lunny/git-lfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
bbdcbca83a
git-lfs/script/macos/manifest.json

11 lines
168 B
JSON
Raw Normal View History

workflows/release: sign and notarize macOS binaries On macOS, Gatekeeper requires binaries that are signed with a trusted code-signing certificate and notarized by Apple in order for them to run. To ease the burden for Mac users, let's start providing signed binaries. The macOS codesign tool can only read certificates from a keychain. However, setting keychains up to work in a non-interactive way is complex and error prone. We create a target to import the certificates from a PKCS #12 file and pull them into a temporary keychain which has been specially set up to work in CI. This requires multiple complex and poorly documented incantations to work correctly, but it does currently work. These incantations are not to be meant run on a user system because they modify various keychain properties, such as the default keychain, so add a comment to that effect. We sign both the binary and the zip file, since we cannot notarize the binary alone but would like to have a signed binary. Only zip files, pkg files, and disk images can be notarized; this is why we have switched to a zip file for macOS. Note that the notarization process requires a particular developer to submit the binary for notarization using their Apple account. That developer's ID and their app password are specified from the environment and can be read from the secret store. This is so that this can easily be rotated to reflect a new user without needing to involve code changes. Similarly, the cert ID, although not secret, is passed in in a similar way. When we perform the notarization, we do it in a loop, since Apple's servers can sometimes "forget" the fact that we submitted a request and therefore cause gon, the notarization tool we use, to spuriously fail when it checks on the status of our request. We don't use seq to count in our loop because it is not portable to non-Linux systems. Finally, we use "darwin" in the Makefile because everything else in the Makefile already uses that, but we use "MACOS" for secrets for consistency with the GitHub Actions workflow, which uses that. We translate in the workflow file.
2020-04-10 19:39:23 +00:00
{
"apple_id": {
"password": "@env:DARWIN_DEV_PASS"
},
"notarize": {
"path": ["git-lfs"],
"bundle_id": "com.github.git-lfs",
"staple": false
}
}
Reference in New Issue Copy Permalink