workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted code-signing certificate and notarized by Apple in order for them to run. To ease the burden for Mac users, let's start providing signed binaries. The macOS codesign tool can only read certificates from a keychain. However, setting keychains up to work in a non-interactive way is complex and error prone. We create a target to import the certificates from a PKCS #12 file and pull them into a temporary keychain which has been specially set up to work in CI. This requires multiple complex and poorly documented incantations to work correctly, but it does currently work. These incantations are not to be meant run on a user system because they modify various keychain properties, such as the default keychain, so add a comment to that effect. We sign both the binary and the zip file, since we cannot notarize the binary alone but would like to have a signed binary. Only zip files, pkg files, and disk images can be notarized; this is why we have switched to a zip file for macOS. Note that the notarization process requires a particular developer to submit the binary for notarization using their Apple account. That developer's ID and their app password are specified from the environment and can be read from the secret store. This is so that this can easily be rotated to reflect a new user without needing to involve code changes. Similarly, the cert ID, although not secret, is passed in in a similar way. When we perform the notarization, we do it in a loop, since Apple's servers can sometimes "forget" the fact that we submitted a request and therefore cause gon, the notarization tool we use, to spuriously fail when it checks on the status of our request. We don't use seq to count in our loop because it is not portable to non-Linux systems. Finally, we use "darwin" in the Makefile because everything else in the Makefile already uses that, but we use "MACOS" for secrets for consistency with the GitHub Actions workflow, which uses that. We translate in the workflow file.
This commit is contained in:
parent
269a41cef7
commit
bfc5304edf
12
.github/workflows/release.yml
vendored
12
.github/workflows/release.yml
vendored
@ -51,7 +51,19 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
- uses: actions/setup-ruby@v1
|
||||
- run: brew install mitchellh/gon/gon
|
||||
- run: make release
|
||||
- run: CERT_FILE="$HOME/cert.p12" make release-write-certificate
|
||||
env:
|
||||
CERT_CONTENTS: ${{secrets.MACOS_CERT_BASE64}}
|
||||
- run: CERT_FILE="$HOME/cert.p12" make release-import-certificate
|
||||
env:
|
||||
CERT_PASS: ${{secrets.MACOS_CERT_PASS}}
|
||||
- run: make release-darwin
|
||||
env:
|
||||
DARWIN_DEV_USER: ${{secrets.MACOS_DEV_USER}}
|
||||
DARWIN_DEV_PASS: ${{secrets.MACOS_DEV_PASS}}
|
||||
DARWIN_CERT_ID: ${{secrets.MACOS_CERT_ID}}
|
||||
- uses: actions/upload-artifact@v1
|
||||
with:
|
||||
name: macos-assets
|
||||
|
51
Makefile
51
Makefile
@ -90,6 +90,13 @@ else
|
||||
CERT_ARGS ?= -sha1 $(CERT_SHA1)
|
||||
endif
|
||||
|
||||
# DARWIN_CERT_ID is a portion of the common name of the signing certificatee.
|
||||
DARWIN_CERT_ID ?=
|
||||
|
||||
# DARWIN_KEYCHAIN_ID is the name of the keychain (with suffix) where the
|
||||
# certificate is located.
|
||||
DARWIN_KEYCHAIN_ID ?= CI.keychain
|
||||
|
||||
# SOURCES is a listing of all .go files in this and child directories, excluding
|
||||
# that in vendor.
|
||||
SOURCES = $(shell find . -type f -name '*.go' | grep -v vendor)
|
||||
@ -341,7 +348,7 @@ release-linux:
|
||||
# release-windows is a target that builds and signs Windows binaries. It must
|
||||
# be run on a Windows machine under Git Bash.
|
||||
#
|
||||
# You may sign with a different certificate by specifying CERT_SHA1.
|
||||
# You may sign with a different certificate by specifying CERT_ID.
|
||||
.PHONY : release-windows
|
||||
release-windows: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
|
||||
|
||||
@ -384,12 +391,54 @@ release-windows-rebuild: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
|
||||
); \
|
||||
status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; exit "$$status"
|
||||
|
||||
# release-darwin is a target that builds and signs Darwin (macOS) binaries. It must
|
||||
# be run on a macOS machine with a suitable version of XCode.
|
||||
#
|
||||
# You may sign with a different certificate by specifying DARWIN_CERT_ID.
|
||||
.PHONY : release-darwin
|
||||
release-darwin: bin/releases/git-lfs-darwin-amd64-$(VERSION).zip
|
||||
for i in $^; do \
|
||||
temp=$$(mktemp -d) && \
|
||||
( \
|
||||
unzip -d "$$temp" $^ && \
|
||||
codesign --keychain $(DARWIN_KEYCHAIN_ID) -s "$(DARWIN_CERT_ID)" --force --timestamp -vvvv --options runtime "$$temp/git-lfs" && \
|
||||
codesign -dvvv "$$temp/git-lfs" && \
|
||||
zip -j $$i "$$temp/git-lfs" && \
|
||||
codesign --keychain $(DARWIN_KEYCHAIN_ID) -s "$(DARWIN_CERT_ID)" --force --timestamp -vvvv --options runtime "$$i" && \
|
||||
codesign -dvvv "$$i" && \
|
||||
jq -e ".notarize.path = \"$$i\" | .apple_id.username = \"$(DARWIN_DEV_USER)\"" script/macos/manifest.json > "$$temp/manifest.json"; \
|
||||
for j in 1 2 3; \
|
||||
do \
|
||||
gon "$$temp/manifest.json" && break; \
|
||||
done; \
|
||||
); \
|
||||
status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; [ "$$status" -eq 0 ] || exit "$$status"; \
|
||||
done
|
||||
|
||||
.PHONY : release-write-certificate
|
||||
release-write-certificate:
|
||||
@echo "Writing certificate to $(CERT_FILE)"
|
||||
@echo "$$CERT_CONTENTS" | base64 --decode >"$$CERT_FILE"
|
||||
@printf 'Wrote %d bytes (SHA256 %s) to certificate file\n' $$(wc -c <"$$CERT_FILE") $$(shasum -ba 256 "$$CERT_FILE" | cut -d' ' -f1)
|
||||
|
||||
# release-import-certificate imports the given certificate into the macOS
|
||||
# keychain "CI". It is not generally recommended to run this on a user system,
|
||||
# since it creates a new keychain and modifies the keychain search path.
|
||||
.PHONY : release-import-certificate
|
||||
release-import-certificate:
|
||||
@[ -n "$(CI)" ] || { echo "Don't run this target by hand." >&2; false; }
|
||||
@echo "Creating CI keychain"
|
||||
security create-keychain -p default CI.keychain
|
||||
security set-keychain-settings CI.keychain
|
||||
security unlock-keychain -p default CI.keychain
|
||||
@echo "Importing certificate from $(CERT_FILE)"
|
||||
@security import "$$CERT_FILE" -f pkcs12 -k CI.keychain -P "$$CERT_PASS" -A
|
||||
@echo "Verifying import and setting permissions"
|
||||
security list-keychains -s CI.keychain
|
||||
security default-keychain -s CI.keychain
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k default CI.keychain
|
||||
security find-identity -vp codesigning CI.keychain
|
||||
|
||||
# TEST_TARGETS is a list of all phony test targets. Each one of them corresponds
|
||||
# to a specific kind or subset of tests to run.
|
||||
TEST_TARGETS := test-bench test-verbose test-race
|
||||
|
10
script/macos/manifest.json
Normal file
10
script/macos/manifest.json
Normal file
@ -0,0 +1,10 @@
|
||||
{
|
||||
"apple_id": {
|
||||
"password": "@env:DARWIN_DEV_PASS"
|
||||
},
|
||||
"notarize": {
|
||||
"path": ["git-lfs"],
|
||||
"bundle_id": "com.github.git-lfs",
|
||||
"staple": false
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user