Document or automate macOS release machine setup

[rvagg]

/cc @mhdawson

We removed the macOS setup docs in b804f76 but I don't believe we're fully automated for release machines so we need to retain this documentation somewhere but it also needs updating because this seems to change with each new macOS version (specifically the signing cert stuff) and whenever I do it my notes from previous attempts never seem to fully get me over the line. So it might be good to have someone go through the steps and document it themselves.

This is in the doc that we deleted in the above commit:

---

• For release machines:
  • Install PackageMaker, download "Auxiliary Tools for Xcode - Late July 2012" from the Apple Developer site to get it, put it in ~iojs/PackageMaker.app (RV: need to check whether Node 6 needs this any more, possibly that died with Node 4?)
  • Install Packages from http://s.sudre.free.fr/Software/Packages/about.html
  • Install xz utilities from http://macpkg.sourceforge.net/
  • Install Node.js Foundation code signing and package signing certificates
    • Available from either the secrets repository under "release" as a passwordless .p12 file
    • OS X 10.10: In Keychain Access, "Import Items" and add both the Installer and Application certificates to the "System" (not "login" which is default)
    • OS X 10.10: Find the private key for Node.js Foundation under System in Keychain Access, "Get Info" for it, switch to "Access Control" and allow access by all applications. This step requires a physical keyboard under El Capitan and onward.
    • Command line alternative (all OS X?): sudo security import /path/to/id.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign -T /usr/bin/productsign
  • Add ssh_config as ~iojs/.ssh/config
  • Install the staging key as ~/.ssh/id_rsa

[mhdawson]

Installed on the new release machine EXCEPT for Packagemaker as it sounded like this would not be required for 10.X and above and I think the plan would be for the new machine only to be used to build later versions (current master, and possibly 10.X depending on what we decide is ok).

[maclover7]

Ah, my bad. Is this mostly covered with #1391? Or do more things need to be added to the Ansible scripts?

[mhdawson]

@rvagg looks like things build ok on master, does that line up with what you expected? ie Packagemaker not being needed for recent versions?

[mhdawson]

These

• 2 Install Packages from http://s.sudre.free.fr/Software/Packages/about.html
• Install xz utilities from http://macpkg.sourceforge.net/

Should be able to be added to the ansible scripts. Installing them on the test machines as well as the release machines should be fine (even though they are not necessary on the test machines).

I suggest that we should be the downloads on the ci machine under downloads like we do with some binaries needed for other platforms.

The last step

• Install Node.js Foundation code signing and package signing certificates

cannot be added to the ansible scripts as the signing keys must have limited access.

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

[mhdawson]

@AshCripps can you see if this part is automated or not and comment on whether there is anything left to do?

[AshCripps]

@rvagg Did you have to do any of these steps in the recent release machine setup?

[rvagg]

rolled into #2199, it even mentions this issue in the new docs as being the old version