From 6f50cb723e30abde02292c6aa9958b585c82f566 Mon Sep 17 00:00:00 2001 From: Jacob Heider Date: Tue, 6 Dec 2022 12:18:20 -0500 Subject: [PATCH] codesigning (#35) * codesign mac bins/libs * test bin * fix codesign checker --- .github/workflows/build.yml | 37 +++++++++++++++++++++++++++++++++++++ projects/go.dev/package.yml | 2 +- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b6eee13c..b526d289 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,6 +91,43 @@ jobs: GITHUB_TOKEN: ${{ github.token }} FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root + # the next three steps bless our code for Apple. It might be the case they should be + # encapulated separately. + # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years + # ago, and we need bugfixes. + # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions + # github has a doc with similar content, but it's not returning to me atm. + - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494 + if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11' + with: + p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} + p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} + + # Codesign libs and bins + - name: Codesign package + if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11' + run: | + for PKG in ${{ steps.build.outputs.relative-paths }}; do + find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \ + xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true + codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true + done + + # This isn't very informative, but even a no-op is safer than none + - name: Check codesigning + if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11' + run: | + for PKG in ${{ steps.build.outputs.relative-paths }}; do + for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do + codesign -vvv --deep --strict "$SIG" + done + done + + # Needed for self-hosted runner, since it doesn't destroy itself automatically. + - name: Delete keychain + if: always() && matrix.tag == 'darwin-aarch64' + run: security delete-keychain signing_temp.keychain + # tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions # /ref https://github.com/actions/upload-artifact/issues/38 - run: diff --git a/projects/go.dev/package.yml b/projects/go.dev/package.yml index a38f631f..e8f21d7c 100644 --- a/projects/go.dev/package.yml +++ b/projects/go.dev/package.yml @@ -1,5 +1,5 @@ distributable: - url: https://go.dev/dl/go{{ version.raw }}.src.tar.gz + url: https://go.dev/dl/go{{version.raw}}.src.tar.gz strip-components: 1 versions: