-
Notifications
You must be signed in to change notification settings - Fork 0
Sign and notarize MacOS binaries #92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Vladyslav-Kuksiuk
wants to merge
6
commits into
master
Choose a base branch
from
sign-binaries
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
9a1fc99
Provide macOs binary signing and notarization.
Vladyslav-Kuksiuk 3e6b272
Extract bash scripts.
Vladyslav-Kuksiuk 50d2f68
Merge remote-tracking branch 'refs/remotes/origin/master' into sign-b…
Vladyslav-Kuksiuk ebcdf8c
Test signing.
Vladyslav-Kuksiuk 4df8cb2
Remove test.
Vladyslav-Kuksiuk b548579
Merge branch 'master' into sign-binaries
Vladyslav-Kuksiuk File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 1.2.3 | ||
| 1.2.4 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # Release Scripts | ||
|
|
||
| These scripts support the `release-binaries` GitHub workflow. | ||
| They are intended for the macOS release job. | ||
|
|
||
| ## Signing | ||
|
|
||
| Use `sign-macos-binary.sh` to import the Developer ID certificate into a | ||
| temporary keychain and sign the macOS binary. | ||
|
|
||
| Required environment variables: | ||
|
|
||
| - `MACOS_CERTIFICATE_P12_BASE64`: base64-encoded `.p12` export of the Developer | ||
| ID Application certificate and private key. | ||
| - `MACOS_CERTIFICATE_PASSWORD`: password used when exporting the `.p12` file. | ||
| - `MACOS_CODESIGN_IDENTITY`: full Developer ID Application identity, such as | ||
| `Developer ID Application: Company Name (TEAMID)`. | ||
|
|
||
| Optional environment variable: | ||
|
|
||
| - `MACOS_KEYCHAIN_PASSWORD`: password for the temporary keychain. When omitted, | ||
| the script generates one. | ||
|
|
||
| Example: | ||
|
|
||
| ```bash | ||
| scripts/release/sign-macos-binary.sh dist/embed-code-macos | ||
| ``` | ||
|
|
||
| ## Notarization | ||
|
|
||
| Use `notarize-macos-zip.sh` to package the signed CLI binary as a ZIP archive | ||
| and submit that archive to Apple notarization. | ||
|
|
||
| Required environment variables: | ||
|
|
||
| - `APPLE_ID`: Apple Account email used for notarization. | ||
| - `APPLE_TEAM_ID`: 10-character Apple Developer Team ID. | ||
| - `APPLE_APP_SPECIFIC_PASSWORD`: app-specific password for the Apple Account. | ||
|
|
||
| Example: | ||
|
|
||
| ```bash | ||
| scripts/release/notarize-macos-zip.sh \ | ||
| dist/embed-code-macos \ | ||
| dist/embed-code-macos.zip | ||
| ``` |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| # Packages and notarizes the signed macOS CLI binary. | ||
| # | ||
| # Usage: | ||
| # scripts/release/notarize-macos-zip.sh \ | ||
| # dist/embed-code-macos \ | ||
| # dist/embed-code-macos.zip | ||
| # | ||
| # The script expects these environment variables: | ||
| # APPLE_ID | ||
| # APPLE_TEAM_ID | ||
| # APPLE_APP_SPECIFIC_PASSWORD | ||
| # | ||
| # Apple notarization accepts an archive/package submission, so the CLI binary is | ||
| # wrapped in a ZIP instead of being uploaded as a loose executable. | ||
| # | ||
| # The script writes the ZIP path passed as its second argument and waits for | ||
| # Apple to accept or reject the notarization submission. | ||
| set -euo pipefail | ||
|
|
||
| # Verifies, that secrets are set. | ||
| required_vars=( | ||
| APPLE_ID | ||
| APPLE_TEAM_ID | ||
| APPLE_APP_SPECIFIC_PASSWORD | ||
| ) | ||
|
|
||
| missing=() | ||
| for var_name in "${required_vars[@]}"; do | ||
| if [[ -z "${!var_name:-}" ]]; then | ||
| missing+=("$var_name") | ||
| fi | ||
| done | ||
| if (( ${#missing[@]} > 0 )); then | ||
| printf 'Missing required environment variable: %s\n' "${missing[@]}" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if (( $# != 2 )); then | ||
| echo "Usage: $0 <signed-macos-binary-path> <zip-output-path>" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| binary_path="$1" | ||
| zip_path="$2" | ||
|
|
||
| if [[ ! -f "$binary_path" ]]; then | ||
| echo "Signed macOS binary does not exist: $binary_path" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| binary_dir="$(cd "$(dirname "$binary_path")" && pwd)" | ||
| binary_name="$(basename "$binary_path")" | ||
| zip_dir="$(dirname "$zip_path")" | ||
| zip_name="$(basename "$zip_path")" | ||
|
|
||
| # Resolve the ZIP path before changing directories. | ||
| mkdir -p "$zip_dir" | ||
| zip_dir="$(cd "$zip_dir" && pwd)" | ||
| zip_path="$zip_dir/$zip_name" | ||
|
|
||
| pushd "$binary_dir" >/dev/null | ||
| ditto -c -k --keepParent "$binary_name" "$zip_path" | ||
| popd >/dev/null | ||
|
|
||
| # Wait for the notarization result before publishing. | ||
| # ZIP archives do not support stapling, so the release publishes the accepted archive as-is. | ||
| xcrun notarytool submit "$zip_path" \ | ||
| --apple-id "$APPLE_ID" \ | ||
| --team-id "$APPLE_TEAM_ID" \ | ||
| --password "$APPLE_APP_SPECIFIC_PASSWORD" \ | ||
| --wait |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| # Signs the macOS CLI binary with a Developer ID Application certificate. | ||
| # | ||
| # Usage: | ||
| # scripts/release/sign-macos-binary.sh dist/embed-code-macos | ||
| # | ||
| # The script expects these environment variables: | ||
| # MACOS_CERTIFICATE_P12_BASE64 | ||
| # MACOS_CERTIFICATE_PASSWORD | ||
| # MACOS_CODESIGN_IDENTITY | ||
| # | ||
| # The certificate value must be a base64-encoded `.p12` export that contains the | ||
| # Developer ID Application certificate and private key. | ||
| # `MACOS_CODESIGN_IDENTITY` is the full identity printed by | ||
| # `security find-identity`, such as: | ||
| # | ||
| # Developer ID Application: Company Name (TEAMID) | ||
| # | ||
| # For local diagnostics, `MACOS_KEYCHAIN_PASSWORD` can be set to reuse a known | ||
| # temporary keychain password. | ||
| # | ||
| # The script writes temporary certificate and keychain files under RUNNER_TEMP, | ||
| # or TMPDIR when RUNNER_TEMP is not set. It signs the binary in place and verifies | ||
| # the resulting signature. | ||
| set -euo pipefail | ||
|
|
||
| # Verifies, that secrets are set. | ||
| required_vars=( | ||
| MACOS_CERTIFICATE_P12_BASE64 | ||
| MACOS_CERTIFICATE_PASSWORD | ||
| MACOS_CODESIGN_IDENTITY | ||
| ) | ||
|
|
||
| missing=() | ||
| for var_name in "${required_vars[@]}"; do | ||
| if [[ -z "${!var_name:-}" ]]; then | ||
| missing+=("$var_name") | ||
| fi | ||
| done | ||
| if (( ${#missing[@]} > 0 )); then | ||
| printf 'Missing required environment variable: %s\n' "${missing[@]}" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if (( $# != 1 )); then | ||
| echo "Usage: $0 <macos-binary-path>" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| binary_path="$1" | ||
| if [[ ! -f "$binary_path" ]]; then | ||
| echo "macOS binary does not exist: $binary_path" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| temp_dir="${RUNNER_TEMP:-${TMPDIR:-/tmp}}" | ||
| keychain_path="$temp_dir/embed-code-signing.keychain-db" | ||
| certificate_path="$temp_dir/embed-code-signing-certificate.p12" | ||
| keychain_password="${MACOS_KEYCHAIN_PASSWORD:-$(uuidgen)}" | ||
|
|
||
| # Decode the certificate at runtime so only the temporary runner filesystem ever | ||
| # contains the `.p12`. | ||
| if printf '%s' "$MACOS_CERTIFICATE_P12_BASE64" | base64 --decode > "$certificate_path" 2>/dev/null; then | ||
| : | ||
| else | ||
| printf '%s' "$MACOS_CERTIFICATE_P12_BASE64" | base64 -D > "$certificate_path" | ||
| fi | ||
|
|
||
| security create-keychain -p "$keychain_password" "$keychain_path" | ||
| security set-keychain-settings -lut 21600 "$keychain_path" | ||
| security unlock-keychain -p "$keychain_password" "$keychain_path" | ||
|
|
||
| # Import Apple's public certificate chain into the temporary keychain. | ||
| # Some runners do not have the current Developer ID intermediate certificates. | ||
| curl -fsSL https://www.apple.com/certificateauthority/AppleRootCA-G3.cer \ | ||
| -o "$temp_dir/AppleRootCA-G3.cer" | ||
| curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer \ | ||
| -o "$temp_dir/AppleWWDRCAG6.cer" | ||
| curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer \ | ||
| -o "$temp_dir/DeveloperIDG2CA.cer" | ||
|
|
||
| security import "$temp_dir/AppleRootCA-G3.cer" -k "$keychain_path" | ||
| security import "$temp_dir/AppleWWDRCAG6.cer" -k "$keychain_path" | ||
| security import "$temp_dir/DeveloperIDG2CA.cer" -k "$keychain_path" | ||
|
|
||
| # Import the private signing identity and allow Apple signing tools to access | ||
| # the key non-interactively. | ||
| security import "$certificate_path" \ | ||
| -P "$MACOS_CERTIFICATE_PASSWORD" \ | ||
| -A \ | ||
| -t cert \ | ||
| -f pkcs12 \ | ||
| -k "$keychain_path" | ||
| security list-keychains -d user -s "$keychain_path" | ||
| security set-key-partition-list \ | ||
| -S apple-tool:,apple: \ | ||
| -s \ | ||
| -k "$keychain_password" \ | ||
| "$keychain_path" | ||
| security find-identity -v -p codesigning "$keychain_path" | ||
|
|
||
| # Use the hardened runtime and a trusted timestamp so Gatekeeper can evaluate | ||
| # the signature after the Developer ID certificate eventually expires. | ||
| codesign \ | ||
| --force \ | ||
| --options runtime \ | ||
| --timestamp \ | ||
| --sign "$MACOS_CODESIGN_IDENTITY" \ | ||
| "$binary_path" | ||
| codesign --verify --verbose=4 "$binary_path" |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have to use our self-hosted macOS runners. See 1DAM configuration for details. Ask Alex Tymchenko to allow the runners to be used in the project.