proj-flow 0.9.3__py3-none-any.whl → 0.9.4__py3-none-any.whl

proj_flow/{plugins → ext}/sign/__init__.py

@@ -2,7 +2,7 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.plugins.sign** provides the ``"Sign"`` and ``"SignPackages"``
+The **proj_flow.ext.sign** provides the ``"Sign"`` and ``"SignPackages"``
 steps.
 """
 
@@ -14,23 +14,7 @@ from typing import List, cast
 
 from proj_flow.api import env, init, step
 
-if sys.platform == "win32":
-    from . import win32
-
-else:
-
-    class win32:
-        @staticmethod
-        def is_active(*args):
-            return False
-
-        @staticmethod
-        def sign(*args):
-            return 0
-
-        @staticmethod
-        def is_pe_exec(arg):
-            return False
+from . import api, win32
 
 
 def should_exclude(filename: str, exclude: List[str], config_os: str):
@@ -44,34 +28,69 @@ def should_exclude(filename: str, exclude: List[str], config_os: str):
 
 
 class SignBase(step.Step):
+    _name: str
+    _runs_after: List[str] = []
+    _runs_before: List[str] = []
+
+    _active_tools: List[api.SigningTool] = []
+
+    @property
+    def name(self):
+        return self._name
+
+    @property
+    def runs_after(self):
+        return self._runs_after
+
+    @property
+    def runs_before(self):
+        return self._runs_before
+
+    def __init__(
+        self, name: str, runs_after: List[str] = [], runs_before: List[str] = []
+    ):
+        super().__init__()
+        self._name = name
+        self._runs_after = runs_after
+        self._runs_before = runs_before
+
     def is_active(self, config: env.Config, rt: env.Runtime) -> int:
-        return win32.is_active(config.os, rt)
+        self._active_tools = [
+            tool for tool in api.signing_tool.get() if tool.is_active(config, rt)
+        ]
+        return len(self._active_tools) > 0
 
     @abstractmethod
-    def get_files(self, config: env.Config, rt: env.Runtime) -> List[str]: ...
+    def get_files(
+        self, tool: api.SigningTool, config: env.Config, rt: env.Runtime
+    ) -> List[str]: ...
 
     def run(self, config: env.Config, rt: env.Runtime) -> int:
-        files = [file.replace(os.sep, "/") for file in self.get_files(config, rt)]
-        if len(files) == 0:
-            return 0
+        for tool in self._active_tools:
+            files = [
+                file.replace(os.sep, "/") for file in self.get_files(tool, config, rt)
+            ]
 
-        rt.print("signtool", *(os.path.basename(file) for file in files))
+            if len(files) == 0:
+                continue
 
-        if rt.dry_run:
-            return 0
+            result = tool.sign(config, rt, files)
+            if result:
+                return result
 
-        return win32.sign(files, rt)
+        return 0
 
 
 @step.register
 class SignFiles(SignBase):
     """*(Windows)* Signs executable files in build directory"""
 
-    name = "Sign"
-    runs_after = ["Build"]
-    runs_before = ["Pack"]
+    def __init__(self):
+        super().__init__(name="Sign", runs_after=["Build"], runs_before=["Pack"])
 
-    def get_files(self, config: env.Config, rt: env.Runtime) -> List[str]:
+    def get_files(
+        self, tool: api.SigningTool, config: env.Config, rt: env.Runtime
+    ) -> List[str]:
         cfg = cast(dict, rt._cfg.get("sign", {}))
         roots = cfg.get("directories", ["bin", "lib", "libexec", "share"])
         exclude = cfg.get("exclude", ["*-test"])
@@ -85,10 +104,8 @@ class SignFiles(SignBase):
                         continue
 
                     full_path = os.path.join(curr_dir, filename)
-                    if not win32.is_pe_exec(full_path):
-                        continue
-
-                    result.append(full_path)
+                    if tool.is_executable(full_path, as_package=False):
+                        result.append(full_path)
         return result
 
 
@@ -96,26 +113,29 @@ class SignFiles(SignBase):
 class SignMsi(SignBase):
     """*(Windows)* Signs MSI installers in build directory"""
 
-    name = "SignPackages"
-    runs_after = ["Pack"]
-    runs_before = ["StorePackages", "Store"]
+    def __init__(self):
+        super().__init__(
+            name="SignPackages",
+            runs_after=["Pack"],
+            runs_before=["StorePackages", "Store"],
+        )
 
     def is_active(self, config: env.Config, rt: env.Runtime) -> int:
         return super().is_active(config, rt) and "WIX" in config.items.get(
             "cpack_generator", []
         )
 
