From 2b82f74d9110f025cd152be645a292b910072ad4 Mon Sep 17 00:00:00 2001 From: Nate Maninger Date: Thu, 30 Mar 2023 21:06:17 -0600 Subject: [PATCH] ci: enable notarization for macOS builds --- .github/workflows/publish.yml | 66 +++++++++++++-------------- .github/workflows/publish_testnet.yml | 66 +++++++++++++-------------- 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 56da952c..5b88ee34 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -109,35 +109,35 @@ jobs: go-version: 'stable' - name: Build Version uses: ./.github/actions/version -# - name: Setup notarization -# env: -# APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} -# APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} -# APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} -# APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} -# APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} -# APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} -# APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} -# run: | -# # extract apple cert -# APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12 -# KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db -# echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH -# -# # extract apple key -# mkdir -p ~/private_keys -# APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8 -# echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH -# -# # create temp keychain -# security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH -# security set-keychain-settings -lut 21600 $KEYCHAIN_PATH -# security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH -# -# # import keychain -# security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -# security list-keychain -d user -s $KEYCHAIN_PATH -# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH + - name: Setup notarization + env: + APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} + APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} + APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} + APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} + APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} + APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # extract apple cert + APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + echo -n "$APPLE_CERT_B64" | base64 
--decode --output $APPLE_CERT_PATH + + # extract apple key + mkdir -p ~/private_keys + APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8 + echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH + + # create temp keychain + security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import keychain + security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security list-keychain -d user -s $KEYCHAIN_PATH + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH - name: Build amd64 env: CGO_ENABLED: 1 @@ -149,9 +149,9 @@ jobs: mkdir -p release go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/hostd cp README.md LICENSE api/openapi.yml bin/ - # codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd + codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd ditto -ck bin $ZIP_OUTPUT - # xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT + xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT - name: Build arm64 env: CGO_ENABLED: 1 
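Review bot: The `security import` line in the Setup notarization step passes `-A`, which lets any application use the imported signing key without prompting, and it expands `$APPLE_CERT_PASSWORD` unquoted (as does `-k $APPLE_KEYCHAIN_PASSWORD` on the `set-key-partition-list` line), so a password containing whitespace or glob characters would be split or expanded by the shell. Because the partition list already grants `codesign` access, the import can probably be scoped instead, subject to a test run: `security import "$APPLE_CERT_PATH" -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k "$KEYCHAIN_PATH"`, with `-k "$APPLE_KEYCHAIN_PASSWORD"` quoted on the last line. The decoded `.p12`, the `AuthKey_*.p8` file and the temporary keychain are never removed; if this job can ever run on a non-ephemeral runner, a final step with `if: always()` that runs `security delete-keychain "$KEYCHAIN_PATH"` and deletes both files would limit how long the key material stays on disk. The same step is enabled in publish_testnet.yml at @@ -111.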
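Review bot: The newly enabled `codesign` and `notarytool` lines read `$APPLE_CERT_ID`, `$APPLE_API_KEY` and `$APPLE_API_ISSUER`, but the `env:` of the Build amd64 step starts outside this hunk and the step-level `env` of Setup notarization does not carry over, so these three need to be defined on this step or at job level. The expansions are also unquoted; a signing identity given as a certificate common name contains spaces, so `-s "$APPLE_CERT_ID"` and `"$ZIP_OUTPUT"` are safer. Before upload it would help to add `codesign --verify --strict --verbose=2 bin/hostd` after signing, and to confirm that the step actually fails when notarization is rejected rather than trusting the exit status of `--wait` alone. The Build arm64 hunk at @@ -163 and both build hunks in publish_testnet.yml (@@ -151, @@ -165) contain the same lines.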
@@ -163,9 +163,9 @@ jobs: mkdir -p release go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/hostd cp README.md LICENSE api/openapi.yml bin/ - # codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd + codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd ditto -ck bin $ZIP_OUTPUT - # xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT + xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT - uses: actions/upload-artifact@v3 with: name: hostd diff --git a/.github/workflows/publish_testnet.yml b/.github/workflows/publish_testnet.yml index 80139b4a..ba3bbe4c 100644 --- a/.github/workflows/publish_testnet.yml +++ b/.github/workflows/publish_testnet.yml 
@@ -111,35 +111,35 @@ jobs: go-version: 'stable' - name: Build Version uses: ./.github/actions/version -# - name: Setup notarization -# env: -# APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} -# APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} -# APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} -# APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} -# APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} -# APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} -# APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} -# run: | -# # extract apple cert -# APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12 -# KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db -# echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH -# -# # extract apple key -# mkdir -p ~/private_keys -# APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8 -# echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH -# -# # create temp keychain -# security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH -# security set-keychain-settings -lut 21600 $KEYCHAIN_PATH -# security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH -# -# # import keychain -# security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -# security list-keychain -d user -s $KEYCHAIN_PATH -# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH + - name: Setup notarization + env: + APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }} + APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} + APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} + APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }} + APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }} + APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # extract apple cert + APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + echo -n "$APPLE_CERT_B64" | base64 
--decode --output $APPLE_CERT_PATH + + # extract apple key + mkdir -p ~/private_keys + APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8 + echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH + + # create temp keychain + security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import keychain + security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security list-keychain -d user -s $KEYCHAIN_PATH + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH - name: Build amd64 env: CGO_ENABLED: 1 @@ -151,9 +151,9 @@ jobs: mkdir -p release go build -tags='testnet netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/hostd cp README.md LICENSE api/openapi.yml bin/ - # codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd + codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd ditto -ck bin $ZIP_OUTPUT - # xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT + xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT - name: Build arm64 env: CGO_ENABLED: 1 
@@ -165,9 +165,9 @@ jobs: mkdir -p release go build -tags='testnet netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/hostd cp README.md LICENSE api/openapi.yml bin/ - # codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd + codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/hostd ditto -ck bin $ZIP_OUTPUT - # xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT + xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT - uses: actions/upload-artifact@v3 with: name: hostd