Add the ability to generate SSL certs from tray icon (#778)

* move `config.go` to it's own package and make functions public.
This way we have a single source of truth.

* move `config.ini` in the right package and remove hack

* fix linter

* move `CrashesIsEmpty` function to the config package and rename it

* move `certificate.go` in it's own package and make functions public

* update license header

* add menu option to generate the certs only if they are not present

* systray is useless in this func

* add cert install on macos

leverage objective C APIs to install our CA certificate in the user's trusted keystore

* add cert install on win

leverage windows syscalls to install our CA certificate in the user's trusted keystore
code heavily inspired by https://github.com/FiloSottile/mkcert

* fix certificate not being valid for 127.0.0.1

* disable the generation/install certs menuItem on OS that are not macos

* remove the cert generation from the installer, remove duplicate step

* parallelization for notarization is no more required

* test new version of the installer config

* move archive generation in the CI and save a rename operation (we do that in the installer)

* removed `-` in arch matrix variable for clarity

* Revert "add cert install on win"

This reverts commit bcaeb75.

* add popup on error

* Fixed warnings in obj-c code

* remove the certs if the install process errors. The user is able to retry

* Revert "test new version of the installer config"

This reverts commit fa425dd.

---------

Co-authored-by: Cristian Maglie <[email protected]>

Author: umbynos

.github/workflows/release.yml

@@ -31,10 +31,10 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-20.04, windows-2019, macos-12]
-        arch: [-amd64]
+        arch: [amd64]
         include:
         - os: windows-2019
-          arch: -386
+          arch: 386
           ext: ".exe"
         - os: windows-2019
           ext: ".exe"
@@ -104,11 +104,11 @@ jobs:
         env:
           GOARCH: 386  # 32bit architecture (for support)
         run: task go:build-win
-        if: matrix.os == 'windows-2019' && matrix.arch == '-386'
+        if: matrix.os == 'windows-2019' && matrix.arch == '386'
 
       - name: Build the Agent for win64
         run: task go:build-win # GOARCH=amd64 by default on the runners
-        if: matrix.os == 'windows-2019' && matrix.arch == '-amd64'
+        if: matrix.os == 'windows-2019' && matrix.arch == 'amd64'
 
       - name: Build the Agent for macos
         env:
@@ -121,7 +121,7 @@ jobs:
         # this will create `public/` dir with compressed full bin (<version>/<os>-<arch>.gz) and a json file
       - name: Create autoupdate files
         run: go-selfupdate ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION}
-        if: matrix.arch != '-386' && steps.prerelease.outputs.IS_PRE != 'true'
+        if: matrix.arch != '386' && steps.prerelease.outputs.IS_PRE != 'true'
 
         # for now we do not distribute m1 build, this is a workaround for now
       - name: Copy autoupdate file for darwin-arm64 (m1 arch)
@@ -132,8 +132,8 @@ jobs:
         if: matrix.os == 'macos-12' && steps.prerelease.outputs.IS_PRE != 'true'
 
       - name: Create autoupdate files for win32
-        run: go-selfupdate -platform windows${{ matrix.arch }} ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION}
-        if: matrix.arch == '-386' && matrix.os == 'windows-2019' && steps.prerelease.outputs.IS_PRE != 'true'
+        run: go-selfupdate -platform windows-${{ matrix.arch }} ${{ env.PROJECT_NAME }}${{ matrix.ext }} ${TAG_VERSION}
+        if: matrix.arch == '386' && matrix.os == 'windows-2019' && steps.prerelease.outputs.IS_PRE != 'true'
 
       - name: Upload autoupdate files to Arduino downloads servers
         run: |
@@ -144,7 +144,7 @@ jobs:
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}${{ matrix.arch }}
+          name: ${{ env.PROJECT_NAME }}-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             ${{ env.PROJECT_NAME }}*
           if-no-files-found: error
@@ -334,9 +334,6 @@ jobs:
       INSTALLBUILDER_PATH: "/opt/installbuilder-22.10.0/bin/builder"
       INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Create_Agent"
       # vars passed to installbuilder to install https certs automatically
-      CERT_INSTALL: "ask_certificates_install=CI"  # win(edge),mac(safari)
-      NO_CERT_INSTALL: "ask_certificates_install=CS"  # linux
-      CHOICE_CERT_INSTALL: "ask_certificates_install=CC"  # win,mac:(ff,chrome)
       CREATE_OSX_BUNDLED_MG: 0  # tell installbuilder to not create the DMG, gon will take care of that later
       # installbuilder will read this vars automatically (defined in installer.xml):
       INSTALLER_CERT_WINDOWS_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
@@ -348,29 +345,27 @@ jobs:
       fail-fast: false  # if one os is failing continue nonetheless
       matrix:  # used to generate installers for different OS and not for runs-on
         os: [ubuntu-20.04, windows-2019, macos-12]
-        arch: [-amd64]
+        arch: [amd64]
         include:
           - os: ubuntu-20.04
             install-builder-name: linux
             executable-path: artifacts/linux-amd64/
+            installer-extension: .run
             artifact-name: arduino-create-agent-ubuntu-20.04-amd64
           - os: windows-2019
-            arch: -386
-            browser: edge
+            arch: 386
             install-builder-name: windows
             executable-path: artifacts/windows/
             extension: .exe
             installer-extension: .exe
             artifact-name: arduino-create-agent-windows-2019-386
           - os: windows-2019
-            browser: edge
             install-builder-name: windows
             executable-path: artifacts/windows/
             extension: .exe
             installer-extension: .exe
             artifact-name: arduino-create-agent-windows-2019-amd64
           - os: macos-12
-            browser: safari
             install-builder-name: osx
             executable-path: artifacts/macos/ArduinoCreateAgent.app
             installer-extension: .app
@@ -425,32 +420,19 @@ jobs:
         run: echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode  > ${{ env.INSTALLER_CERT_MAC_P12 }}
         if: matrix.os == 'macos-12'
 
-        # win(edge),mac(safari) -> CERT_INSTALL and win,mac:(ff,chrome) -> CHOICE_CERT_INSTALL
         # installbuilder reads the env vars with certs paths and use it to sign the installer.
-      - name: Launch Bitrock installbuilder-20 with CERT_INSTALL && CHOICE_CERT_INSTALL
+      - name: Launch Bitrock installbuilder
         run: |
-          ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.CERT_INSTALL }}
-          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CI${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-${{matrix.browser}}${{matrix.installer-extension}}
-          ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.CHOICE_CERT_INSTALL }}
-          cp -vr ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-chrome${{matrix.installer-extension}}
-          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox${{matrix.installer-extension}}
-          rm -r ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-C*
-        if: matrix.os == 'windows-2019' || matrix.os == 'macos-12'
-
-        # linux
-      - name: Launch Bitrock installbuilder-20 with NO_CERT_INSTALL
-        run: |
-          ${{ env.INSTALLBUILDER_PATH }} build installer.xml linux-x64 --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.NO_CERT_INSTALL }}
-          cp -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-chrome.run
-          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox.run
-          cp -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-chrome.tar.gz
-          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-linux-x64-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}${{ matrix.arch }}-installer-firefox.tar.gz
+          ${{ env.INSTALLBUILDER_PATH }} build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} architecture=${{ matrix.arch }}
+
+      - name: Generate archive
+        run: tar -czvf ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-${{ matrix.arch }}-installer.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-${{ matrix.arch }}-installer${{matrix.installer-extension}}
         if: matrix.os == 'ubuntu-20.04'
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: ArduinoCreateAgent-${{ matrix.install-builder-name }}${{ matrix.arch }}
+          name: ArduinoCreateAgent-${{ matrix.install-builder-name }}-${{ matrix.arch }}
           path: ArduinoCreateAgent*
           if-no-files-found: error
 
@@ -459,20 +441,19 @@ jobs:
     needs: package
     strategy:
       matrix:
-        browser: [safari, firefox, chrome]
-        arch: [-amd64]
+        arch: [amd64]
 
     runs-on: macos-12
     steps:
       - name: Download artifact
         uses: actions/download-artifact@v3
         with:
-          name: ArduinoCreateAgent-osx${{ matrix.arch }}
+          name: ArduinoCreateAgent-osx-${{ matrix.arch }}
           path: ArduinoCreateAgent-osx
 
         # zip artifacts do not mantain executable permission
       - name: Make executable
-        run: chmod -v +x ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.app/Contents/MacOS/*
+        run: chmod -v +x ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.app/Contents/MacOS/*
 
       - name: Import Code-Signing Certificates
         run: |
@@ -502,33 +483,33 @@ jobs:
         # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
         run: |
           cat > gon.config_installer.hcl <<EOF
-          source = ["ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.app"]
+          source = ["ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.app"]
           bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}-installer"
 
           sign {
             application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
           }
 
           dmg {
-            output_path = "ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.dmg"
+            output_path = "ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg"
             volume_name = "ArduinoCreateAgent"
           }
           EOF
 
       - name: Code sign and notarize app
         run: |
-          echo "gon will notarize executable in ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.app"
+          echo "gon will notarize executable in ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.app"
           gon -log-level=debug -log-json gon.config_installer.hcl
         timeout-minutes: 30
 
       #  tar dmg file to keep executable permission
       - name: Tar files to keep permissions
-        run: tar -cvf ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.tar ArduinoCreateAgent-${GITHUB_REF##*/}-osx${{ matrix.arch }}-installer-${{ matrix.browser }}.dmg
+        run: tar -cvf ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.tar ArduinoCreateAgent-${GITHUB_REF##*/}-osx-${{ matrix.arch }}-installer.dmg
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: ArduinoCreateAgent-osx${{ matrix.arch }}
+          name: ArduinoCreateAgent-osx-${{ matrix.arch }}
           path: ArduinoCreateAgent*.tar
           if-no-files-found: error
 

certificates.go renamed to certificates/certificates.go

@@ -1,11 +1,22 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright 2023 Arduino SA
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 // Generate a self-signed X.509 certificate for a TLS server. Outputs to
 // 'cert.pem' and 'key.pem' and will overwrite existing files.
 
-package main
+package certificates
 
 import (
 	"crypto/ecdsa"
@@ -23,6 +34,7 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/arduino/arduino-create-agent/config"
 	"github.com/arduino/go-paths-helper"
 	"github.com/gin-gonic/gin"
 	log "github.com/sirupsen/logrus"
@@ -115,14 +127,8 @@ func generateSingleCertificate(isCa bool) (*x509.Certificate, error) {
 		BasicConstraintsValid: true,
 	}
 
-	hosts := strings.Split(host, ",")
-	for _, h := range hosts {
-		if ip := net.ParseIP(h); ip != nil {
-			template.IPAddresses = append(template.IPAddresses, ip)
-		} else {
-			template.DNSNames = append(template.DNSNames, h)
-		}
-	}
+	template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
+	template.DNSNames = append(template.DNSNames, "localhost")
 
 	if isCa {
 		template.IsCA = true
@@ -133,10 +139,10 @@ func generateSingleCertificate(isCa bool) (*x509.Certificate, error) {
 	return &template, nil
 }
 
-// migrateCertificatesGeneratedWithOldAgentVersions checks if certificates generated
+// MigrateCertificatesGeneratedWithOldAgentVersions checks if certificates generated
 // with an old version of the Agent needs to be migrated to the current certificates
 // directory, and performs the migration if needed.
-func migrateCertificatesGeneratedWithOldAgentVersions(certsDir *paths.Path) {
+func MigrateCertificatesGeneratedWithOldAgentVersions(certsDir *paths.Path) {
 	if certsDir.Join("ca.cert.pem").Exist() {
 		// The new certificates are already set-up, nothing to do
 		return
@@ -160,11 +166,8 @@ func migrateCertificatesGeneratedWithOldAgentVersions(certsDir *paths.Path) {
 	}
 }
 
-func generateCertificates(certsDir *paths.Path) {
-	certsDir.Join("ca.cert.pem").Remove()
-	certsDir.Join("ca.key.pem").Remove()
-	certsDir.Join("cert.pem").Remove()
-	certsDir.Join("key.pem").Remove()
+// GenerateCertificates will generate the required certificates useful for a HTTPS connection on localhost
+func GenerateCertificates(certsDir *paths.Path) {
 
 	// Create the key for the certification authority
 	caKey, err := generateKey("P256")
@@ -259,7 +262,8 @@ func generateCertificates(certsDir *paths.Path) {
 	}
 }
 
-func certHandler(c *gin.Context) {
+// CertHandler will expone the certificate (we do not know why this was required)
+func CertHandler(c *gin.Context) {
 	if strings.Contains(c.Request.UserAgent(), "Firefox") {
 		c.Header("content-type", "application/x-x509-ca-cert")
 		c.File("ca.cert.cer")
@@ -270,15 +274,19 @@ func certHandler(c *gin.Context) {
 	})
 }
 
-func deleteCertHandler(c *gin.Context) {
-	DeleteCertificates(getCertificatesDir())
+// DeleteCertHandler will delete the certificates
+func DeleteCertHandler(c *gin.Context) {
+	DeleteCertificates(config.GetCertificatesDir())
 }
 
 // DeleteCertificates will delete the certificates
 func DeleteCertificates(certDir *paths.Path) {
+	certDir.Join("ca.key.pem").Remove()
 	certDir.Join("ca.cert.pem").Remove()
 	certDir.Join("ca.cert.cer").Remove()
-	certDir.Join("ca.key.pem").Remove()
+	certDir.Join("key.pem").Remove()
+	certDir.Join("cert.pem").Remove()
+	certDir.Join("cert.cer").Remove()
 }
 
 const noFirefoxTemplateHTML = `<!DOCTYPE html>