
|
pr {
|
||||||
initWith release
|
initWith release
|
||||||
|
|
|
@ -42,8 +42,6 @@ KEYSTORE_KEY_PASSWORD=password
|
||||||
ANDROID_ABI_SPLIT=false
|
ANDROID_ABI_SPLIT=false
|
||||||
# Some platforms are excluded though
|
# Some platforms are excluded though
|
||||||
ANDROID_ABI_INCLUDE=armeabi-v7a;arm64-v8a;x86
|
ANDROID_ABI_INCLUDE=armeabi-v7a;arm64-v8a;x86
|
||||||
# F-Droid builds need to be unsigned
|
|
||||||
ANDROID_APK_SIGNED=true
|
|
||||||
|
|
||||||
org.gradle.jvmargs=-Xmx8704M
|
org.gradle.jvmargs=-Xmx8704M
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label 'linux && x86_64 && nix-2.8' }
|
agent { label 'linux && x86_64 && nix-2.8' }
|
||||||
|
@ -81,6 +81,11 @@ pipeline {
|
||||||
script { apks = android.bundle() }
|
script { apks = android.bundle() }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
stage('Sign') {
|
||||||
|
steps {
|
||||||
|
script { apks = android.sign(apks) }
|
||||||
|
}
|
||||||
|
}
|
||||||
} }
|
} }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label 'linux' }
|
agent { label 'linux' }
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label 'macos && x86_64 && nix-2.8 && xcode-13.3' }
|
agent { label 'macos && x86_64 && nix-2.8 && xcode-13.3' }
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label params.AGENT_LABEL }
|
agent { label params.AGENT_LABEL }
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label 'macos' }
|
agent { label 'macos' }
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
library 'status-jenkins-lib@v1.4.2'
|
library 'status-jenkins-lib@v1.4.3'
|
||||||
|
|
||||||
pipeline {
|
pipeline {
|
||||||
agent { label 'linux' }
|
agent { label 'linux' }
|
||||||
|
|
|
@ -19,7 +19,6 @@ Here is a sample structure of the `config` attribute set:
|
||||||
build-number = 9999; # Used for versionCode and CFBundleVersion in Android and iOS respectively
|
build-number = 9999; # Used for versionCode and CFBundleVersion in Android and iOS respectively
|
||||||
android = {
|
android = {
|
||||||
gradle-opts = ""; # Gradle options passed for Android builds
|
gradle-opts = ""; # Gradle options passed for Android builds
|
||||||
keystore-path = ""; # Path to keystore for signing the APK
|
|
||||||
abi-split = false; # If APKs should be split based on architectures
|
abi-split = false; # If APKs should be split based on architectures
|
||||||
abi-include = "x86"; # Android architectures to build for
|
abi-include = "x86"; # Android architectures to build for
|
||||||
};
|
};
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
|
|
||||||
android = {
|
android = {
|
||||||
gradle-opts = null; # Gradle options passed for Android builds
|
gradle-opts = null; # Gradle options passed for Android builds
|
||||||
keystore-path = null; # Path to keystore for signing the APK
|
|
||||||
apk-signed = true; # F-Droid builds aren't signed by us
|
apk-signed = true; # F-Droid builds aren't signed by us
|
||||||
abi-split = false; # If APKs should be split based on architectures
|
abi-split = false; # If APKs should be split based on architectures
|
||||||
abi-include = "armeabi-v7a;arm64-v8a;x86"; # Android architectures to build for
|
abi-include = "armeabi-v7a;arm64-v8a;x86"; # Android architectures to build for
|
||||||
|
|
|
@ -2,9 +2,6 @@
|
||||||
, status-go, androidPkgs, androidShell }:
|
, status-go, androidPkgs, androidShell }:
|
||||||
|
|
||||||
let
|
let
|
||||||
# For generating a temporary keystore for local development
|
|
||||||
keystore = callPackage ./keystore.nix { };
|
|
||||||
|
|
||||||
# Import a jsbundle compiled out of clojure codebase
|
# Import a jsbundle compiled out of clojure codebase
|
||||||
jsbundle = callPackage ./jsbundle { };
|
jsbundle = callPackage ./jsbundle { };
|
||||||
|
|
||||||
|
@ -13,12 +10,12 @@ let
|
||||||
|
|
||||||
# TARGETS
|
# TARGETS
|
||||||
release = callPackage ./release.nix {
|
release = callPackage ./release.nix {
|
||||||
inherit keystore jsbundle status-go watchmanFactory;
|
inherit jsbundle status-go watchmanFactory;
|
||||||
};
|
};
|
||||||
|
|
||||||
in {
|
in {
|
||||||
# TARGETS
|
# TARGETS
|
||||||
inherit keystore release jsbundle;
|
inherit release jsbundle;
|
||||||
|
|
||||||
shell = mkShell {
|
shell = mkShell {
|
||||||
buildInputs = with pkgs; [
|
buildInputs = with pkgs; [
|
||||||
|
|
|
@ -1,44 +0,0 @@
|
||||||
#
|
|
||||||
# Generates an ad-hoc and temporary keystore for signing debug/pr builds.
|
|
||||||
#
|
|
||||||
# WARNING: Do NOT use this to make a keystore that needs to be secret!
|
|
||||||
# Using a derivation will store the inputs in a .drv file.
|
|
||||||
#
|
|
||||||
{ stdenv, lib, pkgs }:
|
|
||||||
|
|
||||||
let
|
|
||||||
inherit (lib) getAttr;
|
|
||||||
|
|
||||||
gradleProps = pkgs.gradlePropParser ../../../android/gradle.properties;
|
|
||||||
|
|
||||||
# Loading defaults from gradle.properties which should be safe.
|
|
||||||
KEYSTORE_ALIAS = getAttr "KEYSTORE_ALIAS" gradleProps;
|
|
||||||
KEYSTORE_PASSWORD = getAttr "KEYSTORE_PASSWORD" gradleProps;
|
|
||||||
KEYSTORE_KEY_PASSWORD = getAttr "KEYSTORE_KEY_PASSWORD" gradleProps;
|
|
||||||
|
|
||||||
in stdenv.mkDerivation {
|
|
||||||
name = "status-react-android-keystore";
|
|
||||||
|
|
||||||
buildInputs = [ pkgs.openjdk8 ];
|
|
||||||
|
|
||||||
phases = [ "generatePhase" ];
|
|
||||||
generatePhase = ''
|
|
||||||
keytool -genkey -v \
|
|
||||||
-keyalg RSA \
|
|
||||||
-keysize 2048 \
|
|
||||||
-validity 10000 \
|
|
||||||
-deststoretype pkcs12 \
|
|
||||||
-dname "CN=, OU=, O=, L=, S=, C=" \
|
|
||||||
-keystore "$out" \
|
|
||||||
-alias "${KEYSTORE_ALIAS}" \
|
|
||||||
-storepass "${KEYSTORE_PASSWORD}" \
|
|
||||||
-keypass "${KEYSTORE_KEY_PASSWORD}" \
|
|
||||||
>&2
|
|
||||||
'';
|
|
||||||
|
|
||||||
shellHook = ''
|
|
||||||
export KEYSTORE_ALIAS="${KEYSTORE_ALIAS}"
|
|
||||||
export KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD}"
|
|
||||||
export KEYSTORE_KEY_PASSWORD="${KEYSTORE_KEY_PASSWORD}"
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ stdenv, pkgs, deps, lib, config, callPackage,
|
{ stdenv, pkgs, deps, lib, config, callPackage,
|
||||||
watchmanFactory, androidPkgs, patchMavenSources,
|
watchmanFactory, androidPkgs, patchMavenSources,
|
||||||
keystore, jsbundle, status-go }:
|
jsbundle, status-go }:
|
||||||
|
|
||||||
{
|
{
|
||||||
# Value for BUILD_ENV checked by Clojure code at compile time
|
# Value for BUILD_ENV checked by Clojure code at compile time
|
||||||
|
@ -28,9 +28,6 @@ let
|
||||||
gradleOpts = getConfig "android.gradle-opts" null;
|
gradleOpts = getConfig "android.gradle-opts" null;
|
||||||
# Used to detect end-to-end builds
|
# Used to detect end-to-end builds
|
||||||
androidAbiInclude = getConfig "android.abi-include" "armeabi-v7a;arm64-v8a;x86";
|
androidAbiInclude = getConfig "android.abi-include" "armeabi-v7a;arm64-v8a;x86";
|
||||||
# Keystore can be provided via config and extra-sandbox-paths.
|
|
||||||
# If it is not we use an ad-hoc one generated with default password.
|
|
||||||
keystorePath = getConfig "android.keystore-path" keystore;
|
|
||||||
|
|
||||||
baseName = "${buildType}-android";
|
baseName = "${buildType}-android";
|
||||||
name = "status-react-build-${baseName}";
|
name = "status-react-build-${baseName}";
|
||||||
|
@ -76,7 +73,6 @@ in stdenv.mkDerivation rec {
|
||||||
|
|
||||||
# custom env variables derived from config
|
# custom env variables derived from config
|
||||||
STATUS_GO_SRC_OVERRIDE = getConfig "status-go.src-override" null;
|
STATUS_GO_SRC_OVERRIDE = getConfig "status-go.src-override" null;
|
||||||
ANDROID_APK_SIGNED = getConfig "android.apk-signed" "true";
|
|
||||||
ANDROID_ABI_SPLIT = getConfig "android.abi-split" "false";
|
ANDROID_ABI_SPLIT = getConfig "android.abi-split" "false";
|
||||||
ANDROID_ABI_INCLUDE = androidAbiInclude;
|
ANDROID_ABI_INCLUDE = androidAbiInclude;
|
||||||
|
|
||||||
|
@ -88,8 +84,7 @@ in stdenv.mkDerivation rec {
|
||||||
STATUS_GO_ANDROID_LIBDIR = status-go { inherit secretsFile; };
|
STATUS_GO_ANDROID_LIBDIR = status-go { inherit secretsFile; };
|
||||||
|
|
||||||
phases = [
|
phases = [
|
||||||
"unpackPhase" "secretsPhase" "keystorePhase"
|
"unpackPhase" "secretsPhase" "buildPhase" "checkPhase" "installPhase"
|
||||||
"buildPhase" "checkPhase" "installPhase"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
unpackPhase = ''
|
unpackPhase = ''
|
||||||
|
@ -120,21 +115,13 @@ in stdenv.mkDerivation rec {
|
||||||
${patchMavenSources} ./android/build.gradle
|
${patchMavenSources} ./android/build.gradle
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# if secretsFile is not set we use generate keystore
|
# Secrets file is passed to sandbox using extra-sandbox-paths.
|
||||||
secretsPhase = if (secretsFile != "") then ''
|
secretsPhase = if (secretsFile != "") then ''
|
||||||
source "${secretsFile}"
|
source "${secretsFile}"
|
||||||
${checkEnvVarSet "KEYSTORE_ALIAS"}
|
'' else ''
|
||||||
${checkEnvVarSet "KEYSTORE_PASSWORD"}
|
echo 'WARNING: No secrets provided!' >&2
|
||||||
${checkEnvVarSet "KEYSTORE_KEY_PASSWORD"}
|
|
||||||
'' else keystore.shellHook;
|
|
||||||
|
|
||||||
# if keystorePath is set copy it into build directory
|
|
||||||
keystorePhase =
|
|
||||||
assert assertMsg (keystorePath != null) "keystorePath has to be set!";
|
|
||||||
''
|
|
||||||
export KEYSTORE_PATH="$PWD/status-im.keystore"
|
|
||||||
cp -a --no-preserve=ownership "${keystorePath}" "$KEYSTORE_PATH"
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
buildPhase = let
|
buildPhase = let
|
||||||
adhocEnvVars = optionalString stdenv.isLinux
|
adhocEnvVars = optionalString stdenv.isLinux
|
||||||
"LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${makeLibraryPath [ pkgs.zlib ]}";
|
"LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${makeLibraryPath [ pkgs.zlib ]}";
|
||||||
|
|
|
@ -58,7 +58,7 @@ nixOpts=(
|
||||||
${GIT_ROOT}/nix/scripts/gcroots.sh "${TARGET}" "${@}"
|
${GIT_ROOT}/nix/scripts/gcroots.sh "${TARGET}" "${@}"
|
||||||
|
|
||||||
# Run the actual build
|
# Run the actual build
|
||||||
echo "Running: nix-build "${nixOpts[@]}" "${@}" default.nix"
|
echo "${GRN}Running:${RST} nix-build "${nixOpts[@]}" "${@}" default.nix"
|
||||||
nixResultPath=$(nix-build "${nixOpts[@]}" "${@}" default.nix)
|
nixResultPath=$(nix-build "${nixOpts[@]}" "${@}" default.nix)
|
||||||
|
|
||||||
echo -e "\n${YLW}Extracting result${RST}: ${BLD}${nixResultPath}${RST}"
|
echo -e "\n${YLW}Extracting result${RST}: ${BLD}${nixResultPath}${RST}"
|
||||||
|
|
|
@ -58,7 +58,7 @@ let
|
||||||
|
|
||||||
# for 'scripts/generate-keystore.sh'
|
# for 'scripts/generate-keystore.sh'
|
||||||
keytool = mkShell {
|
keytool = mkShell {
|
||||||
buildInputs = with pkgs; [ openjdk8 ];
|
buildInputs = with pkgs; [ openjdk8 apksigner ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# for targets that need 'adb' and other SDK/NDK tools
|
# for targets that need 'adb' and other SDK/NDK tools
|
||||||
|
|
|
@ -26,13 +26,9 @@ config=''
|
||||||
if [[ -n "${STATUS_GO_SRC_OVERRIDE}" ]]; then
|
if [[ -n "${STATUS_GO_SRC_OVERRIDE}" ]]; then
|
||||||
config+="status-im.status-go.src-override=\"${STATUS_GO_SRC_OVERRIDE}\";"
|
config+="status-im.status-go.src-override=\"${STATUS_GO_SRC_OVERRIDE}\";"
|
||||||
fi
|
fi
|
||||||
if [[ "${ANDROID_APK_SIGNED}" == "true" ]]; then
|
|
||||||
config+="status-im.android.keystore-path=\"$(must_get_env KEYSTORE_PATH)\";"
|
|
||||||
fi
|
|
||||||
config+="status-im.commit-hash=\"$(git rev-parse --verify HEAD)\";"
|
config+="status-im.commit-hash=\"$(git rev-parse --verify HEAD)\";"
|
||||||
config+="status-im.build-type=\"$(must_get_env BUILD_TYPE)\";"
|
config+="status-im.build-type=\"$(must_get_env BUILD_TYPE)\";"
|
||||||
config+="status-im.build-number=\"$(must_get_env BUILD_NUMBER)\";"
|
config+="status-im.build-number=\"$(must_get_env BUILD_NUMBER)\";"
|
||||||
config+="status-im.android.apk-signed=\"$(must_get_env ANDROID_APK_SIGNED)\";"
|
|
||||||
config+="status-im.android.abi-split=\"$(must_get_env ANDROID_ABI_SPLIT)\";"
|
config+="status-im.android.abi-split=\"$(must_get_env ANDROID_ABI_SPLIT)\";"
|
||||||
config+="status-im.android.abi-include=\"$(must_get_env ANDROID_ABI_INCLUDE)\";"
|
config+="status-im.android.abi-include=\"$(must_get_env ANDROID_ABI_INCLUDE)\";"
|
||||||
nixOpts=()
|
nixOpts=()
|
||||||
|
@ -42,19 +38,10 @@ export SECRETS_FILE_PATH=$(mktemp)
|
||||||
chmod 644 ${SECRETS_FILE_PATH}
|
chmod 644 ${SECRETS_FILE_PATH}
|
||||||
# If secrets file was created we want to remove it.
|
# If secrets file was created we want to remove it.
|
||||||
trap "rm -vf ${SECRETS_FILE_PATH}" EXIT ERR INT QUIT
|
trap "rm -vf ${SECRETS_FILE_PATH}" EXIT ERR INT QUIT
|
||||||
|
|
||||||
# Secrets like this can't be passed via args or they end up in derivation.
|
# Secrets like this can't be passed via args or they end up in derivation.
|
||||||
if [[ -n "${KEYSTORE_ALIAS}${KEYSTORE_ALIAS}${KEYSTORE_ALIAS}" ]]; then
|
if [[ -n "${INFURA_TOKEN}" ]]; then append_env_export 'INFURA_TOKEN'; fi
|
||||||
# WARNING: All three have to be set!
|
if [[ -n "${OPENSEA_API_KEY}" ]]; then append_env_export 'OPENSEA_API_KEY'; fi
|
||||||
append_env_export 'KEYSTORE_PASSWORD'
|
|
||||||
append_env_export 'KEYSTORE_ALIAS'
|
|
||||||
append_env_export 'KEYSTORE_KEY_PASSWORD'
|
|
||||||
fi
|
|
||||||
if [[ -n "${INFURA_TOKEN}" ]]; then
|
|
||||||
append_env_export 'INFURA_TOKEN'
|
|
||||||
fi
|
|
||||||
if [[ -n "${OPENSEA_API_KEY}" ]]; then
|
|
||||||
append_env_export 'OPENSEA_API_KEY'
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If no secrets were passed there's no need to pass the 'secretsFile'.
|
# If no secrets were passed there's no need to pass the 'secretsFile'.
|
||||||
if [[ -s "${SECRETS_FILE_PATH}" ]]; then
|
if [[ -s "${SECRETS_FILE_PATH}" ]]; then
|
|
@ -32,7 +32,6 @@ KEYSTORE_PATH=${KEYSTORE_PATH/#\~/$HOME}
|
||||||
|
|
||||||
if [[ -e "${KEYSTORE_PATH}" ]]; then
|
if [[ -e "${KEYSTORE_PATH}" ]]; then
|
||||||
echo -e "${YLW}Keystore file already exists:${RST} ${KEYSTORE_PATH}" >&2
|
echo -e "${YLW}Keystore file already exists:${RST} ${KEYSTORE_PATH}" >&2
|
||||||
echo "${KEYSTORE_PATH}"
|
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -41,7 +40,7 @@ KEYSTORE_DIR=$(dirname "${KEYSTORE_PATH}")
|
||||||
|
|
||||||
echo -e "${GRN}Generating keystore...${RST}" >&2
|
echo -e "${GRN}Generating keystore...${RST}" >&2
|
||||||
|
|
||||||
keytool -genkey -v \
|
exec keytool -genkey -v \
|
||||||
-keyalg RSA \
|
-keyalg RSA \
|
||||||
-keysize 2048 \
|
-keysize 2048 \
|
||||||
-validity 10000 \
|
-validity 10000 \
|
||||||
|
@ -52,5 +51,3 @@ keytool -genkey -v \
|
||||||
-storepass "${KEYSTORE_PASSWORD}" \
|
-storepass "${KEYSTORE_PASSWORD}" \
|
||||||
-keypass "${KEYSTORE_KEY_PASSWORD}" \
|
-keypass "${KEYSTORE_KEY_PASSWORD}" \
|
||||||
> /dev/stderr
|
> /dev/stderr
|
||||||
|
|
||||||
echo "${KEYSTORE_PATH}"
|
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -e
|
||||||
|
|
||||||
|
GIT_ROOT=$(cd "${BASH_SOURCE%/*}" && git rev-parse --show-toplevel)
|
||||||
|
source "${GIT_ROOT}/scripts/colors.sh"
|
||||||
|
|
||||||
|
function property() {
|
||||||
|
grep "${2}" "${1}" | cut -d'=' -f2
|
||||||
|
}
|
||||||
|
|
||||||
|
function gradle_property() {
|
||||||
|
property ${GIT_ROOT}/android/gradle.properties ${1}
|
||||||
|
}
|
||||||
|
|
||||||
|
function env_var_or_gradle_prop() {
|
||||||
|
VAR_NAME="${1}"
|
||||||
|
if [[ -n "${!VAR_NAME}" ]]; then
|
||||||
|
echo "${!VAR_NAME}"
|
||||||
|
else
|
||||||
|
gradle_property "${VAR_NAME}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function must_get_env() {
|
||||||
|
declare -n VAR_VALUE="$1"
|
||||||
|
if [[ -n "${VAR_VALUE}" ]]; then
|
||||||
|
echo "${VAR_VALUE}"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
echo -e "${RED}No required env variable:${RST} ${BLD}${!VAR_VALUE}${RST}" 1>&2
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# If filename contains string "unsigned" change that to signed.
|
||||||
|
# Otherwise sign in-place and overwrite the current unsigned file.
|
||||||
|
if [[ "${1}" =~ unsigned ]]; then
|
||||||
|
OUTPUT_FLAGS="--out=${1/unsigned/signed}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo -e "${GRN}Signing APK:${RST} ${1}" >&2
|
||||||
|
|
||||||
|
exec apksigner sign --verbose \
|
||||||
|
--ks="$(env_var_or_gradle_prop KEYSTORE_PATH)" \
|
||||||
|
--ks-pass="pass:$(env_var_or_gradle_prop KEYSTORE_PASSWORD)" \
|
||||||
|
--ks-key-alias="$(env_var_or_gradle_prop KEYSTORE_ALIAS)" \
|
||||||
|
--key-pass="pass:$(env_var_or_gradle_prop KEYSTORE_KEY_PASSWORD)" \
|
||||||
|
"${OUTPUT_FLAGS}" \
|
||||||
|
"${1}"
|
Loading…
Reference in New Issue