-    def get_files(self, config: env.Config, rt: env.Runtime) -> List[str]:
+    def get_files(
+        self, tool: api.SigningTool, config: env.Config, rt: env.Runtime
+    ) -> List[str]:
         result: List[str] = []
         pkg_dir = os.path.join(config.build_dir, "packages")
         for curr_dir, dirnames, filenames in os.walk(pkg_dir):
             dirnames[:] = []
             for filename in filenames:
-                _, ext = os.path.splitext(filename)
-                if ext.lower() != ".msi":
-                    continue
-
-                result.append(os.path.join(curr_dir, filename))
+                full_path = os.path.join(curr_dir, filename)
+                if tool.is_executable(full_path, as_package=False):
+                    result.append(full_path)
 
         return result
 

proj_flow/ext/sign/api.py

@@ -0,0 +1,83 @@
+# Copyright (c) 2025 Marcin Zdun
+# This code is licensed under MIT license (see LICENSE for details)
+
+"""
+The **proj_flow.ext.sign.api** defines an extension point for per-platform
+sign tools.
+"""
+
+import base64
+import json
+import os
+from abc import ABC, abstractmethod
+from typing import List, NamedTuple, Optional
+
+from proj_flow import base
+from proj_flow.api import env
+
+ENV_KEY = "SIGN_TOKEN"
+
+
+class Key(NamedTuple):
+    token: str
+    secret: bytes
+
+
+def _get_key_from_contents(key: str, rt: env.Runtime):
+    try:
+        obj = json.loads(key)
+    except json.decoder.JSONDecodeError:
+        rt.message("sign: the signature is not a valid JSON document")
+        return None
+
+    if not isinstance(obj, dict):
+        rt.message("sign: the signature is missing required fields")
+        return None
+
+    token = obj.get("token")
+    secret = obj.get("secret")
+    if not isinstance(token, str) or not isinstance(secret, str):
+        rt.message("sign: the signature is missing required fields")
+        return None
+
+    return Key(
+        base64.b64decode(token).decode("UTF-8"),
+        base64.b64decode(secret),
+    )
+
+
+def get_key(rt: env.Runtime) -> Optional[Key]:
+    rt.message(f"sign: trying ${ENV_KEY}")
+    env = os.environ.get(ENV_KEY)
+    if env:
+        key = _get_key_from_contents(env, rt)
+        if key is not None:
+            return key
+    local_signature = os.path.join(".", "signature.key")
+    home_signature = os.path.join(os.path.expanduser("~"), "signature.key")
+    for filename in [local_signature, home_signature]:
+        rt.message(f"sign: trying {filename}")
+        if os.path.isfile(filename):
+            with open(filename, encoding="UTF-8") as file:
+                result = file.read().strip()
+                key = _get_key_from_contents(result, rt)
+                if key is not None:
+                    return key
+
+    rt.message("sign: no key set up")
+
+    return None
+
+
+class SigningTool(ABC):
+    @abstractmethod
+    def is_active(self, config: env.Config, rt: env.Runtime): ...
+
+    @abstractmethod
+    def sign(self, config: env.Config, rt: env.Runtime, files: List[str]): ...
+
+    @abstractmethod
+    def is_executable(self, filename: str, as_package: bool): ...
+
+
+signing_tool = base.registry.Registry[SigningTool]("SigningTool")

