feat: sign and notarize the binary (prefix-dev#137)

.github/workflows/rust.yml

@@ -1,11 +1,11 @@
 on:
   push:
     tags:
-      - 'v*.*.*'
+      - "v*.*.*"
     branches:
       - main
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
   workflow_dispatch:
   pull_request:
 
@@ -76,7 +76,7 @@ jobs:
   build:
     name: ${{ matrix.job.name }}
     runs-on: ${{ matrix.job.os }}
-    needs: [ crate_metadata, clippy ]
+    needs: [crate_metadata, clippy]
     strategy:
       fail-fast: false
       matrix:
@@ -91,7 +91,7 @@ jobs:
           - os: windows-latest
             rustflags: -C target-feature=+crt-static
     env:
-      BUILD_CMD: cargo  # The build and test command to use if not overwritten
+      BUILD_CMD: cargo # The build and test command to use if not overwritten
       RUSTFLAGS: ${{ matrix.rustflags || '' }} -D warnings
     steps:
       - name: Checkout source code
@@ -231,12 +231,70 @@ jobs:
 
       - name: Build Installer
         continue-on-error: true
-        if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc'
+        if: matrix.job.os == 'windows-latest' && matrix.job.target != 'aarch64-pc-windows-msvc'
         run: >
           cargo wix -v --no-build --nocapture -I install/windows/main.wxs
           --target ${{ matrix.job.target }}
           --output target/wix/pixi-${{ matrix.job.target }}.msi
 
+      # Here we notarize the binary with a certificate from Apple
+      # To get a certificate, go to XCode and request a Developer ID certificate for the right team.
+      # Then export the certificate from XCode and copy it as base64 into the secrets.
+      # Using e.g. `openssl base64 -in ~/Desktop/DeveloperID.p12 | tr -d '\n' | pbcopy` (to copy to clipboard).
+      # The password is the password you used to export the certificate.
+      # The ident is the ident of the certificate, which you can find in the keychain.
+      # The apple id password is a app specific password that you can get on the apple website (https://support.apple.com/en-us/HT204397) (usually a UUID looking string)
+      # The team id is the team id of the Apple Developer Team.
+      - name: Notarize binary
+        # only execute this step when on main branch and on macOS
+        if: matrix.job.os == 'macOS-latest' && github.ref == 'refs/heads/main'
+        env:
+          APPLEID_TEAMID: ${{ secrets.APPLEID_TEAMID }}
+          APPLEID_USERNAME: ${{ secrets.APPLEID_USERNAME }}
+          APPLEID_PASSWORD: ${{ secrets.APPLEID_PASSWORD }}
+          DEVELOPER_ID_CERTIFICATE: ${{ secrets.DEVELOPER_ID_CERTIFICATE }}
+          DEVELOPER_ID_PASSWORD: ${{ secrets.DEVELOPER_ID_PASSWORD }}
+          DEVELOPER_ID_IDENT: ${{ secrets.DEVELOPER_ID_IDENT }}
+          KEYCHAIN_FILENAME: app-signing.keychain-db
+          BIN_PATH: ${{ steps.bin.outputs.BIN_PATH }}
+        run: |
+          export KEYCHAIN_ENTRY="AC_PASSWORD"
+          INSTALL_CERTIFICATE_PATH="$RUNNER_TEMP/install_certificate.p12"
+          KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_FILENAME"
+
+          # create temporary keychain
+          export KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          echo -n "$DEVELOPER_ID_CERTIFICATE" | base64 --decode --output $INSTALL_CERTIFICATE_PATH
+          security import $INSTALL_CERTIFICATE_PATH -P "$DEVELOPER_ID_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          echo "Successfully imported Developer ID certificate into keychain"
+
+          # Add Apple Developer ID credentials to keychain
+          xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" \
+              --team-id "$APPLEID_TEAMID" \
+              --apple-id "$APPLEID_USERNAME" \
+              --password "$APPLEID_PASSWORD" \
+              --keychain "$KEYCHAIN_PATH"
+
+          echo "Successfully added Apple Developer ID credentials to keychain"
+          echo "Now signing binary..."
+
+          # codesign binary
+          xcrun codesign --force --options=runtime --keychain "$KEYCHAIN_PATH" \
+            --timestamp --sign "$DEVELOPER_ID_IDENT" --verbose "$BIN_PATH" \
+            --identifier "dev.prefix.pixi"
+
+          zip pixi.zip ${BIN_PATH}
+
+          # notarize binary
+          xcrun notarytool submit pixi.zip --keychain-profile "$KEYCHAIN_ENTRY" --wait
+
+
       - name: Create tarball
         id: package
         shell: bash