From b61f069878f44234102efe9313217dfa260292bc Mon Sep 17 00:00:00 2001
From: Ryan Lopopolo
Date: Sun, 4 Sep 2022 12:53:41 -0700
Subject: [PATCH] Add Apple codesigning and notarization to nightly builder
---
 .github/workflows/nightly.yaml | 61 +++++++++++++++++++++++++++++++---
 macos_sign_and_notarize.py | 13 ++++----
 2 files changed, 64 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 75c0b37..5f5ca27 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -150,7 +150,7 @@ jobs:
 with:
 artichoke_ref: ${{ steps.release_info.outputs.commit }}
 target_triple: ${{ matrix.target }}
- output_file: ${{ github.workspace }}/THIRDPARTY
+ output_file: ${{ github.workspace }}/THIRDPARTY.txt
 - name: Clone Artichoke
 uses: actions/checkout@v3
@@ -208,14 +208,65 @@ jobs:
 working-directory: artichoke
 run: cargo build --verbose --release --target ${{ matrix.target }}
+ # This will codesign binaries in place which means that the tarballed
+ # binaries will be codesigned as well.
+ - name: Run Apple Codesigning and Notarization
+ id: apple_codesigning
+ if: runner.os == 'macOS'
+ run: |
+ python3 macos_sign_and_notarize.py "artichoke-nightly-${{ matrix.target }}" \
+ --binary artichoke/target/release/artichoke \
+ --binary artichoke/target/release/airb \
+ --resource artichoke/LICENSE \
+ --resource artichoke/README.md \
+ --resource THIRDPARTY.txt
+ env:
+ MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
+
+ - name: GPG sign Apple DMG
+ id: apple_codesigning_gpg
+ if: runner.os == 'macOS'
+ run: |
+ python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
+ --artifact "${{ steps.apple_codesigning.outputs.asset }}"
+
+ - name: Upload release archive
+ uses: ncipollo/release-action@v1
+ if: runner.os == 'macOS'
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ tag: ${{ steps.release_info.outputs.version }}
+ draft: true
+ allowUpdates: true
+ omitBodyDuringUpdate: true
+ omitNameDuringUpdate: true
+ omitPrereleaseDuringUpdate: true
+ artifacts: ${{ steps.apple_codesigning.outputs.asset }}
+ artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}
+
+ - name: Upload release signature
+ uses: ncipollo/release-action@v1
+ if: runner.os == 'macOS'
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ tag: ${{ steps.release_info.outputs.version }}
+ draft: true
+ allowUpdates: true
+ omitBodyDuringUpdate: true
+ omitNameDuringUpdate: true
+ omitPrereleaseDuringUpdate: true
+ artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
+ artifactContentType: "text/plain"
+
 - name: Build archive
 shell: bash
 id: build
 run: |
 staging="artichoke-nightly-${{ matrix.target }}"
 mkdir -p "$staging"/
- cp artichoke/{README.md,LICENSE} "$staging/"
- cp THIRDPARTY "$staging/THIRDPARTY.txt"
+ cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
 if [ "${{ runner.os }}" = "Windows" ]; then
 cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
 cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
@@ -232,7 +283,9 @@ jobs:
 - name: GPG sign archive
 id: gpg_signing
- run: python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" --artifact "${{ steps.build.outputs.asset }}"
+ run: |
+ python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
+ --artifact "${{ steps.build.outputs.asset }}"
 - name: Upload release archive
 uses: ncipollo/release-action@v1
diff --git a/macos_sign_and_notarize.py b/macos_sign_and_notarize.py
index 418c1ac..fc60076 100755
--- a/macos_sign_and_notarize.py
+++ b/macos_sign_and_notarize.py
@@ -176,9 +176,9 @@ def notarization_app_specific_password():
 codesigning identity's Apple ID.
 """
- if app_specific_password := os.getenv("APPLE_ID_APP_PASSWORD"):
+ if app_specific_password := os.getenv("MACOS_NOTARIZE_APP_PASSWORD"):
 return app_specific_password
- raise Exception("APPLE_ID_APP_PASSWORD environment variable is required")
+ raise Exception("MACOS_NOTARIZE_APP_PASSWORD environment variable is required")
 def notarization_team_id():
@@ -281,7 +281,7 @@ def import_notarization_credentials():
 # xcrun notarytool store-credentials \
 # "$notarytool_credentials_profile" \
 # --apple-id "apple-codesign@artichokeruby.org" \
- # --password "$APPLE_ID_APP_PASSWORD" \
+ # --password "$MACOS_NOTARIZE_APP_PASSWORD" \
 # --team-id "VDKP67932G" \
 # --keychain "$keychain_path"
 subprocess.run(
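Review bot: The new signing step passes `--binary artichoke/target/release/artichoke` and `--binary artichoke/target/release/airb`, but the build step just above it runs `cargo build --release --target ${{ matrix.target }}`, which (unless a cargo config redirects the target dir, which this hunk does not show) writes the binaries under `artichoke/target/${{ matrix.target }}/release/` — the same triple-qualified path the Build archive step visibly copies from. As written the in-place codesign would either fail on a missing file or sign a binary other than the one that gets tarballed, so the hunk's own comment that the tarballed binaries are codesigned as well would not hold, and a notarized DMG published next to an unsigned tarball of the "same" nightly is a mismatch a consumer checking signatures cannot tell apart from a tampered archive. Change the two lines to `--binary artichoke/target/${{ matrix.target }}/release/artichoke \` and `--binary artichoke/target/${{ matrix.target }}/release/airb \`. Separately, the macOS-only "Upload release archive" step reuses the name of the later cross-platform upload step at the end of the next hunk; distinct names such as `Upload Apple DMG` and `Upload Apple DMG signature` keep the job log unambiguous. The Build archive step's `run:` block continues past the end of this hunk.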
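Review bot: `raise Exception("MACOS_NOTARIZE_APP_PASSWORD environment variable is required")` raises the bare `Exception` type, so a missing secret cannot be distinguished from a genuine bug by any caller; the `@@ -326` hunk of this file raises the same way for the base64 check and for `MACOS_CERTIFICATE_PASSPHRASE`. Raising `RuntimeError` (or one small module-level error class such as `class ConfigError(RuntimeError)`) would let `main`, which the `@@ -754` hunk shows already special-cases `subprocess.CalledProcessError`, report an absent or empty secret as a one-line configuration error instead of a traceback. Whichever type is kept, the three environment variables the workflow must supply (`MACOS_NOTARIZE_APP_PASSWORD`, `MACOS_CERTIFICATE`, `MACOS_CERTIFICATE_PASSPHRASE`) are now the script's contract with the nightly workflow and are worth listing in one place in the module docstring. The docstring of `notarization_app_specific_password` begins outside the hunk.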
@@ -326,10 +326,10 @@ def import_codesigning_certificate():
 except binascii.Error:
 raise Exception("MACOS_CERTIFICATE must be base64 encoded")
- certificate_password = os.getenv("MACOS_CERTIFICATE_PWD")
+ certificate_password = os.getenv("MACOS_CERTIFICATE_PASSPHRASE")
 if not certificate_password:
 raise Exception(
- "MACOS_CERTIFICATE_PASSWORD environment variable is required"
+ "MACOS_CERTIFICATE_PASSPHRASE environment variable is required"
 )
 with tempfile.TemporaryDirectory() as tempdirname:
@@ -754,7 +754,8 @@ def main(args):
 staple_bundle(bundle=bundle)
 validate(bundle=bundle, binary_names=[binary.name for binary in binaries])
- set_output(name="bundle", value=bundle)
+ set_output(name="asset", value=bundle)
+ set_output(name="content_type", value="application/x-apple-diskimage")
 return 0
 except subprocess.CalledProcessError as e: