Add codesign for cortex cpp

.github/workflows/build.yml → .github/workflows/cortex-cpp-build.yml

@@ -1,4 +1,4 @@
-name: CI
+name: CI Cortex CPP
 
 on:
   push:
@@ -25,7 +25,8 @@ jobs:
     steps:
       - name: Extract tag name without v prefix
         id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
+        run: |
+          echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
         env:
           GITHUB_REF: ${{ github.ref }}
       - name: Create Draft Release
@@ -166,11 +167,40 @@ jobs:
         run: |
           choco install make -y
 
+      - name: Get Cer for code signing
+        if: ${{ matrix.runs-on }} == 'macos-13'
+        run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
+        shell: bash
+        env:
+          CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+
+      - uses: apple-actions/import-codesign-certs@v2
+        if: ${{ matrix.runs-on }} == 'macos-13'
+        with:
+          p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+          p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
+
+      - name: Unblock keychain
+        if: ${{ matrix.runs-on }} == 'mac-silicon'
+        run: |
+          security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ~/Library/Keychains/login.keychain-db
+
       - name: Build
         run: |
           cd cortex-cpp
           make build CMAKE_EXTRA_FLAGS="${{ matrix.cmake-flags }}"
 
+      - name: Pre-package
+        run: |
+          cd cortex-cpp
+          make pre-package
+  
+      - name: Code Signing
+        run: |
+          cd cortex-cpp
+          make codesign AZURE_KEY_VAULT_URI="${{ secrets.AZURE_KEY_VAULT_URI }}" AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" AZURE_CLIENT_SECRET="${{ secrets.AZURE_CLIENT_SECRET }}" AZURE_CERT_NAME="${{ secrets.AZURE_CERT_NAME }}" DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
+
+
       - name: Package
         run: |
           cd cortex-cpp

.github/workflows/quality-gate.yml → .github/workflows/cortex-cpp-quality-gate.yml

@@ -1,4 +1,4 @@
-name: CI Quality Gate
+name: CI Quality Gate Cortex CPP
 
 on:
   pull_request:
@@ -145,6 +145,11 @@ jobs:
           cd cortex-cpp
           make build CMAKE_EXTRA_FLAGS="${{ matrix.cmake-flags }}"
 
+      - name: Pre-package
+        run: |
+          cd cortex-cpp
+          make pre-package
+ 
       - name: Package
         run: |
           cd cortex-cpp

cortex-cpp/Makefile

@@ -6,6 +6,13 @@ CMAKE_EXTRA_FLAGS ?= ""
 RUN_TESTS ?= false
 LLM_MODEL_URL ?= "https://delta.jan.ai/tinyllama-1.1b-chat-v0.3.Q2_K.gguf"
 EMBEDDING_MODEL_URL ?= "https://catalog.jan.ai/dist/models/embeds/nomic-embed-text-v1.5.f16.gguf"
+CODE_SIGN ?= false
+AZURE_KEY_VAULT_URI ?= xxxx
+AZURE_CLIENT_ID ?= xxxx
+AZURE_TENANT_ID ?= xxxx
+AZURE_CLIENT_SECRET ?= xxxx
+AZURE_CERT_NAME ?= xxxx
+DEVELOPER_ID ?= xxxx
 
 # Default target, does nothing
 all:
@@ -29,24 +36,46 @@ else
 	make -j4;
 endif
 
-package:
+pre-package:
 ifeq ($(OS),Windows_NT)
 	@powershell -Command "mkdir -p cortex-cpp\engines\cortex.llamacpp\; cp -r build\engines\cortex.llamacpp\engine.dll cortex-cpp\engines\cortex.llamacpp\;"
 	@powershell -Command "cp -r build\Release\cortex-cpp.exe .\cortex-cpp\;"
 	@powershell -Command "cp -r build-deps\_install\bin\zlib.dll .\cortex-cpp\;"
 	@powershell -Command "cp -r ..\.github\patches\windows\msvcp140.dll .\cortex-cpp\;"
 	@powershell -Command "cp -r ..\.github\patches\windows\vcruntime140_1.dll .\cortex-cpp\;"
 	@powershell -Command "cp -r ..\.github\patches\windows\vcruntime140.dll .\cortex-cpp\;"
-	@powershell -Command "7z a -ttar temp.tar cortex-cpp\*; 7z a -tgzip cortex-cpp.tar.gz temp.tar;"
 else ifeq ($(shell uname -s),Linux)
 	@mkdir -p cortex-cpp/engines/cortex.llamacpp; \
 	cp build/engines/cortex.llamacpp/libengine.so cortex-cpp/engines/cortex.llamacpp/; \
-	cp build/cortex-cpp cortex-cpp/; \
-	tar -czvf cortex-cpp.tar.gz cortex-cpp;
+	cp build/cortex-cpp cortex-cpp/;
 else
 	@mkdir -p cortex-cpp/engines/cortex.llamacpp; \
 	cp build/engines/cortex.llamacpp/libengine.dylib cortex-cpp/engines/cortex.llamacpp/; \
-	cp build/cortex-cpp cortex-cpp/; \
+	cp build/cortex-cpp cortex-cpp/;
+endif
+
+codesign:
+ifeq ($(CODE_SIGN),false)
+	@echo "Skipping Code Sign"
+	@exit 0
+endif
+
+ifeq ($(OS),Windows_NT)
+	@powershell -Command "dotnet tool install --global AzureSignTool;"
+	@powershell -Command "Get-ChildItem -Path .\cortex-cpp -Recurse | ForEach-Object { & '%USERPROFILE%\.dotnet\tools\azuresigntool.exe' sign -kvu '$(AZURE_KEY_VAULT_URI)' -kvi '$(AZURE_CLIENT_ID)' -kvt '$(AZURE_TENANT_ID)' -kvs '$(AZURE_CLIENT_SECRET)' -kvc '$(AZURE_CERT_NAME)' -tr http://timestamp.globalsign.com/tsa/r6advanced1 -v '$_.FullName' };"
+else ifeq ($(shell uname -s),Linux)
+	@echo "Skipping Code Sign for linux"
+	@exit 0
+else
+	find "cortex-cpp" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
+endif
+
+package:
+ifeq ($(OS),Windows_NT)
+	@powershell -Command "7z a -ttar temp.tar cortex-cpp\*; 7z a -tgzip cortex-cpp.tar.gz temp.tar;"
+else ifeq ($(shell uname -s),Linux)
+	tar -czvf cortex-cpp.tar.gz cortex-cpp;
+else
 	tar -czvf cortex-cpp.tar.gz cortex-cpp;
 endif