chore(ci): osx arm64 code sign with entitlements and include diag-uti…

…ls (#6147)

Description
Add OSX arm64 entitlements - com.apple.security.cs.allow-jit
Improve code signing for OSX binaries, including randomx diag utils
Move list of binaries processed into single env
Use easier to read env for binaries location
Use runner temp folder over hard coded tmp folder

Motivation and Context
Fix OSX arm64 segfault on randomx blocks
Easier future maintenance 

How Has This Been Tested?
Builds without any errors in local fork

What process can a PR reviewer use to test or verify this change?
---

<!-- Checklist -->
<!-- 1. Is the title of your PR in the form that would make nice release
notes? The title, excluding the conventional commit
tag, will be included exactly as is in the CHANGELOG, so please think
about it carefully. -->


Breaking Changes
---

- [x] None
- [ ] Requires data directory on base node to be deleted
- [ ] Requires hard fork
- [ ] Other - Please specify

<!-- Does this include a breaking change? If so, include this line as a
footer -->
<!-- BREAKING CHANGE: Description what the user should do, e.g. delete a
database, resync the chain -->

.github/workflows/base_node_binaries.yml

@@ -18,8 +18,11 @@ name: Build Matrix of Binaries
 
 env:
   TBN_FILENAME: "tari_suite"
-  TBN_BUNDLE_ID_BASE: "com.tarilabs.pkg"
+  TBN_BUNDLE_ID_BASE: "com.tarilabs"
   TBN_SIG_FN: "sha256-unsigned.txt"
+  ## Must be a JSon string
+  TBN_FILES: '["minotari_node","minotari_console_wallet","minotari_miner","minotari_merge_mining_proxy"]'
+  TARI_NETWORK_DIR: testnet
   toolchain: nightly-2023-06-04
   matrix-json-file: ".github/workflows/base_node_binaries.json"
   CARGO_HTTP_MULTIPLEXING: false
@@ -191,7 +194,7 @@ jobs:
         # if: ${{ startsWith(runner.os,'macOS') && matrix.builds.name == 'macos-arm64' }}
         run: |
           xcrun --show-sdk-path
-          ls -la "/Library/Developer/CommandLineTools/SDKs/"
+          ls -alhtR "/Library/Developer/CommandLineTools/SDKs/"
           echo "RANDOMX_RS_CMAKE_OSX_SYSROOT=/Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk" >> $GITHUB_ENV
 
       - name: Set environment variables - Ubuntu
@@ -266,22 +269,18 @@ jobs:
           echo "BINFILE=${BINFILE}" >> $GITHUB_ENV
           echo "Copying files for ${BINFILE} to $(pwd)"
           echo "MTS_SOURCE=$(pwd)" >> $GITHUB_ENV
-          ls -la "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/"
-          FILES=(
-            "minotari_node"
-            "minotari_console_wallet"
-            "minotari_miner"
-            "minotari_merge_mining_proxy"
-          )
-          for FILE in "${FILES[@]}"; do
+          ls -alhtR "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/"
+          ARRAY_FILES=( $(echo ${TBN_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
+          for FILE in "${ARRAY_FILES[@]}"; do
+            echo "checking for file - ${FILE}${TBN_EXT}"
             if [ -f "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/${FILE}${TBN_EXT}" ]; then
-              cp -v "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/${FILE}${TBN_EXT}" .
+              cp -vf "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/${FILE}${TBN_EXT}" .
             fi
           done
           if [ -f "$GITHUB_WORKSPACE/applications/minotari_node/${PLATFORM_SPECIFIC_DIR}/runtime/start_tor${SHELL_EXT}" ]; then
-            cp -v "$GITHUB_WORKSPACE/applications/minotari_node/${PLATFORM_SPECIFIC_DIR}/runtime/start_tor${SHELL_EXT}" .
+            cp -vf "$GITHUB_WORKSPACE/applications/minotari_node/${PLATFORM_SPECIFIC_DIR}/runtime/start_tor${SHELL_EXT}" .
           fi
-          ls -la ${{ env.MTS_SOURCE }}
+          ls -alhtR ${{ env.MTS_SOURCE }}
 
       - name: Build minotari_node metrics release binary for linux-x86_64
         if: ${{ startsWith(runner.os,'Linux') && ( ! matrix.builds.cross ) && matrix.builds.name == 'linux-x86_64' }}
@@ -292,8 +291,7 @@ jobs:
             --features "${{ matrix.builds.features }}, metrics" \
             --bin minotari_node \
             ${{ matrix.builds.flags }} --locked
-          cp -v "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/minotari_node" "${{ env.MTS_SOURCE }}/minotari_node-metrics"
-          ls -la ${{ env.MTS_SOURCE }}
+          cp -vf "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/minotari_node" "${{ env.MTS_SOURCE }}/minotari_node-metrics"
 
       - name: Pre/unsigned OSX Artifact upload for Archive
         # Debug
@@ -328,22 +326,36 @@ jobs:
           security import application.p12 -k build.keychain -P $MACOS_APPLICATION_PASS -T /usr/bin/codesign
           security import installer.p12 -k build.keychain -P $MACOS_INSTALLER_PASS -T /usr/bin/pkgbuild
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PASS build.keychain
+          if [[ "${{ matrix.builds.name }}" == "macos-arm64" ]]; then
+            echo "Add codesign extra args for ${{ matrix.builds.name }}"
+            OSX_CODESIGN_EXTRAS="--entitlements ${GITHUB_WORKSPACE}/applications/minotari_node/osx-pkg/entitlements.xml"
+          fi
           cd buildtools
           export target_release="target/${{ matrix.builds.target }}/release"
+          mkdir -p "${{ runner.temp }}/osxpkg"
+          export tarball_parent="${{ runner.temp }}/osxpkg"
+          export tarball_source="${{ env.TARI_NETWORK_DIR }}"
           ./create_osx_install_zip.sh unused nozip
-          FILES=(
-            "minotari_node"
-            "minotari_console_wallet"
-            "minotari_miner"
-            "minotari_merge_mining_proxy"
+          ARRAY_FILES=( $(echo ${TBN_FILES} | jq --raw-output '.[]' | awk '{ print $1 }') )
+          find "${GITHUB_WORKSPACE}/${target_release}" \
+            -name "randomx-*" -type f -perm -+x \
+            -exec cp -vf {} "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/" \;
+          FILES_DIAG_UTILS=( \
+            $(find "${GITHUB_WORKSPACE}/${target_release}" \
+                -name "randomx-*" -type f -perm -+x \
+                  -exec sh -c 'echo "$(basename "{}")"' \; \
+              ) \
           )
-          for FILE in "${FILES[@]}"; do
-            codesign --options runtime --force --verify --verbose --timestamp \
+          ARRAY_FILES+=(${FILES_DIAG_UTILS[@]})
+          for FILE in "${ARRAY_FILES[@]}"; do
+            codesign --options runtime --force --verify --verbose --timestamp ${OSX_CODESIGN_EXTRAS} \
+              --prefix "${{ env.TBN_BUNDLE_ID_BASE }}.${{ env.TBN_FILENAME }}." \
               --sign "Developer ID Application: $MACOS_APPLICATION_ID" \
-              "/tmp/tari_testnet/runtime/$FILE"
+              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
             codesign --verify --deep --display --verbose=4 \
-              "/tmp/tari_testnet/runtime/$FILE"
-            cp -vf "/tmp/tari_testnet/runtime/$FILE" "$GITHUB_WORKSPACE${{ env.TBN_DIST }}"
+              "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE"
+            cp -vf "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/runtime/$FILE" \
+              "${{ env.MTS_SOURCE }}"
           done
           distDirPKG=$(mktemp -d -t ${{ env.TBN_FILENAME }})
           echo "${distDirPKG}"
