codesigning (#35)

* codesign mac bins/libs

* test bin

* fix codesign checker
This commit is contained in:
Jacob Heider 2022-12-06 12:18:20 -05:00 committed by GitHub
parent c73c34df95
commit 6f50cb723e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 38 additions and 1 deletions

View file

@ -91,6 +91,43 @@ jobs:
GITHUB_TOKEN: ${{ github.token }}
FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root
# the next three steps bless our code for Apple. It might be the case they should be
# encapulated separately.
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
# ago, and we need bugfixes.
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
# github has a doc with similar content, but it's not returning to me atm.
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11'
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
# Codesign libs and bins
- name: Codesign package
if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11'
run: |
for PKG in ${{ steps.build.outputs.relative-paths }}; do
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
done
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
if: matrix.tag == 'darwin-aarch64' || matrix.os == 'macos-11'
run: |
for PKG in ${{ steps.build.outputs.relative-paths }}; do
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
codesign -vvv --deep --strict "$SIG"
done
done
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always() && matrix.tag == 'darwin-aarch64'
run: security delete-keychain signing_temp.keychain
# tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions
# /ref https://github.com/actions/upload-artifact/issues/38
- run: