Merge pull request #222 from id/0801-build-on-apple-silicon-and-sign-…

…macos-package

feat: release package for apple silicon and sign macos package

.github/workflows/build.yaml

@@ -21,9 +21,9 @@ jobs:
       fail-fast: false
       matrix:
         otp:
-          - "24.3.4.2-2"
+          - 25.3.2-1
         elixir:
-          - "1.13.4"
+          - 1.14.5
     steps:
       - uses: actions/checkout@v3
         with:
@@ -54,17 +54,17 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
-            FROM=ghcr.io/emqx/emqx-builder/5.0-31:${{ matrix.elixir }}-${{ matrix.otp }}-debian11
+            FROM=ghcr.io/emqx/emqx-builder/5.1-3:${{ matrix.elixir }}-${{ matrix.otp }}-debian11
 
   linux:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         otp:
-          - "24.3.4.2-2"
+          - 25.3.2-1
         elixir:
-          - "1.13.4"
+          - 1.14.5
         quic_support:
           - true
           - false
@@ -73,15 +73,17 @@ jobs:
           - ubuntu20.04
           - ubuntu18.04
           - ubuntu16.04
+          - debian12
           - debian11
           - debian10
           - debian9
           - el9
           - el8
           - el7
           - amzn2
+          - amzn2023
     container:
-      image: ghcr.io/emqx/emqx-builder/5.0-31:${{ matrix.elixir }}-${{ matrix.otp }}-${{ matrix.os }}
+      image: ghcr.io/emqx/emqx-builder/5.1-3:${{ matrix.elixir }}-${{ matrix.otp }}-${{ matrix.os }}
 
     steps:
       - uses: actions/checkout@v3
@@ -106,10 +108,10 @@ jobs:
       fail-fast: false
       matrix:
         macos:
+          - macos-12-arm64
           - macos-12
-          - macos-11
         otp:
-          - "24.3.4.2-2"
+          - 25.3.2-1
 
     runs-on: ${{ matrix.macos }}
 
@@ -131,11 +133,22 @@ jobs:
       - name: build erlang
         if: steps.cache.outputs.cache-hit != 'true'
         timeout-minutes: 60
+        env:
+          OTP: ${{ matrix.otp }}
         run: |
-          kerl build git https://github.com/emqx/otp.git OTP-${{ matrix.otp }} ${{ matrix.otp }}
-          kerl install ${{ matrix.otp }} $HOME/.kerl/${{ matrix.otp }}
+          set -eux
+          if [ ! -d $HOME/.kerl/$OTP ]; then
+            kerl build git https://github.com/emqx/otp.git OTP-$OTP $OTP
+            kerl install $OTP $HOME/.kerl/$OTP
+          fi
       - name: Make
-        shell: bash
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+          APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+          APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
         run: |
           . $HOME/.kerl/${{ matrix.otp }}/activate
           make
@@ -146,7 +159,7 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/') || inputs.publish_release_artifacts
         with:
           name: packages
-          path: ./*.tar.gz
+          path: ./*.zip
 
   release:
     runs-on: ubuntu-latest

Makefile

@@ -1,5 +1,5 @@
 REBAR ?= $(CURDIR)/rebar3
-REBAR_VERSION ?= 3.19.0-emqx-1
+REBAR_VERSION ?= 3.19.0-emqx-5
 
 .PHONY: all
 all: release

rebar.config.script

@@ -11,7 +11,7 @@ IsWin32 = fun() ->
                 win32 =:= element(1, os:type())
           end,
 
-Quicer = {quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.111"}}},
+Quicer = {quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.114"}}},
 
 IsQuicSupp = not (IsCentos6() orelse IsWin32() orelse
                   false =/= os:getenv("BUILD_WITHOUT_QUIC")
@@ -36,6 +36,8 @@ Profiles = {profiles,[ {escript, []}
                                             , {copy, "bin/emqtt_bench","bin/emqtt_bench"}
                                             , {template,"bin/emqtt_bench","bin/emqtt_bench"}
                                             ]}
+                                , {tar_hooks, [ "scripts/macos-sign-binaries.sh",
+                                                "scripts/macos-notarize-package.sh"]}
                                 , {include_src, false}
                                 , {include_erts, true}
                                 , {extended_start_script, false}

