From 61426ebcb160dbf6ae0a34ebc09f9e4ec1b9a5f8 Mon Sep 17 00:00:00 2001
From: Jacob Heider
Date: Sun, 12 Feb 2023 02:07:11 -0500
Subject: [PATCH] extract signing action ref https://github.com/teaxyz/cli/issues/376
---
 .github/actions/apple-signing/action.yml | 76 ++++++++++++++++++++++++
 .github/workflows/bottle.yml | 42 +++----------
 2 files changed, 85 insertions(+), 33 deletions(-)
 create mode 100644 .github/actions/apple-signing/action.yml
diff --git a/.github/actions/apple-signing/action.yml b/.github/actions/apple-signing/action.yml
new file mode 100644
index 00000000..f96fbbda
--- /dev/null
+++ b/.github/actions/apple-signing/action.yml
@@ -0,0 +1,76 @@
+name: Apple signing
+description: signs binaries for macOS
+inputs:
+ p12-file-base64:
+ description: Base64 encoded p12 file
+ required: true
+ p12-password:
+ description: Password for p12 file
+ required: true
+ identity:
+ description: Identity to use for signing
+ required: true
+ paths:
+ description: Paths to search for libs/bins sign
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ # Only runs on macOS
+ - name: Check platform
+ shell: sh
+ run: |
+ if [[ "$RUNNER_OS" != "macOS" ]]; then
+ echo "This action only runs on macOS"
+ exit 1
+ fi
+
+ # the next three steps bless our code for Apple. It might be the case they should be
+ # encapulated separately.
+ # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
+ # ago, and we need bugfixes.
+ # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
+ # github has a doc with similar content, but it's not returning to me atm.
+ - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
+ with:
+ p12-file-base64: ${{ inputs.p12-file-base64 }}
+ p12-password: ${{ inputs.p12-password }}
+
+ # Codesign libs and bins
+ - name: Codesign package
+ shell: bash
+ run: |
+ for PATH in $PATHS; do
+ /usr/bin/find $PATH -name '*.so' -or -name '*.dylib' -print0 | \
+ /usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime
+ if test -d $PATH/bin; then
+ /usr/bin/find $PATH/bin -type f -print0 | \
+ /usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime
+ fi
+ done
+ env:
+ PATHS: ${{ inputs.paths }}
+ IDENTITY: ${{ inputs.identity }}
+
+ # This isn't very informative, but even a no-op is safer than none
+ - name: Check codesigning
+ shell: bash
+ run: |
+ for PATH in $PATHS; do
+ LIBS="$(/usr/bin/find $PATH -name '*.so' -or -name '*.dylib')"
+ if test -d $PATH/bin; then
+ BINS="$(/usr/bin/find $PATH/bin -type f)"
+ fi
+ for SIGNED in $LIBS $BINS; do
+ /usr/bin/codesign -vvv --deep --strict "$SIGNED"
+ done
+ done
+ env:
+ PATHS: ${{ inputs.paths }}
+
+ # Needed for self-hosted runner, since it doesn't destroy itself automatically.
+ - name: Delete keychain
+ if: always()
+ shell: bash
+ run: /usr/bin/security delete-keychain signing_temp.keychain
\ No newline at end of file
diff --git a/.github/workflows/bottle.yml b/.github/workflows/bottle.yml
index 1a0fdd46..4c31ad09 100644
--- a/.github/workflows/bottle.yml
+++ b/.github/workflows/bottle.yml
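Review bot: In the "Codesign package" step the find expression `-name '*.so' -or -name '*.dylib' -print0` binds `-print0` only to the `*.dylib` branch (`-and` is implicit and binds tighter than `-or`), so `*.so` files are never handed to `codesign`; the check step's `find` has no explicit action and therefore does list them, which would fail the job on the first unsigned `.so` — the fix is `\( -name '*.so' -or -name '*.dylib' \) -print0` in both places. The "Check codesigning" step then only proves that some valid signature is present: `codesign -vvv --deep --strict` also accepts an ad-hoc signature or one from any other identity in the keychain of the shared self-hosted runner, so pass `identity` into that step and assert it with `-R="anchor apple generic and certificate leaf[subject.CN] = \"$IDENTITY\""` (assuming, as is usual, that the identity string is the certificate's subject CN). Both `run:` scripts also loop with `for PATH in $PATHS`, which replaces the executable search path for the rest of the step — presumably why every tool is spelled `/usr/bin/...` — and the unquoted `$PATH` and `$LIBS $BINS` expansions break on paths containing spaces; renaming the variable to `PKG` and feeding `find -print0` into `xargs -0` fixes both. The platform guard uses `[[ ]]` under `shell: sh`, which on a Linux runner with dash dies with a syntax error instead of the intended message; use `shell: bash` or `[ "$RUNNER_OS" != "macOS" ]`. Note that pinning `import-codesign-certs` to a full commit SHA is the recommended supply-chain hardening; the FIXME's real concern is the action being unmaintained, not the pin form.
```yaml
      # … unchanged: inputs, platform check, import-codesign-certs …
      - name: Codesign package
        shell: bash
        run: |
          for PKG in $PATHS; do
            # parentheses are required: otherwise -print0 applies only to the *.dylib branch
            /usr/bin/find "$PKG" \( -name '*.so' -or -name '*.dylib' \) -print0 | \
              /usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime
            if test -d "$PKG/bin"; then
              /usr/bin/find "$PKG/bin" -type f -print0 | \
                /usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime
            fi
          done
        env:
          PATHS: ${{ inputs.paths }}
          IDENTITY: ${{ inputs.identity }}

      # Verify each artifact is signed by the expected identity, not merely "signed"
      - name: Check codesigning
        shell: bash
        run: |
          for PKG in $PATHS; do
            { /usr/bin/find "$PKG" \( -name '*.so' -or -name '*.dylib' \) -print0
              if test -d "$PKG/bin"; then /usr/bin/find "$PKG/bin" -type f -print0; fi
            } | /usr/bin/xargs -0 -n1 /usr/bin/codesign -vvv --deep --strict \
                  -R="anchor apple generic and certificate leaf[subject.CN] = \"$IDENTITY\""
          done
        env:
          PATHS: ${{ inputs.paths }}
          IDENTITY: ${{ inputs.identity }}
      # … unchanged: Delete keychain …
```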
@@ -77,42 +77,18 @@ jobs:
 echo "$file=$(cat $file)" >>$GITHUB_ENV
 done
- # the next three steps bless our code for Apple. It might be the case they should be
- # encapulated separately.
- # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
- # ago, and we need bugfixes.
- # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
- # github has a doc with similar content, but it's not returning to me atm.
- - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
+ - uses: actions/checkout@v3
 if: startsWith(inputs.platform, 'darwin+')
 with:
- p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
- p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
-
- # Codesign libs and bins
- - name: Codesign package
+ path: pantry
+ repository: teaxyz/pantry.core
+ - uses: ./pantry/.github/actions/apple-signing
 if: startsWith(inputs.platform, 'darwin+')
- run: |
- for PKG in ${{ env.relative-paths }}; do
- find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
- xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
- codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
- done
-
- # This isn't very informative, but even a no-op is safer than none
- - name: Check codesigning
- if: startsWith(inputs.platform, 'darwin+')
- run: |
- for PKG in ${{ env.relative-paths }}; do
- for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
- codesign -vvv --deep --strict "$SIG"
- done
- done
-
- # Needed for self-hosted runner, since it doesn't destroy itself automatically.
- - name: Delete keychain
- if: always() && inputs.platform == 'darwin+aarch64'
- run: security delete-keychain signing_temp.keychain
+ with:
+ p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+ p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+ identity: "Developer ID Application: Tea Inc. (7WV56FL599)"
+ paths: ${{ env.relative-paths}}
 - run: |
 tea +gnupg.org gpg-agent --daemon || true
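Review bot: `paths: ${{ env.relative-paths}}` hands the action the bare relative package names, while the removed script prefixed them with `/opt/` (`find /opt/$PKG …`); unless the job's working directory is `/opt` or `relative-paths` now carries absolute paths, the action's `find` matches nothing, `xargs` runs nothing, its check loop iterates over empty lists, and the job goes green with unsigned binaries. Derive the absolute list in a preceding step, e.g. `- run: echo "absolute-paths=$(printf '/opt/%s ' $RELATIVE)" >> "$GITHUB_ENV"` with `env: { RELATIVE: "${{ env.relative-paths }}" }`, pass `paths: ${{ env.absolute-paths }}`, and consider making the action fail when a listed path does not exist. The `actions/checkout` of `teaxyz/pantry.core` has no `ref:`, so the signing step that receives `APPLE_CERTIFICATE_P12` and its password is whatever sits on that repository's default branch at run time rather than the commit this workflow belongs to; pin it (`ref: ${{ github.sha }}` if this workflow runs inside pantry.core itself, otherwise a tag or full SHA). Add `persist-credentials: false` to the same step as well, since the token that checkout writes into `pantry/.git/config` would otherwise linger on the self-hosted runner between jobs.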