release: add Mac OSX installer build

- include `scalar`
- build signed .dmg & .pkg for target OS version 10.6
- upload artifacts to workflow

Update 2022-08-11: .dmg and .pkg are now signed

Author: vdye

.github/macos-installer/Makefile

@@ -0,0 +1,116 @@
+SHELL := /bin/bash
+SUDO := sudo
+C_INCLUDE_PATH := /usr/include
+CPLUS_INCLUDE_PATH := /usr/include
+LD_LIBRARY_PATH := /usr/lib
+
+OSX_VERSION := $(shell sw_vers -productVersion)
+TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION)
+
+ARCH := x86_64
+ARCH_CODE := x86_64
+ARCH_FLAGS_x86_64 := -arch x86_64
+
+CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})
+LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})
+
+PREFIX := /usr/local
+GIT_PREFIX := $(PREFIX)/git
+
+BUILD_CODE := intel-$(ARCH_CODE)
+BUILD_DIR := $(GITHUB_WORKSPACE)/payload
+DESTDIR := $(PWD)/stage/git-$(BUILD_CODE)-$(VERSION)
+ARTIFACTDIR := build_artifacts
+SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) DESTDIR=$(DESTDIR)
+CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'")
+
+.PHONY: image pkg payload
+
+.SECONDARY:
+
+$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE):
+	rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed*
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain:
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall"
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built:
+	[ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok
+	cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain
+	cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	# This is needed for Git-Gui, GitK
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl
+	[ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man
+	cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree:
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree
+	mkdir -p $(DESTDIR)
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc
+	cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig
+	cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh
+	sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude"
+
+symlinks:
+	mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin
+	cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \;
+	for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done
+	ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR)
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree
+	find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \;
+	find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \;
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE): $(BUILD_DIR)/git-$(VERSION)/osx-built
+ifeq ("$(ARCH_CODE)", "universal")
+	File $(BUILD_DIR)/git-$(VERSION)/git
+	File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain
+else
+	[ "$$(File $(BUILD_DIR)/git-$(VERSION)/git | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
+	[ "$$(File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
+endif
+	touch $@
+
+disk-image/VERSION-$(VERSION)-$(ARCH_CODE):
+	rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store
+	mkdir disk-image
+	touch "$@"
+
+disk-image/git-$(VERSION)-$(BUILD_CODE).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_CODE) symlinks
+	pkgbuild --identifier com.git.pkg --version $(VERSION) --root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts --install-location $(PREFIX) --component-plist ./assets/git-components.plist disk-image/git-$(VERSION)-$(BUILD_CODE).pkg
+
+git-%-$(BUILD_CODE).dmg:
+	hdiutil create git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) Intel $(ARCH)" -ov
+	hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg
+	rm -f git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg
+
+payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE)
+
+pkg: disk-image/git-$(VERSION)-$(BUILD_CODE).pkg
+
+image: git-$(VERSION)-$(BUILD_CODE).dmg

.github/macos-installer/assets/etc/gitconfig.osxkeychain

@@ -0,0 +1,2 @@
+[credential]
+	helper = osxkeychain

.github/macos-installer/assets/git-components.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>RootRelativeBundlePath</key>
+		<string>git/share/git-gui/lib/Git Gui.app</string>
+	</dict>
+</array>
+</plist>

.github/macos-installer/assets/scripts/postinstall

@@ -0,0 +1,62 @@
+#!/bin/bash
+INSTALL_DST="$2"
+SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar"
+SCALAR_DOTNET_CMD="/usr/local/scalar/scalar"
+SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh"
+
+function cleanupScalar()
+{
+    echo "checking whether Scalar was installed"
+    if [ ! -f "$SCALAR_C_CMD" ]; then
+        echo "Scalar not installed; exiting..."
+        return 0
+    fi
+    echo "Scalar is installed!"
+
+    echo "looking for Scalar.NET"
+    if [ ! -f "$SCALAR_DOTNET_CMD" ]; then
+        echo "Scalar.NET not found; exiting..."
+        return 0
+    fi
+    echo "Scalar.NET found!"
+
+    currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')
+
+    # Re-register Scalar.NET repositories with the newly-installed Scalar
+    for repo in $($SCALAR_DOTNET_CMD list); do
+        (
+            PATH="$INSTALL_DST/git/bin:$PATH"
+            sudo -u "$currentUser" scalar register $repo || \
+                echo "warning: skipping re-registration of $repo"
+        )
+    done
+
+    # Uninstall Scalar.NET
+    echo "removing Scalar.NET"
+
+    # Add /usr/local/bin to path - default install location of Homebrew
+    PATH="/usr/local/bin:$PATH"
+    if (sudo -u "$currentUser" brew list --cask scalar); then
+        # Remove from Homebrew
+        sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?"
+        echo "Scalar.NET uninstalled via Homebrew!"
+    elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then
+        sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?"
+        echo "Scalar.NET with GVFS uninstalled via Homebrew!"
+    elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then
+        # If not installed with Homebrew, manually remove package
+        sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?"
+        echo "Scalar.NET uninstalled!"
+    else
+        echo "warning: Scalar.NET uninstall script not found"
+    fi
+
+    # Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation
+    mkdir -p $INSTALL_DST/bin
+    /bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar"
+}
+
+# Run Scalar cleanup (will exit if not applicable)
+cleanupScalar
+
+exit 0

.github/macos-installer/assets/uninstall.sh

@@ -0,0 +1,34 @@
+#!/bin/bash -e
+if [ ! -r "/usr/local/git" ]; then
+  echo "Git doesn't appear to be installed via this installer.  Aborting"
+  exit 1
+fi
+
+if [ "$1" != "--yes" ]; then
+  echo "This will uninstall git by removing /usr/local/git/, and symlinks"
+  printf "Type 'yes' if you are sure you wish to continue: "
+  read response
+else
+  response="yes"
+fi
+
+if [ "$response" == "yes" ]; then
+  # remove all of the symlinks we've created
+  pkgutil --files com.git.pkg | grep bin | while read f; do
+    if [ -L /usr/local/$f ]; then
+      sudo rm /usr/local/$f
+    fi
+  done
+
+  # forget receipts.
+  pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {}
+  echo "Uninstalled"
+
+  # The guts all go here.
+  sudo rm -rf /usr/local/git/
+else
+  echo "Aborted"
+  exit 1
+fi
+
+exit 0

.github/scripts/run-esrp-signing.py

@@ -0,0 +1,135 @@
+import argparse
+import json
+import os
+import glob
+import pprint
+import subprocess
+import sys
+import re
+
+parser = argparse.ArgumentParser(description='Sign binaries for macOS')
+parser.add_argument('path', help='Path to file for signing')
+parser.add_argument('keycode', help='Platform-specific key code for signing')
+parser.add_argument('opcode', help='Platform-specific operation code for signing')
+# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--`
+parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing')
+args = parser.parse_args()
+
+esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
+
+aad_id = os.environ['AZURE_AAD_ID'].strip()
+workspace = os.environ['GITHUB_WORKSPACE'].strip()
+
+source_location = args.path
+files = glob.glob(os.path.join(source_location, "*"))
+
+print("Found files:")
+pprint.pp(files)
+
+auth_json = {
+    "Version": "1.0.0",
+    "AuthenticationType": "AAD_CERT",
+    "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+    "ClientId": f"{aad_id}",
+    "AuthCert": {
+            "SubjectName": f"CN={aad_id}.microsoft.com",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My",
+            "SendX5c" :  "true"
+    },
+    "RequestSigningCert": {
+            "SubjectName": f"CN={aad_id}",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My"
+    }
+}
+
+input_json = {
+	"Version": "1.0.0",
+	"SignBatches": [
+		{
+			"SourceLocationType": "UNC",
+			"SourceRootDirectory": source_location,
+			"DestinationLocationType": "UNC",
+			"DestinationRootDirectory": workspace,
+			"SignRequestFiles": [],
+			"SigningInfo": {
+				"Operations": [
+					{
+						"KeyCode": f"{args.keycode}",
+						"OperationCode": f"{args.opcode}",
+						"Parameters": {},
+						"ToolName": "sign",
+						"ToolVersion": "1.0",
+					}
+				]
+			}
+		}
+	]
+}
+
+# add files to sign
+for f in files:
+	name = os.path.basename(f)
+	input_json["SignBatches"][0]["SignRequestFiles"].append(
+		{
+			"SourceLocation": name,
+			"DestinationLocation": os.path.join("signed", name),
+		}
+	)
+
+# add parameters to input.json (e.g. enabling the hardened runtime for macOS)
+if args.params is not None:
+	i = 0
+	while i < len(args.params):
+		input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1]
+		i += 2
+
+policy_json = {
+	"Version": "1.0.0",
+	"Intent": "production release",
+	"ContentType": "binary",
+}
+
+configs = [
+	("auth.json", auth_json),
+	("input.json", input_json),
+	("policy.json", policy_json),
+]
+
+for filename, data in configs:
+	with open(filename, 'w') as fp:
+		json.dump(data, fp)
+
+# Run ESRP Client
+esrp_out = "esrp_out.json"
+result = subprocess.run(
+	[esrp_tool, "sign",
+	"-a", "auth.json",
+	"-i", "input.json",
+	"-p", "policy.json",
+	"-o", esrp_out,
+	"-l", "Verbose"],
+	capture_output=True,
+	text=True,
+	cwd=workspace)
+
+# Scrub log before printing
+log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$',
+    '***',
+    result.stdout,
+    flags=re.IGNORECASE|re.MULTILINE)
+print(log)
+
+if result.returncode != 0:
+	print("Failed to run ESRPClient.exe")
+	sys.exit(1)
+
+if os.path.isfile(esrp_out):
+	print("ESRP output json:")
+	with open(esrp_out, 'r') as fp:
+		pprint.pp(json.load(fp))
+
+for file in files:
+	if os.path.isfile(os.path.join("signed", file)):
+		print(f"Success!\nSigned {file}")

.github/scripts/set-up-esrp.ps1

@@ -0,0 +1,12 @@
+# Install ESRP client
+az storage blob download --file esrp.zip --auth-mode login --account-name esrpsigningstorage --container signing-resources --name microsoft.esrpclient.1.2.76.nupkg
+Expand-Archive -Path esrp.zip -DestinationPath .\esrp
+
+# Install certificates
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx
+
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx