From 957ae1aaadfb25890bfe6774aa1c5da8edc98f01 Mon Sep 17 00:00:00 2001
From: Ali <>
Date: Mon, 2 May 2022 16:40:58 +0400
Subject: [PATCH] Fix sudo-less builds

---
 .gitmodules                      |   2 +-
 WORKSPACE                        |   4 +-
 build-system/AppleWWDRCAG3.cer   | Bin 0 -> 1109 bytes
 buildbox/build-telegram-next.sh  | 137 +++++++++++++++++++++++++++++++
 buildbox/guest-build-telegram.sh |   5 +-
 third-party/mozjpeg/BUILD        |   2 +-
 third-party/yasm/BUILD           |   2 +-
 7 files changed, 146 insertions(+), 6 deletions(-)
 create mode 100644 build-system/AppleWWDRCAG3.cer
 create mode 100644 buildbox/build-telegram-next.sh

diff --git a/.gitmodules b/.gitmodules
index 28c5f3dda4..95ed8e1665 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -4,7 +4,7 @@
 	url=../rlottie.git
 [submodule "build-system/bazel-rules/rules_apple"]
 	path = build-system/bazel-rules/rules_apple
-url=https://github.com/bazelbuild/rules_apple.git
+url=https://github.com/ali-fareed/rules_apple.git
 [submodule "build-system/bazel-rules/rules_swift"]
 	path = build-system/bazel-rules/rules_swift
 url=https://github.com/bazelbuild/rules_swift.git
diff --git a/WORKSPACE b/WORKSPACE
index a41ed5cce6..ecc527cbb5 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -53,8 +53,8 @@ bazel_skylib_workspace()
 
 http_file(
     name = "cmake_tar_gz",
-    urls = ["https://github.com/Kitware/CMake/releases/download/v3.19.2/cmake-3.19.2-macos-universal.tar.gz"],
-    sha256 = "50afa2cb66bea6a0314ef28034f3ff1647325e30cf5940f97906a56fd9640bd8",
+    urls = ["https://github.com/Kitware/CMake/releases/download/v3.23.1/cmake-3.23.1-macos-universal.tar.gz"],
+    sha256 = "f794ed92ccb4e9b6619a77328f313497d7decf8fb7e047ba35a348b838e0e1e2",
 )
 
 http_archive(
diff --git a/build-system/AppleWWDRCAG3.cer b/build-system/AppleWWDRCAG3.cer
new file mode 100644
index 0000000000000000000000000000000000000000..32f96f81dd6ea4c1c0f8e84698a50df773444b83
GIT binary patch
literal 1109
zcmXqLVhJ>8Vzyks%*4pVBv7+HlS_5G<-h9LE>#CBj=nSCW#iOp^Jx3d%gD&h%3zRW
z$Zf#M#vIDRCd?EXY$$9X2;y)Fb2%0i<fJNi<|XSHsu`$&1i6J}A%f1SMJ1VOnaPPI
znfZANj-@3T`9+x}m4;#lA|Q3l!n_c5LHYS53eJuOa^k#31_nlkmWCFF#wO-b;=IN{
zE>H*zq6|t6T@0MSI(e)iI>Ymea#G4OQ&JUNQp-|v@(WUn6oOK7z!nxO;Ibd;6K)<R
zcVoCuc#wU9>{o*(MkVCXU}R-rZerwT0E%-lH8C<W-1yr0XGJ7;`*EL%db(i~E?3Ad
zF?hMu<2|?Ye%+SeDzUE8PhUrx3B`n@%*#pA-EwUDsWUd;uCY!0^OR|sOxBjltLdlL
zytHQ*eAu$bT{f-Ha?y(|o^P!#Jrqc&>YLni>cB0Y1I-s6|D1SjdC!T1#gEpxT}+xg
zX~l#D^V*DQXL}#~nf<F`_v7mIy5e`E|20G^mx}KYI`~%lsmZy2N?Yf7Zg?8HzrSUX
z&5B(|+op;=VK_OT`NEmaR$|rHSYzhCc3;Q4Rkw#P)7RmGw~sZ;yk5nPYxJB$49*?w
zYMU~{`+gR${lDKb>!ynzs^Bts5HBBM?YUi*LCU=8QrPsRL7p`U7PH?oF*7nSE^d5p
z(D=qc2pB!G!i<dnSvU;XfD{uWgMmCqOqoT(K&(MT`$DGslrqkLU$T4k9F~1|_pRrM
zGjL(!&}L&~Wo2h%WU(+XGcbYi4H(-rGD=Dctn~HslZy-V5<zKAFF8LK%r!991q&1b
zlTUJ@fgZ>jc@}j8RRiS(iVNi1WT9G<i*k^3f>i4Pg$!gt>iJm2SVTDg9T1)HbA1Ze
zB%z&Z8p%A<-z?u`zz34%2l<2rm_yhM1lYL1`5`%ljfs(k3792Na|kd^Ffy!76@KyU
zL1VcKle^Qt_@$N#uaZ{&Jv!lJvGCP-voEaT@9jPPmhpU!hC}r6P!-1?f6gD=s{HcK
zn~(XY8f4249ZB?5O<&J{%2IXh<;PWLj5T=q^cIFY6#se_vyLrL^X=nS9{<EUMq=IN
z7hF!o7BL&T%~?0wLF(6+2bb-B>G!0~pME4H^8F=`FYGft6Cx##-<@*tz`>mQ3dQ$4
zudQ=tHhBjnSZuXy%6$`L7`%^vqK~I%N&m9I(=G0PvZd;Idw*Vv`CNY}hnv&vQOc7;
z=FB3JS6^jKS+(-^zi+cR(!1Yl?^q@7*}VSz={+ycznWUOVT<dcGf&%BaUFKFs*Jf6
JU@~{AH2}Gqoj3ph

literal 0
HcmV?d00001

diff --git a/buildbox/build-telegram-next.sh b/buildbox/build-telegram-next.sh
new file mode 100644
index 0000000000..34a3971161
--- /dev/null
+++ b/buildbox/build-telegram-next.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+set -e
+
+MACOS_VERSION="12"
+XCODE_VERSION="13.2.1"
+GUEST_SHELL="bash"
+
+if [ -z "$VIRTUALBUILD_HOST" ]; then
+	echo "VIRTUALBUILD_HOST is not defined"
+	exit 1
+fi
+
+VM_BASE_NAME="macos$(echo $MACOS_VERSION | sed -e 's/\.'/_/g)-Xcode$(echo $XCODE_VERSION | sed -e 's/\.'/_/g)"
+echo "Base VM: \"$VM_BASE_NAME\""
+
+if [ -z "$BAZEL" ]; then
+	echo "BAZEL is not defined"
+	exit 1
+fi
+
+if [ ! -f "$BAZEL" ]; then
+	echo "bazel not found at $BAZEL"
+	exit 1
+fi
+
+BUILDBOX_DIR="buildbox"
+
+mkdir -p "$BUILDBOX_DIR/transient-data"
+
+rm -f "tools/bazel"
+cp "$BAZEL" "tools/bazel"
+
+BUILD_CONFIGURATION="$1"
+
+if [ "$BUILD_CONFIGURATION" == "hockeyapp" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental-2" ]; then
+	CODESIGNING_SUBPATH="$BUILDBOX_DIR/transient-data/telegram-codesigning/codesigning"
+elif [ "$BUILD_CONFIGURATION" == "appstore" ]; then
+	CODESIGNING_SUBPATH="$BUILDBOX_DIR/transient-data/telegram-codesigning/codesigning"
+elif [ "$BUILD_CONFIGURATION" == "verify" ]; then
+	CODESIGNING_SUBPATH="build-system/fake-codesigning"
+else
+	echo "Unknown configuration $1"
+	exit 1
+fi
+
+COMMIT_COMMENT="$(git log -1 --pretty=%B)"
+case "$COMMIT_COMMENT" in 
+  *"[nocache]"*)
+	export BAZEL_HTTP_CACHE_URL=""
+    ;;
+esac
+
+COMMIT_ID="$(git rev-parse HEAD)"
+COMMIT_AUTHOR=$(git log -1 --pretty=format:'%an')
+if [ -z "$2" ]; then
+	COMMIT_COUNT=$(git rev-list --count HEAD)
+	BUILD_NUMBER_OFFSET="$(cat build_number_offset)"
+	COMMIT_COUNT="$(($COMMIT_COUNT+$BUILD_NUMBER_OFFSET))"
+	BUILD_NUMBER="$COMMIT_COUNT"
+else
+	BUILD_NUMBER="$2"
+fi
+
+BASE_DIR=$(pwd)
+
+if [ "$BUILD_CONFIGURATION" == "hockeyapp" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental" ] || [ "$BUILD_CONFIGURATION" == "appcenter-experimental-2" ] || [ "$BUILD_CONFIGURATION" == "appstore" ]; then
+	if [ ! `which generate-configuration.sh` ]; then
+		echo "generate-configuration.sh not found in PATH $PATH"
+		exit 1
+	fi
+
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning"
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+
+	case "$BUILD_CONFIGURATION" in
+		"hockeyapp"|"appcenter-experimental"|"appcenter-experimental-2")
+			generate-configuration.sh internal release "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning" "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+			;;
+
+		"appstore")
+			generate-configuration.sh appstore release "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning" "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+			;;
+
+		*)
+			echo "Unknown build configuration $BUILD_CONFIGURATION"
+			exit 1
+			;;
+	esac
+elif [ "$BUILD_CONFIGURATION" == "verify" ]; then
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning"
+	mkdir -p "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration"
+
+	cp -R build-system/fake-codesigning/* "$BASE_DIR/$BUILDBOX_DIR/transient-data/telegram-codesigning/"
+	cp -R build-system/example-configuration/* "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration/"
+fi
+
+if [ ! -d "$CODESIGNING_SUBPATH" ]; then
+	echo "$CODESIGNING_SUBPATH does not exist"
+	exit 1
+fi
+
+SOURCE_DIR=$(basename "$BASE_DIR")
+rm -f "$BUILDBOX_DIR/transient-data/source.tar"
+set -x
+find . -type f -a -not -regex "\\." -a -not -regex ".*\\./git" -a -not -regex ".*\\./git/.*" -a -not -regex "\\./bazel-bin" -a -not -regex "\\./bazel-bin/.*" -a -not -regex "\\./bazel-out" -a -not -regex "\\./bazel-out/.*" -a -not -regex "\\./bazel-testlogs" -a -not -regex "\\./bazel-testlogs/.*" -a -not -regex "\\./bazel-telegram-ios" -a -not -regex "\\./bazel-telegram-ios/.*" -a -not -regex "\\./buildbox" -a -not -regex "\\./buildbox/.*" -a -not -regex "\\./buck-out" -a -not -regex "\\./buck-out/.*" -a -not -regex "\\./\\.buckd" -a -not -regex "\\./\\.buckd/.*" -a -not -regex "\\./build" -a -not -regex "\\./build/.*" -print0 | tar cf "$BUILDBOX_DIR/transient-data/source.tar" --null -T -
+
+PROCESS_ID="$$"
+
+initialization_params="$VM_BASE_NAME"
+initialization_params="$initialization_params&watchpid=$PROCESS_ID"
+
+ssh_credentials=$(curl --fail --insecure "https://$VIRTUALBUILD_HOST/run-image?name=$initialization_params")
+
+ssh_username=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['username'])")
+ssh_host=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['host'])")
+ssh_privateKey=$(echo "$ssh_credentials" | python3 -c "import sys, json; print(json.load(sys.stdin)['sshCredentials']['privateKey'])")
+
+ssh_privateKeyFile=$(mktemp)
+echo "$ssh_privateKey" | base64 --decode > "$ssh_privateKeyFile"
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$CODESIGNING_SUBPATH" $ssh_username@"$ssh_host":codesigning_data
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$BASE_DIR/$BUILDBOX_DIR/transient-data/build-configuration" $ssh_username@"$ssh_host":telegram-configuration
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr "$BUILDBOX_DIR/guest-build-telegram.sh" "$BUILDBOX_DIR/transient-data/source.tar" $ssh_username@"$ssh_host":
+
+ssh -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $ssh_username@"$ssh_host" -o ServerAliveInterval=60 -t "export BUILD_NUMBER=\"$BUILD_NUMBER\"; export BAZEL_HTTP_CACHE_URL=\"$BAZEL_HTTP_CACHE_URL\"; $GUEST_SHELL -l guest-build-telegram.sh $BUILD_CONFIGURATION" || true
+
+OUTPUT_PATH="build/artifacts"
+rm -rf "$OUTPUT_PATH"
+mkdir -p "$OUTPUT_PATH"
+
+scp -i "$ssh_privateKeyFile" -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -pr $ssh_username@"$ssh_host":"telegram-ios/build/artifacts/*" "$OUTPUT_PATH/"
+
+if [ ! -f "$OUTPUT_PATH/Telegram.ipa" ]; then
+	exit 1
+fi
diff --git a/buildbox/guest-build-telegram.sh b/buildbox/guest-build-telegram.sh
index 07f65327d1..6d64d9016c 100644
--- a/buildbox/guest-build-telegram.sh
+++ b/buildbox/guest-build-telegram.sh
@@ -73,9 +73,12 @@ for f in "$CERTS_PATH"/*.p12; do
 done
 
 for f in "$CERTS_PATH"/*.cer; do
-	sudo security add-trusted-cert -d -r trustRoot -p codeSign -k "$MY_KEYCHAIN" "$f"
+	#sudo security add-trusted-cert -d -r trustRoot -p codeSign -k "$MY_KEYCHAIN" "$f"
+	security import "$f" -k "$MY_KEYCHAIN" -P "" -T /usr/bin/codesign -T /usr/bin/security
 done
 
+security import "build-system/AppleWWDRCAG3.cer" -k "$MY_KEYCHAIN" -P "" -T /usr/bin/codesign -T /usr/bin/security
+
 security set-key-partition-list -S apple-tool:,apple: -k "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
 
 if [ "$1" == "hockeyapp" ] || [ "$1" == "appcenter-experimental" ] || [ "$1" == "appcenter-experimental-2" ]; then
diff --git a/third-party/mozjpeg/BUILD b/third-party/mozjpeg/BUILD
index f71d702e7d..faeca31222 100644
--- a/third-party/mozjpeg/BUILD
+++ b/third-party/mozjpeg/BUILD
@@ -57,7 +57,7 @@ genrule(
 
     mkdir -p "$$BUILD_DIR/Public/mozjpeg"
 
-    PATH="$$PATH:$$CMAKE_DIR/cmake-3.19.2-macos-universal/CMake.app/Contents/bin" sh $$BUILD_DIR/build-mozjpeg-bazel.sh $$BUILD_ARCH "$$BUILD_DIR/mozjpeg" "$$BUILD_DIR"
+    PATH="$$PATH:$$CMAKE_DIR/cmake-3.23.1-macos-universal/CMake.app/Contents/bin" sh $$BUILD_DIR/build-mozjpeg-bazel.sh $$BUILD_ARCH "$$BUILD_DIR/mozjpeg" "$$BUILD_DIR"
     """ +
     "\n".join([
         "cp -f \"$$BUILD_DIR/mozjpeg/{}\" \"$(location Public/mozjpeg/{})\"".format(header, header) for header in headers
diff --git a/third-party/yasm/BUILD b/third-party/yasm/BUILD
index 3d1ee6a815..38efc12b07 100644
--- a/third-party/yasm/BUILD
+++ b/third-party/yasm/BUILD
@@ -23,7 +23,7 @@ set -x
     pushd "$$BUILD_DIR/yasm-1.3.0"
     mkdir build
     cd build
-    PATH="$$PATH:$$CMAKE_DIR/cmake-3.19.2-macos-universal/CMake.app/Contents/bin" cmake .. -DYASM_BUILD_TESTS=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF
+    PATH="$$PATH:$$CMAKE_DIR/cmake-3.23.1-macos-universal/CMake.app/Contents/bin" cmake .. -DYASM_BUILD_TESTS=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DPYTHON_EXECUTABLE="$$(which python3)"
     make -j $$core_count
     popd