Add Apple codesigning and notarization to nightly builder #88

Merged
merged 12 commits into from
Sep 5, 2022
57 changes: 54 additions & 3 deletions .github/workflows/nightly.yaml
@@ -150,7 +150,7 @@ jobs:
with:
artichoke_ref: ${{ steps.release_info.outputs.commit }}
target_triple: ${{ matrix.target }}
output_file: ${{ github.workspace }}/THIRDPARTY
output_file: ${{ github.workspace }}/THIRDPARTY.txt

- name: Clone Artichoke
uses: actions/checkout@v3
@@ -208,14 +208,65 @@ jobs:
working-directory: artichoke
run: cargo build --verbose --release --target ${{ matrix.target }}

# This will codesign binaries in place which means that the tarballed
# binaries will be codesigned as well.
- name: Run Apple Codesigning and Notarization
id: apple_codesigning
if: runner.os == 'macOS'
run: |
python3 macos_sign_and_notarize.py "artichoke-nightly-${{ matrix.target }}" \
--binary "artichoke/target/${{ matrix.target }}/release/artichoke" \
--binary "artichoke/target/${{ matrix.target }}/release/airb" \
--resource artichoke/LICENSE \
--resource artichoke/README.md \
--resource THIRDPARTY.txt
env:
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}

- name: GPG sign Apple DMG
id: apple_codesigning_gpg
if: runner.os == 'macOS'
run: |
python3 gpg_sign.py "artichoke-nightly-${{ matrix.target }}" \
--artifact "${{ steps.apple_codesigning.outputs.asset }}"

- name: Upload release archive
uses: ncipollo/release-action@v1
if: runner.os == 'macOS'
with:
token: ${{ secrets.GITHUB_TOKEN }}
tag: ${{ steps.release_info.outputs.version }}
draft: true
allowUpdates: true
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
omitPrereleaseDuringUpdate: true
artifacts: ${{ steps.apple_codesigning.outputs.asset }}
artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}

- name: Upload release signature
uses: ncipollo/release-action@v1
if: runner.os == 'macOS'
with:
token: ${{ secrets.GITHUB_TOKEN }}
tag: ${{ steps.release_info.outputs.version }}
draft: true
allowUpdates: true
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
omitPrereleaseDuringUpdate: true
artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
artifactContentType: "text/plain"

- name: Build archive
shell: bash
id: build
run: |
staging="artichoke-nightly-${{ matrix.target }}"
mkdir -p "$staging"/
cp artichoke/{README.md,LICENSE} "$staging/"
cp THIRDPARTY "$staging/THIRDPARTY.txt"
cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
if [ "${{ runner.os }}" = "Windows" ]; then
cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
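Review bot: the two upload steps read `steps.apple_codesigning.outputs.asset`, `steps.apple_codesigning.outputs.content_type` and `steps.apple_codesigning_gpg.outputs.signature`, but nothing in the workflow states that `macos_sign_and_notarize.py` and `gpg_sign.py` are the scripts that must emit those outputs; add a comment above the signing step naming them, otherwise a refactor of either script leaves `artifacts:` empty and the upload step fails late. Scoping the three `MACOS_*` secrets to the signing step's `env:` rather than the job level is right, since it keeps the certificate and passphrase out of every other step's environment. Minor: the signing step does not set `shell: bash` while `Build archive` does; harmless on macOS but worth making consistent.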
1 change: 1 addition & 0 deletions .gitignore
@@ -225,3 +225,4 @@ build-iPhoneSimulator/

*.dmg
/dist/*
*.keychain-db
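Review bot: `*.keychain-db` covers the temporary build keychain that holds the imported Developer ID certificate, which must never land in the repository; if the signing script also writes the decoded certificate (for example a `.p12`) to disk before importing it, that pattern should be ignored here as well, and removal of the keychain on failure belongs in the script itself rather than relying on `.gitignore`.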
Binary file added apple-certs/DeveloperIDG2CA.cer
Binary file not shown.
22 changes: 22 additions & 0 deletions apple-certs/README.md
@@ -0,0 +1,22 @@
# Apple Certificates

Several certificates are required by the build keychain used in the codesigning
process.

## Certificate Chain

The build keychain must include the all intermediate certificates for the
codesigning certificate.

All of Apple's CAs can be found at:
<https://www.apple.com/certificateauthority/>.

The Developer ID Application certificate used for codesigning has "Developer
ID - G2 (Expiring 09/17/2031 00:00:00 UTC)" as an intermediate in its
certificate chain.

## Provisioning Profile

`artichoke-provisioning-profile-signing.cer` contains a provisioning profile
which is associated with the Developer ID application and is required for
signing.
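Review bot: the README should tell a reviewer how to check that the committed `DeveloperIDG2CA.cer` is the genuine Apple intermediate, for example by comparing its fingerprint with the certificate published on the linked Apple page, since a swapped intermediate in the repository is exactly what a reader of this file needs to be able to rule out. Wording: "include the all intermediate certificates" should read "include all the intermediate certificates", and "Developer ID application" should be capitalised consistently with "Developer ID Application" above.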
Binary file not shown.
27 changes: 19 additions & 8 deletions gpg_sign.py
@@ -92,6 +92,7 @@ def gpg_sign_artifact(*, artifact_path, release_name):
str(asc),
str(artifact_path),
],
check=True,
# capture output because `gpg --detatch-sign` writes to stderr which
# prevents the GitHub Actions log group from working correctly.
stdout=subprocess.PIPE,
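Review bot: with `check=True`, a non-zero exit from `gpg --detach-sign` now raises `CalledProcessError` instead of being ignored, and because `stdout=subprocess.PIPE` is set the exception carries the captured output that the new handler in `main` prints; make sure `stderr` is captured the same way (the comment says gpg writes there), or `e.stderr` will be `None` in that handler. Context-line nit: `--detatch-sign` in the comment is misspelled.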
@@ -120,6 +121,7 @@ def validate(*, artifact_name, asc):
str(asc),
str(artifact_name),
],
check=True,
# capture output because `gpg --verify` writes to stderr which
# prevents the GitHub Actions log group from working correctly.
stdout=subprocess.PIPE,
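Review bot: `check=True` on `gpg --verify` is the important one of the two: unless the return code is inspected somewhere this hunk does not show, a failed signature verification previously returned normally and the script reported success, so a bad signature could have been uploaded alongside the artifact. Worth a one-line comment saying the raise is intentional so nobody removes it later to quiet the exception.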
@@ -160,7 +162,7 @@ def main(args):

for artifact in artifacts:
if not artifact.is_file():
print("Error: {artifact} does not exist", file=sys.stderr)
print(f"Error: artifact file {artifact} does not exist", file=sys.stderr)
return 1

if len(artifacts) > 1:
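Review bot: correct fix, the message was missing the `f` prefix so `{artifact}` was printed literally; fine as is.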
@@ -185,16 +187,25 @@ def main(args):

return 0
except subprocess.CalledProcessError as e:
print(
f"""Error: failed to invoke command.
\tCommand: {e.cmd}
\tReturn Code: {e.returncode}""",
file=sys.stderr,
)
print("Error: failed to invoke command", file=sys.stderr)
print(f" Command: {e.cmd}", file=sys.stderr)
print(f" Return Code: {e.returncode}", file=sys.stderr)
if e.stdout:
print()
print("Output:", file=sys.stderr)
for line in e.stdout.splitlines():
print(f" {line}", file=sys.stderr)
if e.stderr:
print()
print("Error Output:", file=sys.stderr)
for line in e.stderr.splitlines():
print(f" {line}", file=sys.stderr)
print()
print(traceback.format_exc(), file=sys.stderr)
return e.returncode
except Exception as e:
print(f"Error: {e}", file=sys.stderr)
print(traceback.format_exc())
print(traceback.format_exc(), file=sys.stderr)
return 1


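Review bot: the three bare `print()` separators go to stdout while every other line in this handler goes to stderr, so in a CI log the blank lines will not appear where intended; pass `file=sys.stderr` to them. Two things to verify against the `subprocess.run` calls: `e.stdout` and `e.stderr` are `bytes` unless `text=True` (or `encoding`) was passed, in which case `splitlines()` yields byte strings and each line prints as `b'...'`; and `traceback` must be imported at the top of the module, which this diff does not show. Returning `e.returncode` from `main` is good because it propagates the tool's exit status to the workflow step.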