Add Apple codesigning and notarization to nightly builder

artichoke · Sep 4, 2022 · b61f069 · b61f069
1 parent 231644d
commit b61f069
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 10 deletions.
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -150,7 +150,7 @@ jobs:
         with:
           artichoke_ref: ${{ steps.release_info.outputs.commit }}
           target_triple: ${{ matrix.target }}
-          output_file: ${{ github.workspace }}/THIRDPARTY
+          output_file: ${{ github.workspace }}/THIRDPARTY.txt
 
       - name: Clone Artichoke
         uses: actions/checkout@v3
@@ -208,14 +208,65 @@ jobs:
         working-directory: artichoke
         run: cargo build --verbose --release --target ${{ matrix.target }}
 
+      # This will codesign binaries in place which means that the tarballed
+      # binaries will be codesigned as well.
+      - name: Run Apple Codesigning and Notarization
+        id: apple_codesigning
+        if: runner.os == 'macOS'
+        run: |
+          python3 macos_sign_and_notarize.py "artichoke-nightly-${{ matrix.target }}" \
+            --binary artichoke/target/release/artichoke \
+            --binary artichoke/target/release/airb \
+            --resource artichoke/LICENSE \
+            --resource artichoke/README.md \
+            --resource THIRDPARTY.txt
+        env:
+          MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
+
+      - name: GPG sign Apple DMG
+        id: apple_codesigning_gpg
+        if: runner.os == 'macOS'
+        run: |
+          python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
+            --artifact "${{ steps.apple_codesigning.outputs.asset }}"
+
+      - name: Upload release archive
+        uses: ncipollo/release-action@v1
+        if: runner.os == 'macOS'
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release_info.outputs.version }}
+          draft: true
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          omitPrereleaseDuringUpdate: true
+          artifacts: ${{ steps.apple_codesigning.outputs.asset }}
+          artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}
+
+      - name: Upload release signature
+        uses: ncipollo/release-action@v1
+        if: runner.os == 'macOS'
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ steps.release_info.outputs.version }}
+          draft: true
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          omitPrereleaseDuringUpdate: true
+          artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
+          artifactContentType: "text/plain"
+
       - name: Build archive
         shell: bash
         id: build
         run: |
           staging="artichoke-nightly-${{ matrix.target }}"
           mkdir -p "$staging"/
-          cp artichoke/{README.md,LICENSE} "$staging/"
-          cp THIRDPARTY "$staging/THIRDPARTY.txt"
+          cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
           if [ "${{ runner.os }}" = "Windows" ]; then
             cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
             cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
@@ -232,7 +283,9 @@ jobs:
 
       - name: GPG sign archive
         id: gpg_signing
-        run: python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" --artifact "${{ steps.build.outputs.asset }}"
+        run: |
+          python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
+            --artifact "${{ steps.build.outputs.asset }}"
 
       - name: Upload release archive
         uses: ncipollo/release-action@v1

diff --git a/macos_sign_and_notarize.py b/macos_sign_and_notarize.py
@@ -176,9 +176,9 @@ def notarization_app_specific_password():
     codesigning identity's Apple ID.
     """
 
-    if app_specific_password := os.getenv("APPLE_ID_APP_PASSWORD"):
+    if app_specific_password := os.getenv("MACOS_NOTARIZE_APP_PASSWORD"):
         return app_specific_password
-    raise Exception("APPLE_ID_APP_PASSWORD environment variable is required")
+    raise Exception("MACOS_NOTARIZE_APP_PASSWORD environment variable is required")
 
 
 def notarization_team_id():
@@ -281,7 +281,7 @@ def import_notarization_credentials():
         # xcrun notarytool store-credentials \
         #   "$notarytool_credentials_profile" \
         #   --apple-id "[email protected]" \
-        #   --password "$APPLE_ID_APP_PASSWORD" \
+        #   --password "$MACOS_NOTARIZE_APP_PASSWORD" \
         #   --team-id "VDKP67932G" \
         #   --keychain "$keychain_path"
         subprocess.run(
@@ -326,10 +326,10 @@ def import_codesigning_certificate():
         except binascii.Error:
             raise Exception("MACOS_CERTIFICATE must be base64 encoded")
 
-        certificate_password = os.getenv("MACOS_CERTIFICATE_PWD")
+        certificate_password = os.getenv("MACOS_CERTIFICATE_PASSPHRASE")
         if not certificate_password:
             raise Exception(
-                "MACOS_CERTIFICATE_PASSWORD environment variable is required"
+                "MACOS_CERTIFICATE_PASSPHRASE environment variable is required"
             )
 
         with tempfile.TemporaryDirectory() as tempdirname:
@@ -754,7 +754,8 @@ def main(args):
         staple_bundle(bundle=bundle)
 
         validate(bundle=bundle, binary_names=[binary.name for binary in binaries])
-        set_output(name="bundle", value=bundle)
+        set_output(name="asset", value=bundle)
+        set_output(name="content_type", value="application/x-apple-diskimage")
 
         return 0
     except subprocess.CalledProcessError as e: