extract signing action

ref https://github.com/teaxyz/cli/issues/376
This commit is contained in:
Jacob Heider 2023-02-12 02:07:11 -05:00 committed by Jacob Heider
parent 4ab112c592
commit 61426ebcb1
2 changed files with 85 additions and 33 deletions

View file

@ -0,0 +1,76 @@
name: Apple signing
description: signs binaries for macOS
inputs:
p12-file-base64:
description: Base64 encoded p12 file
required: true
p12-password:
description: Password for p12 file
required: true
identity:
description: Identity to use for signing
required: true
paths:
description: Paths to search for libs/bins sign
required: true
runs:
using: "composite"
steps:
# Only runs on macOS
- name: Check platform
shell: sh
run: |
if [[ "$RUNNER_OS" != "macOS" ]]; then
echo "This action only runs on macOS"
exit 1
fi
# the next three steps bless our code for Apple. It might be the case they should be
# encapulated separately.
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
# ago, and we need bugfixes.
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
# github has a doc with similar content, but it's not returning to me atm.
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
with:
p12-file-base64: ${{ inputs.p12-file-base64 }}
p12-password: ${{ inputs.p12-password }}
# Codesign libs and bins
- name: Codesign package
shell: bash
run: |
for PATH in $PATHS; do
/usr/bin/find $PATH -name '*.so' -or -name '*.dylib' -print0 | \
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime
if test -d $PATH/bin; then
/usr/bin/find $PATH/bin -type f -print0 | \
/usr/bin/xargs -0 /usr/bin/codesign -s "$IDENTITY" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime
fi
done
env:
PATHS: ${{ inputs.paths }}
IDENTITY: ${{ inputs.identity }}
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
shell: bash
run: |
for PATH in $PATHS; do
LIBS="$(/usr/bin/find $PATH -name '*.so' -or -name '*.dylib')"
if test -d $PATH/bin; then
BINS="$(/usr/bin/find $PATH/bin -type f)"
fi
for SIGNED in $LIBS $BINS; do
/usr/bin/codesign -vvv --deep --strict "$SIGNED"
done
done
env:
PATHS: ${{ inputs.paths }}
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always()
shell: bash
run: /usr/bin/security delete-keychain signing_temp.keychain

View file

@ -77,42 +77,18 @@ jobs:
echo "$file=$(cat $file)" >>$GITHUB_ENV echo "$file=$(cat $file)" >>$GITHUB_ENV
done done
# the next three steps bless our code for Apple. It might be the case they should be - uses: actions/checkout@v3
# encapulated separately. if: startsWith(inputs.platform, 'darwin+')
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years with:
# ago, and we need bugfixes. path: pantry
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions repository: teaxyz/pantry.core
# github has a doc with similar content, but it's not returning to me atm. - uses: ./pantry/.github/actions/apple-signing
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
if: startsWith(inputs.platform, 'darwin+') if: startsWith(inputs.platform, 'darwin+')
with: with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
identity: "Developer ID Application: Tea Inc. (7WV56FL599)"
# Codesign libs and bins paths: ${{ env.relative-paths}}
- name: Codesign package
if: startsWith(inputs.platform, 'darwin+')
run: |
for PKG in ${{ env.relative-paths }}; do
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
done
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
if: startsWith(inputs.platform, 'darwin+')
run: |
for PKG in ${{ env.relative-paths }}; do
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
codesign -vvv --deep --strict "$SIG"
done
done
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always() && inputs.platform == 'darwin+aarch64'
run: security delete-keychain signing_temp.keychain
- run: | - run: |
tea +gnupg.org gpg-agent --daemon || true tea +gnupg.org gpg-agent --daemon || true