Added Windows & macOS Codesigning to Snapshot Build (#258)
* Added Windows & macOS Codesigning & notarization to Snapshot Build

Co-Authored-By: Nazar Mokrynskyi <[email protected]>
ImmaZoni and nazar-pc authored Mar 8, 2022
1 parent 729d274 commit 042302e
Showing 2 changed files with 80 additions and 22 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/rust.yaml
Expand Up @@ -54,7 +54,6 @@ jobs:
os:
- ubuntu-20.04
- macos-11
- windows-2019
- windows-2022

runs-on: ${{ matrix.os }}
Expand Down Expand Up @@ -116,7 +115,6 @@ jobs:
os:
- ubuntu-20.04
- macos-11
- windows-2019
- windows-2022

runs-on: ${{ matrix.os }}
100 changes: 80 additions & 20 deletions .github/workflows/snapshot-build.yml
Expand Up @@ -49,17 +49,17 @@ jobs:
- name: Generate testnet chain specifications
run: |
docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain testnet > chain-spec.json
docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain testnet --raw > chain-spec-raw.json
docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain testnet > chain-spec-${{ github.ref_name }}.json
docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain testnet --raw > chain-spec-raw-${{ github.ref_name }}.json
if: matrix.image == 'node'

- name: Upload testnet chain specifications to artifacts
uses: actions/upload-artifact@v2
with:
name: chain-specifications
path: |
chain-spec.json
chain-spec-raw.json
chain-spec-${{ github.ref_name }}.json
chain-spec-raw-${{ github.ref_name }}.json
if-no-files-found: error
if: matrix.image == 'node'

Expand All @@ -68,7 +68,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ github.token }}
with:
asset_paths: '["chain-spec.json", "chain-spec-raw.json"]'
asset_paths: '["chain-spec-${{ github.ref_name }}.json", "chain-spec-raw-${{ github.ref_name }}.json"]'
if: matrix.image == 'node'

executables:
Expand All @@ -77,13 +77,15 @@ jobs:

strategy:
matrix:
os:
- ubuntu-20.04
- macos-11
- windows-2019
- windows-2022
build:
- os: ubuntu-20.04
suffix: ubuntu-x86_64-${{ github.ref_name }}
- os: macos-11
suffix: macos-x86_64-${{ github.ref_name }}
- os: windows-2022
suffix: windows-x86_64-${{ github.ref_name }}

runs-on: ${{ matrix.os }}
runs-on: ${{ matrix.build.os }}

steps:
- name: Checkout
Expand All @@ -94,14 +96,24 @@ jobs:
uses: ilammy/msvc-dev-cmd@v1
with:
toolset: 14.29
if: matrix.os == 'windows-2022'
if: matrix.build.os == 'windows-2022'

- name: Download testnet chain specifications from artifacts
uses: actions/download-artifact@v2
with:
name: chain-specifications
path: .

- name: Rename chain spec file (Linux or macOS)
run: |
mv chain-spec-${{ github.ref_name }}.json chain-spec.json
if: runner.os == 'Linux' || runner.os == 'macOS'

- name: Rename chain spec file (Windows)
run: |
move chain-spec-${{ github.ref_name }}.json chain-spec.json
if: runner.os == 'Windows'

- name: Rust toolchain
uses: actions-rs/toolchain@v1
# TODO: Below can be removed when https://github.com/actions-rs/toolchain/issues/126 is resolved
Expand All @@ -123,28 +135,76 @@ jobs:
uses: actions-rs/cargo@v1
with:
command: build
args: --profile production --bins --features=subspace-node/json-chain-spec,subspace-farmer/cuda
args: --profile production --bin subspace-node --bin subspace-farmer --features=subspace-node/json-chain-spec,subspace-farmer/cuda
if: runner.os == 'Linux' || runner.os == 'Windows'

- name: Build (macOS without CUDA)
uses: actions-rs/cargo@v1
with:
command: build
args: --profile production --bins --features=subspace-node/json-chain-spec
args: --profile production --bin subspace-node --bin subspace-farmer --features=subspace-node/json-chain-spec
if: runner.os == 'macOS'

- name: Prepare executables for uploading (Linux or macOS)
- name: Sign Application (macOS)
run: |
echo "Importing certificate"
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
security create-keychain -p "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PW }}" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
echo "Signing farmer"
codesign --force --options=runtime -s "${{ secrets.MACOS_IDENTITY }}" --timestamp target/production/subspace-farmer
echo "Signing node"
codesign --force --options=runtime -s "${{ secrets.MACOS_IDENTITY }}" --timestamp target/production/subspace-node
echo "Creating an archive"
mkdir target/production/macos-binaries
cp target/production/subspace-farmer target/production/subspace-node target/production/macos-binaries
ditto -c -k --rsrc target/production/macos-binaries subspace-binaries.zip
echo "Notarizing"
xcrun altool --notarize-app --primary-bundle-id binaries-${{ github.ref_name }} --username "${{ secrets.MACOS_APPLE_ID}}" --password "${{ secrets.MACOS_APP_PW }}" --file subspace-binaries.zip
# TODO: Wait for notarization before stapling
# echo "Stapling farmer"
# xcrun stapler staple target/production/subspace-farmer
# echo "Stapling node"
# xcrun stapler staple target/production/subspace-node
echo "Done!"
if: runner.os == 'macOS'

- name: Sign Application (Windows)
uses: skymatic/[email protected]
with:
certificate: '${{ secrets.WINDOWS_CERTIFICATE }}'
password: '${{ secrets.WINDOWS_CERTIFICATE_PW }}'
certificatesha1: '00A427587B911908F59B6C42BA2863109C599C1C'
folder: 'target/production'
if: runner.os == 'Windows'

- name: Prepare executables for uploading Linux
run: |
mkdir executables
mv target/production/subspace-node executables/subspace-node-x86_64-${{ matrix.os }}-${{ github.ref_name }}
mv target/production/subspace-farmer executables/subspace-farmer-x86_64-${{ matrix.os }}-${{ github.ref_name }}
if: runner.os == 'Linux' || runner.os == 'macOS'
mv target/production/subspace-farmer executables/subspace-farmer-${{ matrix.build.suffix }}
mv target/production/subspace-node executables/subspace-node-${{ matrix.build.suffix }}
if: runner.os == 'Linux'

- name: Prepare executables for uploading macOS
run: |
mkdir executables
mv target/production/subspace-farmer executables/subspace-farmer-${{ matrix.build.suffix }}
mv target/production/subspace-node executables/subspace-node-${{ matrix.build.suffix }}
# Zip it so that signature is not lost
ditto -c -k --rsrc executables/subspace-farmer-${{ matrix.build.suffix }} executables/subspace-farmer-${{ matrix.build.suffix }}.zip
ditto -c -k --rsrc executables/subspace-node-${{ matrix.build.suffix }} executables/subspace-node-${{ matrix.build.suffix }}.zip
rm executables/subspace-farmer-${{ matrix.build.suffix }}
rm executables/subspace-node-${{ matrix.build.suffix }}
if: runner.os == 'macOS'

- name: Prepare executables for uploading (Windows)
run: |
mkdir executables
move target/production/subspace-node.exe executables/subspace-node-x86_64-${{ matrix.os }}-${{ github.ref_name }}.exe
move target/production/subspace-farmer.exe executables/subspace-farmer-x86_64-${{ matrix.os }}-${{ github.ref_name }}.exe
move target/production/subspace-farmer.exe executables/subspace-farmer-${{ matrix.build.suffix }}.exe
move target/production/subspace-node.exe executables/subspace-node-${{ matrix.build.suffix }}.exe
if: runner.os == 'Windows'

- name: Upload node and farmer executables to assets
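Review bot: In the `Sign Application (macOS)` step every secret is pasted into the script text with `${{ secrets.… }}` and passed as a command-line argument, and the decoded `certificate.p12` and `build.keychain` are never removed, so the signing key stays in the workspace while the later packaging and upload steps run. Passing the secrets through the step's `env:` keeps their contents out of the generated script (a quote or `$` inside a password would otherwise be interpreted by the shell), and a `trap` removes the key material even when signing fails. The Windows step hands the same kind of certificate and password to a third-party action that appears to be referenced by a version tag; pinning it to a full commit SHA would keep a retagged release from receiving them. The `altool` submission is also not waited on, so a rejected notarization will not fail the build, which the TODO already hints at.

```yaml
- name: Sign Application (macOS)
  env:
    MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PW: ${{ secrets.MACOS_CERTIFICATE_PW }}
    MACOS_IDENTITY: ${{ secrets.MACOS_IDENTITY }}
    MACOS_APPLE_ID: ${{ secrets.MACOS_APPLE_ID }}
    MACOS_APP_PW: ${{ secrets.MACOS_APP_PW }}
  run: |
    # Remove the decoded certificate and the temporary keychain however the step ends
    trap 'rm -f certificate.p12; security delete-keychain build.keychain' EXIT
    echo "Importing certificate"
    echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
    security create-keychain -p "$MACOS_CERTIFICATE_PW" build.keychain
    # … unchanged: security default-keychain …
    security unlock-keychain -p "$MACOS_CERTIFICATE_PW" build.keychain
    security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PW" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CERTIFICATE_PW" build.keychain
    echo "Signing farmer"
    codesign --force --options=runtime -s "$MACOS_IDENTITY" --timestamp target/production/subspace-farmer
    echo "Signing node"
    codesign --force --options=runtime -s "$MACOS_IDENTITY" --timestamp target/production/subspace-node
    # … unchanged: archive creation with mkdir, cp and ditto …
    echo "Notarizing"
    # altool reads the password from the environment, keeping it off the argument list
    xcrun altool --notarize-app --primary-bundle-id binaries-${{ github.ref_name }} --username "$MACOS_APPLE_ID" --password "@env:MACOS_APP_PW" --file subspace-binaries.zip
    # … unchanged: stapling TODO and final echo …
  if: runner.os == 'macOS'
```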
