Darwin signing, notarizing, and universal binaries #571

Merged
merged 1 commit into from
Nov 9, 2021


nbrownus
Collaborator

@nbrownus nbrownus commented Nov 8, 2021

This PR does a few things:

  1. Creates universal binaries that work on both amd64 and arm64 for darwin.
  2. Signs the binaries using key material owned by defined.net.
  3. Notarizes the resulting zip file using an Apple account owned by defined.net.
  4. Modernizes the action plugins used in the GitHub release action.

This will break existing automations as we no longer publish architecture-specific binaries for darwin; only a single nebula-darwin.zip will be available going forward.

Interestingly, you still cannot execute these binaries in Finder.app, but it should not complain if you execute them in a terminal.

Closes #24, closes #29

@nbrownus nbrownus added this to the v1.5.0 milestone Nov 8, 2021
@nbrownus nbrownus force-pushed the darwin-signing branch 4 times, most recently from 81945cb to a762f29 Compare November 9, 2021 16:37
Member

@wadey wadey left a comment

This will break some scripts for downloading the latest version. But I think that is worth it to get signed fat binaries 👍

@nbrownus nbrownus merged commit 7801b58 into slackhq:master Nov 9, 2021
@ilyaluk
Contributor

ilyaluk commented Nov 9, 2021

Hey there,

Thanks for adding notarisation support!

I worked on a similar issue of signing Mac binaries. Even though for some reason zipping is required before uploading the binary for notarisation, it could actually be distributed as a binary (not archived). It seems that Apple stores all binaries from the .zip separately and Gatekeeper correctly validates the signature in this case.

@nbrownus nbrownus deleted the darwin-signing branch November 9, 2021 19:25
@nbrownus
Collaborator Author

nbrownus commented Nov 9, 2021

That's good to know but since we ship 2 binaries per os and architecture (nebula and nebula-cert) we need some way to package them. Previously we used tar.gz and it felt silly to move between that and zip, certainly given that the use of universal binaries changed the name of the package we ship for Darwin (nebula-darwin-$arch.tar.gz -> nebula-darwin.zip).

Successfully merging this pull request may close these issues.

macOS Release Binaries Aren't Signed
3 participants