scripts/macos-notarize-package.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# intended to run on MacOS only
+if [ $(uname) != 'Darwin' ]; then
+    echo 'Not macOS, exiting';
+    exit 0;
+fi
+
+pushd "${RELX_TEMP_DIR}"
+
+ZIP_PACKAGE_PATH="${1:-${RELX_OUTPUT_DIR}/${RELX_RELEASE_NAME}-${RELX_RELEASE_VSN}.zip}"
+zip -qr "${ZIP_PACKAGE_PATH}" .
+
+popd
+
+if [[ "${APPLE_ID:-0}" == 0 || "${APPLE_ID_PASSWORD:-0}" == 0 || "${APPLE_TEAM_ID:-0}" == 0 ]]; then
+    echo "Apple ID is not configured, skipping notarization."
+    exit 0
+fi
+
+# notarize the package
+# if fails, check what went wrong with this command:
+# xcrun notarytool log \
+    #   --apple-id "${APPLE_ID}" \
+    #   --password "${APPLE_ID_PASSWORD}" \
+    #   --team-id "${APPLE_TEAM_ID}" <submission-id>
+echo 'Submitting the package for notarization to Apple (normally takes about a minute)'
+notarytool_output="$(xcrun notarytool submit \
+                                           --apple-id "${APPLE_ID}" \
+                                           --password "${APPLE_ID_PASSWORD}" \
+                                           --team-id "${APPLE_TEAM_ID}" "${ZIP_PACKAGE_PATH}" \
+                                           --no-progress \
+                                           --wait)"
+echo "$notarytool_output"
+echo "$notarytool_output" | grep -q 'status: Accepted' || {
+    echo 'Notarization failed';
+    exit 1;
+}
+

scripts/macos-sign-binaries.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# intended to run on MacOS only
+# signs runtime libraries found in $RELX_TEMP_DIR
+
+# required variables:
+# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: <company name> (<hex id>)"
+# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format
+# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle
+
+# note: 'bundle' in apple terminology is 'identity'
+
+set -euo pipefail
+
+if [ $(uname) != 'Darwin' ]; then
+    echo 'Not macOS, exiting';
+    exit 0;
+fi
+
+if [[ "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ]]; then
+    echo "Apple developer certificate is not configured, skip signing"
+    exit 0
+fi
+
+PKSC12_FILE="$HOME/developer-id-application.p12"
+base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
+
+KEYCHAIN="emqtt-bench-$(date +%s).keychain-db"
+KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+trap cleanup EXIT
+
+function cleanup {
+    set +e
+    security delete-keychain "${KEYCHAIN}" 2>/dev/null
+}
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security set-keychain-settings "${KEYCHAIN}"
+security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign
+security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}"
+security find-identity -p codesigning "${KEYCHAIN}"
+
+# add new keychain into the search path for codesign, otherwise the stuff does not work
+keychains=$(security list-keychains -d user)
+keychain_names=();
+for keychain in ${keychains}; do
+    basename=$(basename "${keychain}")
+    keychain_name=${basename::${#basename}-4}
+    keychain_names+=("${keychain_name}")
+done
+security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
+
+for f in \
+    asn1rt_nif.so \
+    beam.smp \
+    crypto.so \
+    crypto_callback.so \
+    dyn_erl \
+    epmd \
+    erl \
+    erl_call \
+    erl_child_setup \
+    erlexec \
+    escript \
+    heart \
+    inet_gethost \
+    libquicer_nif.dylib \
+    libquicer_nif.so \
+    otp_test_engine.so \
+    run_erl \
+    to_erl \
+    ; do
+    find "${RELX_TEMP_DIR}" -name "$f" -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime {} \;
+done
+
+cleanup

scripts/rename-package.sh

@@ -10,6 +10,7 @@ case "$UNAME" in
         DIST='macos'
         VERSION_ID="$(sw_vers | grep 'ProductVersion' | cut -d':' -f 2 | cut -d'.' -f1 | tr -d ' \t')"
         SYSTEM="${DIST}${VERSION_ID}"
+        EXT='zip'
         ;;
     Linux)
         # /etc/os-release on amazon linux 2 contains both rhel and centos strings
@@ -24,6 +25,7 @@ case "$UNAME" in
             VERSION_ID="$(sed -n '/^VERSION_ID=/p' /etc/os-release | sed -r 's/VERSION_ID=(.*)/\1/g' | sed 's/"//g')"
         fi
         SYSTEM="$(echo "${DIST}${VERSION_ID}" | sed -r 's/([a-zA-Z]*)-.*/\1/g')"
+        EXT='tar.gz'
         ;;
 esac
 
@@ -47,5 +49,5 @@ else
 fi
 
 VSN="$(grep -E ".+vsn.+" _build/emqtt_bench/lib/emqtt_bench/ebin/emqtt_bench.app | cut -d '"' -f2)"
-BASE=$(find ./_build/emqtt_bench/rel/emqtt_bench -name "*.tar.gz" | tail -1)
-cp "$BASE" "./emqtt-bench-${VSN}-${SYSTEM}-${ARCH}${QUIC}.tar.gz"
+BASE=$(find ./_build/emqtt_bench/rel/emqtt_bench -name "*.${EXT}" | tail -1)
+cp "$BASE" "./emqtt-bench-${VSN}-${SYSTEM}-${ARCH}${QUIC}.${EXT}"