proj_flow/ext/sign/win32.py

@@ -0,0 +1,152 @@
+# Copyright (c) 2025 Marcin Zdun
+# This code is licensed under MIT license (see LICENSE for details)
+
+"""
+The **proj_flow.ext.sign.win32** provides code signing with SignTool
+from Windows SDKs.
+"""
+
+import base64
+import json
+import os
+import platform
+import struct
+import subprocess
+import sys
+from typing import Iterable, List, Optional, Tuple
+
+from proj_flow.api.env import Config, Msg, Runtime
+
+from .api import ENV_KEY, SigningTool, get_key, signing_tool
+
+if sys.platform == "win32":
+    import winreg
+
+    @signing_tool.add
+    class Win32SigningTool(SigningTool):
+        def is_active(self, config: Config, rt: Runtime):
+            return _is_active(config.os, rt)
+
+        def sign(self, config: Config, rt: Runtime, files: List[str]):
+            rt.print("signtool", *(os.path.basename(file) for file in files))
+            return _sign(files, rt)
+
+        def is_signable(self, filename: str, as_package: bool):
+            if as_package:
+                _, ext = os.path.splitext(filename)
+                return ext.lower() == ".msi"
+            return _is_pe_exec(filename)
+
+    Version = Tuple[int, int, int]
+
+    machine = {"ARM64": "arm64", "AMD64": "x64", "X86": "x86"}.get(
+        platform.machine(), "x86"
+    )
+
+    def _find_sign_tool(rt: Runtime) -> Optional[str]:
+        with winreg.OpenKeyEx(  # type: ignore
+            winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows Kits\Installed Roots"  # type: ignore
+        ) as kits:
+            try:
+                kits_root = winreg.QueryValueEx(kits, "KitsRoot10")[0]  # type: ignore
+            except FileNotFoundError:
+                rt.message("sign/win32: No KitsRoot10 value")
+                return None
+
+            versions: List[Tuple[Version, str]] = []
+            try:
+                index = 0
+                while True:
+                    ver_str = winreg.EnumKey(kits, index)  # type: ignore
+                    ver = tuple(int(chunk) for chunk in ver_str.split("."))
+                    index += 1
+                    versions.append((ver, ver_str))  # type: ignore
+            except OSError:
+                pass
+        versions.sort()
+        versions.reverse()
+        rt.message(
+            "sign/win32: Regarding versions:",
+            ", ".join(version[1] for version in versions),
+        )
+        for _, version in versions:
+            # C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
+            sign_tool = os.path.join(kits_root, "bin", version, machine, "signtool.exe")
+            if os.path.isfile(sign_tool):
+                rt.message("sign/win32: using:", sign_tool)
+                return sign_tool
+        return None
+
+    def _is_active(os_name: str, rt: Runtime):
+        if os_name != "windows":
+            return False
+        key = get_key(rt)
+        return (
+            key is not None
+            and key.token is not None
+            and key.secret is not None
+            and _find_sign_tool(rt) is not None
+        )
+
+    _IMAGE_DOS_HEADER = "HHHHHHHHHHHHHH8sHH20sI"
+    _IMAGE_NT_HEADERS_Signature = "H"
+    _IMAGE_DOS_HEADER_size = struct.calcsize(_IMAGE_DOS_HEADER)
+    _IMAGE_NT_HEADERS_Signature_size = struct.calcsize(_IMAGE_NT_HEADERS_Signature)
+    _MZ = 23117
+    _PE = 17744
+
+    def _is_pe_exec(path: str):
+        with open(path, "rb") as exe:
+            mz_header = exe.read(_IMAGE_DOS_HEADER_size)
+            dos_header = struct.unpack(_IMAGE_DOS_HEADER, mz_header)
+            if dos_header[0] != _MZ:
+                return False
+
+            PE_offset = dos_header[-1]
+            if PE_offset < _IMAGE_DOS_HEADER_size:
+                return False
+
+            if PE_offset > _IMAGE_DOS_HEADER_size:
+                exe.read(PE_offset - _IMAGE_DOS_HEADER_size)
+
+            pe_header = exe.read(_IMAGE_NT_HEADERS_Signature_size)
+            signature = struct.unpack(_IMAGE_NT_HEADERS_Signature, pe_header)[0]
+            return signature == _PE
+
+    def _sign(files: Iterable[str], rt: Runtime):
+        key = get_key(rt)
+
+        if key is None or key.token is None or key.secret is None:
+            rt.fatal("sign: the key is missing")
+
+        sign_tool = _find_sign_tool(rt)
+        if sign_tool is None:
+            rt.message("proj-flow: sign: signtool.exe not found", level=Msg.ALWAYS)
+            return 0
+
+        with open("temp.pfx", "wb") as pfx:
+            pfx.write(key.secret)
+
+        args = [
+            sign_tool,
+            "sign",
+            "/f",
+            "temp.pfx",
+            "/p",
+            key.token,
+            "/tr",
+            "http://timestamp.digicert.com",
+            "/fd",
+            "sha256",
+            "/td",
+            "sha256",
+            *files,
+        ]
+
+        result = 1
+        try:
+            result = subprocess.run(args, shell=False).returncode
+        finally:
+            os.remove("temp.pfx")
+
+        return result

proj_flow/{plugins/store/store_packages.py → ext/store.py}

@@ -2,18 +2,17 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.plugins.store** provides ``"StorePackages"`` step.
+The **proj_flow.ext.store** provides ``"Store"``, ``"StoreTests"`` and
+``"StorePackages"`` steps.
 """
 
 import os
 import shutil
 from typing import List, cast
 
-from proj_flow.api import env, step
+from proj_flow.api import env, release, step
 from proj_flow.base.uname import uname
 
-from ..cmake.parser import get_project
-
 _system, _version, _arch = uname()
 _version = "" if _version is None else f"-{_version}"
 _project_pkg = None
@@ -26,12 +25,24 @@ def _package_name(config: env.Config, pkg: str, group: str):
     return f"{pkg}-{_system}{_version}-{_arch}{debug}{suffix}"
 
 
+def _get_project(rt: env.Runtime):
+    def wrap(suite: release.ProjectSuite):
+        return suite.get_project(rt)
+
+    return wrap
+
+
 @step.register
-class StorePackages:
+class StorePackages(step.Step):
     """Stores archives and installers build for ``preset`` config value."""
 
-    name = "StorePackages"
-    runs_after = ["Pack"]
+    @property
+    def name(self):
+        return "StorePackages"
+
+    @property
+    def runs_after(self):
+        return ["Pack"]
 
     def run(self, config: env.Config, rt: env.Runtime) -> int:
         if not rt.dry_run:
@@ -41,10 +52,10 @@ class StorePackages:
 
         global _project_pkg
         if _project_pkg is None:
-            project = get_project("")
+            _, project = release.project_suites.find(_get_project(rt))
             if project is None:
                 rt.fatal(f"Cannot get project information from {rt.root}")
-            _project_pkg = project.pkg
+            _project_pkg = project.archive_name
 
         main_group = cast(str, rt._cfg.get("package", {}).get("main-group"))
         if main_group is not None and not rt.dry_run:
@@ -77,3 +88,34 @@ class StorePackages:
             "build/artifacts/packages",
             f"^{_project_pkg}-.*$",
         )
+
+
+@step.register
+class StoreTests(step.Step):
+    """Stores test results gathered during tests for ``preset`` config value."""
+
+    @property
+    def name(self):
+        return "StoreTests"
+
+    @property
+    def runs_after(self):
+        return ["Test"]
+
+    def run(self, config: env.Config, rt: env.Runtime) -> int:
+        return rt.cp(
+            f"build/{config.preset}/test-results", "build/artifacts/test-results"
+        )
+
+
+@step.register
+class StoreBoth(step.SerialStep):
+    """Stores all artifacts created for ``preset`` config value."""
+
+    @property
+    def name(self):
+        return "Store"
+
+    def __init__(self):
+        super().__init__()
+        self.children = [StoreTests(), StorePackages()]

proj_flow/log/release.py

@@ -134,4 +134,4 @@ def add_release(
         if draft_url:
             rt.message("Visit draft at", draft_url, level=env.Msg.ALWAYS)
 
-    return setup.curr_tag
+    return setup.curr_tag

proj_flow/log/rich_text/markdown.py

@@ -2,7 +2,7 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.log.rich.markdown** provides details of making Markdown
+The **proj_flow.log.rich_text.markdown** provides details of making Markdown
 changelogs.
 """
 

proj_flow/log/rich_text/re_structured_text.py

@@ -2,7 +2,7 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.log.rich.re_structured_text** provides details of making
+The **proj_flow.log.rich_text.re_structured_text** provides details of making
 reStructuredText changelogs.
 """
 

proj_flow/minimal/__init__.py

@@ -6,6 +6,6 @@ The **proj_flow.minimal** defines minimal extension package: ``bootstrap``
 and ``run`` commands, with basic set of steps.
 """
 
-from . import bootstrap, list, run, system
+from . import bootstrap, init, list, run, system
 
-__all__ = ["bootstrap", "list", "run", "system"]
+__all__ = ["bootstrap", "init", "list", "run", "system"]

proj_flow/{plugins → minimal}/base.py

@@ -2,8 +2,8 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.plugins.base** provides basic initialization setup for new
-projects.
+The **proj_flow.minimal.base** provides basic initialization setup for all
+new projects.
 """
 
 from proj_flow import __version__, api

proj_flow/{plugins/commands → minimal}/init.py

@@ -2,7 +2,7 @@
 # This code is licensed under MIT license (see LICENSE for details)
 
 """
-The **proj_flow.plugins.commands.init** implements ``proj-flow init`` command.
+The **proj_flow.minimal.init** implements ``proj-flow init`` command.
 """
 
 import json

{proj_flow-0.9.3.dist-info → proj_flow-0.9.4.dist-info}/METADATA

@@ -1,7 +1,8 @@
 Metadata-Version: 2.4
 Name: proj-flow
-Version: 0.9.3
+Version: 0.9.4
 Summary: C++ project maintenance, automated
+Project-URL: Changelog, https://github.com/mzdun/proj-flow/blob/main/CHANGELOG.rst
 Project-URL: Documentation, https://proj-flow.readthedocs.io/en/latest/
 Project-URL: Homepage, https://pypi.org/project/proj-flow/
 Project-URL: Source Code, https://github.com/mzdun/proj-flow