Merge pull request #31 from github/vdye/sign-macos-artifacts

Add MacOS signing & notarization to release workflow

Author: vdye

.github/workflows/release.yml

@@ -31,16 +31,19 @@ jobs:
             goarch: amd64
             pool: macos-latest
             artifact: _dist/*.pkg
+            environment: release
           - jobname: Create MacOS .pkg (ARM64)
             goarch: arm64
             pool: macos-latest
             artifact: _dist/*.pkg
+            environment: release
           - jobname: Create binary Debian package (x86_64)
             goarch: amd64
             pool: ubuntu-latest
             artifact: _dist/*.deb
     env:
       GOARCH: ${{matrix.jobs.goarch}}
+    environment: ${{matrix.jobs.environment}}
     runs-on: ${{matrix.jobs.pool}}
     steps:
       - name: Setup Go
@@ -53,8 +56,82 @@ jobs:
       - run: gem install asciidoctor
       - name: Clone repository
         uses: actions/checkout@v3
+      - name: Configure MacOS signing
+        if: ${{ matrix.jobs.pool == 'macos-latest' }}
+        env:
+          A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }}
+          A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }}
+          A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }}
+          I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
+          I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }}
+          I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }}
+          N1: ${{ secrets.APPLE_TEAM_ID }}
+          N2: ${{ secrets.APPLE_DEVELOPER_ID }}
+          N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }}
+          N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
+        run: |
+          # Environment configured for signing?
+          if [[ -n "$A1" && -n "$A2" && -n "$A3" && -n "$I1" && -n "$I2" && -n "$I3" ]]
+          then
+            echo "DO_SIGN=1" >> $GITHUB_ENV
+          else
+            echo "::warning::MacOS signing environment is not fully specified. Skipping configuration."
+            exit 0
+          fi
+
+          # Signing
+          echo "Setting up signing certificates"
+          security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
+          security default-keychain -s $RUNNER_TEMP/buildagent.keychain
+          security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
+
+          echo $A1 | base64 -D > $RUNNER_TEMP/cert.p12
+          security import $RUNNER_TEMP/cert.p12 \
+            -k $RUNNER_TEMP/buildagent.keychain \
+            -P $A2 \
+            -T /usr/bin/codesign
+          security set-key-partition-list \
+            -S apple-tool:,apple:,codesign: \
+            -s -k pwd \
+            $RUNNER_TEMP/buildagent.keychain
+
+          echo $I1 | base64 -D > $RUNNER_TEMP/cert.p12
+          security import $RUNNER_TEMP/cert.p12 \
+            -k $RUNNER_TEMP/buildagent.keychain \
+            -P $I2 \
+            -T /usr/bin/productbuild
+          security set-key-partition-list \
+            -S apple-tool:,apple:,productbuild: \
+            -s -k pwd \
+            $RUNNER_TEMP/buildagent.keychain
+
+          # Environment configured for notarization?
+          if [[ -n "$N1" && -n "$N2" && -n "$N3" && -n "$N4" ]]
+          then
+            echo "DO_NOTARIZE=1" >> $GITHUB_ENV
+          else
+            echo "::warning::Successfully configured MacOS signing, but cannot set up notarization. Skipping configuration."
+            exit 0
+          fi
+
+          # Notarizing
+          echo "Setting up notarytool"
+          xcrun notarytool store-credentials \
+            --team-id $N1 \
+            --apple-id $N2 \
+            --password $N3 \
+            "$N4"
       - name: Build the release artifact
-        run: make package VERSION=${{ needs.prereqs.outputs.tag_version }}
+        env:
+          A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }}
+          I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }}
+          N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
+        shell: bash
+        run: |
+          make package VERSION=${{ needs.prereqs.outputs.tag_version }} \
+                       APPLE_APP_IDENTITY="$([[ -n "$DO_SIGN" ]] && echo "$A3" || echo '')" \
+                       APPLE_INST_IDENTITY="$([[ -n "$DO_SIGN" ]] && echo "$I3" || echo '')" \
+                       APPLE_KEYCHAIN_PROFILE="$([[ -n "$DO_NOTARIZE" ]] && echo "$N4" || echo '')"
       - name: Get the release artifact
         shell: bash
         run: |

Makefile

@@ -22,6 +22,11 @@ GOARCH := $(shell go env GOARCH)
 SUPPORTED_PACKAGE_GOARCHES := amd64 arm64
 PACKAGE_ARCH := $(GOARCH)
 
+# Guard against environment variables
+APPLE_APP_IDENTITY =
+APPLE_INST_IDENTITY =
+APPLE_KEYCHAIN_PROFILE =
+
 # Build targets
 .PHONY: build
 build:
@@ -95,7 +100,8 @@ else ifeq ($(GOOS),darwin)
 # Steps:
 #   1. Layout files in _dist/pkg/payload/ as they'll be installed (including
 #      uninstall.sh script).
-#   2. Create the product archive in _dist/.
+#   2. (Optional) Codesign the package contents in place.
+#   3. Create the product archive in _dist/.
 
 # Platform-specific variables
 PKGDIR := $(DISTDIR)/pkg
@@ -110,13 +116,42 @@ $(PKGDIR)/payload: check-arch build doc
 			    --uninstaller="$(CURDIR)/scripts/uninstall.sh" \
 			    --install-root="$(PKGDIR)/payload"
 
+ifdef APPLE_APP_IDENTITY
+.PHONY: codesign
+codesign: $(PKGDIR)/payload
+	@echo
+	@echo "======== Codesigning package contents ========"
+	@build/package/pkg/codesign.sh --payload="$(PKGDIR)/payload" \
+				       --identity="$(APPLE_APP_IDENTITY)" \
+				       --entitlements="$(CURDIR)/build/package/pkg/entitlements.xml"
+
+$(PKG_FILENAME): codesign
+endif
+
 $(PKG_FILENAME): check-version $(PKGDIR)/payload
 	@echo
 	@echo "======== Creating product archive package ========"
 	@build/package/pkg/pack.sh --version="$(VERSION)" \
 				   --payload="$(PKGDIR)/payload" \
+				   --identity="$(APPLE_INST_IDENTITY)" \
 				   --output="$(PKG_FILENAME)"
 
+# Notarization can only happen if the package is fully signed
+ifdef APPLE_APP_IDENTITY
+ifdef APPLE_INST_IDENTITY
+ifdef APPLE_KEYCHAIN_PROFILE
+.PHONY: notarize
+notarize: $(PKG_FILENAME)
+	@echo
+	@echo "======== Notarizing package ========"
+	@build/package/pkg/notarize.sh --package="$(PKG_FILENAME)" \
+				       --keychain-profile="$(APPLE_KEYCHAIN_PROFILE)"
+
+package: notarize
+endif
+endif
+endif
+
 .PHONY: package
 package: $(PKG_FILENAME)
 

build/package/pkg/codesign.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+sign_directory () {
+	(
+	cd $1
+	for f in *
+	do
+		macho=$(file --mime $f | grep mach)
+		# Runtime sign dylibs and Mach-O binaries
+		if [[ $f == *.dylib ]] || [ ! -z "$macho" ];
+		then
+			echo "Runtime Signing $f"
+			codesign -s "$IDENTITY" $f --timestamp --force --options=runtime --entitlements $ENTITLEMENTS_FILE
+		elif [ -d "$f" ];
+		then
+			echo "Signing files in subdirectory $f"
+			sign_directory $f
+
+		else
+			echo "Signing $f"
+			codesign -s "$IDENTITY" $f  --timestamp --force
+		fi
+	done
+	)
+}
+
+for i in "$@"
+do
+case "$i" in
+	--payload=*)
+	SIGN_DIR="${i#*=}"
+	shift # past argument=value
+	;;
+	--identity=*)
+	IDENTITY="${i#*=}"
+	shift # past argument=value
+	;;
+	--entitlements=*)
+	ENTITLEMENTS_FILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$SIGN_DIR" ]; then
+    echo "error: missing directory argument"
+    exit 1
+elif [ -z "$IDENTITY" ]; then
+    echo "error: missing signing identity argument"
+    exit 1
+elif [ -z "$ENTITLEMENTS_FILE" ]; then
+    echo "error: missing entitlements file argument"
+    exit 1
+fi
+
+echo "======== INPUTS ========"
+echo "Directory: $SIGN_DIR"
+echo "Signing identity: $IDENTITY"
+echo "Entitlements: $ENTITLEMENTS_FILE"
+echo "======== END INPUTS ========"
+
+sign_directory "$SIGN_DIR"

build/package/pkg/notarize.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for i in "$@"
+do
+case "$i" in
+	--package=*)
+	PACKAGE="${i#*=}"
+	shift # past argument=value
+	;;
+	--keychain-profile=*)
+	KEYCHAIN_PROFILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$PACKAGE" ]; then
+    echo "error: missing package argument"
+    exit 1
+elif [ -z "$KEYCHAIN_PROFILE" ]; then
+    echo "error: missing keychain profile argument"
+    exit 1
+fi
+
+# Exit as soon as any line fails
+set -e
+
+# Send the notarization request
+xcrun notarytool submit -v "$PACKAGE" -p "$KEYCHAIN_PROFILE" --wait
+
+# Staple the notarization ticket (to allow offline installation)
+xcrun stapler staple -v "$PACKAGE"

build/package/pkg/pack.sh

@@ -11,6 +11,9 @@ THISDIR="$( cd "$(dirname "$0")" ; pwd -P )"
 IDENTIFIER="com.github.gitbundleserver"
 INSTALL_LOCATION="/usr/local/git-bundle-server"
 
+# Defaults
+IDENTITY=
+
 # Parse script arguments
 for i in "$@"
 do
@@ -23,6 +26,10 @@ case "$i" in
 	PAYLOAD="${i#*=}"
 	shift # past argument=value
 	;;
+	--identity=*)
+	IDENTITY="${i#*=}"
+	shift # past argument=value
+	;;
 	--output=*)
 	PKGOUT="${i#*=}"
 	shift # past argument=value
@@ -59,7 +66,7 @@ fi
 mkdir -p "$(dirname "$PKGOUT")"
 
 # Build the component package
-PKGTMP="$PKGOUT.tmp"
+PKGTMP="$PKGOUT.component"
 
 # Remove any unwanted .DS_Store files
 echo "Removing unnecessary files..."
@@ -91,6 +98,7 @@ echo "Building product package..."
 	--package "$PKGTMP" \
 	--identifier "$IDENTIFIER" \
 	--version "$VERSION" \
+	${IDENTITY:+"--sign"} ${IDENTITY:+"$IDENTITY"} \
 	"$PKGOUT"
 
 echo "Product build complete."