@@ -352,16 +364,16 @@ jobs:
           TBN_BUNDLE_ID_VALID_NAME=$(echo "${TBN_Temp//_/-}")
           # Strip apple-darwin
           TBN_ARCH=$(echo "${${{ matrix.builds.target }}//-apple-darwin/}")
-          pkgbuild --root /tmp/tari_testnet \
-            --identifier "${{ env.TBN_BUNDLE_ID_BASE }}.${TBN_BUNDLE_ID_VALID_NAME}" \
+          pkgbuild --root "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}" \
+            --identifier "${{ env.TBN_BUNDLE_ID_BASE }}.pkg.${TBN_BUNDLE_ID_VALID_NAME}" \
             --version "${TARI_VERSION}" \
             --install-location "/tmp/tari" \
-            --scripts "/tmp/tari_testnet/scripts" \
+            --scripts "${{ runner.temp }}/osxpkg/${{ env.TARI_NETWORK_DIR }}/scripts" \
             --sign "Developer ID Installer: ${MACOS_INSTALLER_ID}" \
             "${distDirPKG}/${{ env.TBN_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg"
           echo -e "Submitting to Apple...\n\n"
           xcrun altool --notarize-app \
-            --primary-bundle-id "${{ env.TBN_BUNDLE_ID_BASE }}.${TBN_BUNDLE_ID_VALID_NAME}" \
+            --primary-bundle-id "${{ env.TBN_BUNDLE_ID_BASE }}.pkg.${TBN_BUNDLE_ID_VALID_NAME}" \
             --username "${MACOS_NOTARIZE_USERNAME}" --password "${MACOS_NOTARIZE_PASSWORD}" \
             --asc-provider "${MACOS_ASC_PROVIDER}" \
             --file "${distDirPKG}/${{ env.TBN_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg" &> notarisation.result
@@ -392,7 +404,6 @@ jobs:
             xcrun stapler staple -v "${distDirPKG}/${{ env.TBN_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg"
           fi
           cd ${distDirPKG}
-          ls -la
           echo "Compute pkg shasum"
           ${SHARUN} "${{ env.TBN_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg" \
             >> "${{ env.TBN_FILENAME }}-${{ matrix.builds.name }}-${{ env.TARI_VERSION }}.pkg.sha256"
@@ -433,7 +444,7 @@ jobs:
         shell: bash
         run: |
           echo "Archive ${{ env.BINFILE }} too ${{ env.BINFILE }}.zip"
-          cd "$GITHUB_WORKSPACE${{ env.TBN_DIST }}"
+          cd "${{ env.MTS_SOURCE }}"
           echo "Compute files shasum"
           ${SHARUN} * >> "${{ env.BINFILE }}.sha256"
           echo "Show the shasum"
@@ -458,11 +469,11 @@ jobs:
         continue-on-error: true
         shell: bash
         run: |
-          mkdir "${{ github.workspace }}${{ env.TBN_DIST }}/diag-utils"
-          cd "${{ github.workspace }}${{ env.TBN_DIST }}/diag-utils"
+          mkdir -p "${{ env.MTS_SOURCE }}-diag-utils"
+          cd "${{ env.MTS_SOURCE }}-diag-utils"
           # Find RandomX built tools for testing
           find "$GITHUB_WORKSPACE/target/${{ matrix.builds.target }}/release/" \
-            -name "randomx-*${{ env.TBN_EXT}}" -type f -perm -+x -exec cp -v {} . \;
+            -name "randomx-*${{ env.TBN_EXT}}" -type f -perm -+x -exec cp -vf {} . \;
           echo "Compute diag utils shasum"
           ${SHARUN} * \
             >> "${{ env.TBN_FILENAME }}_archive-diag-utils-${{ matrix.builds.name }}.sha256"
@@ -482,7 +493,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.TBN_FILENAME }}_archive-diag-utils-${{ matrix.builds.name }}
-          path: "${{ github.workspace }}${{ env.TBN_DIST }}/diag-utils/*.zip*"
+          path: "${{ github.workspace }}${{ env.TBN_DIST }}-diag-utils/*.zip*"
 
   create-release:
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}

.github/workflows/ci.yml

@@ -226,7 +226,7 @@ jobs:
           name: pr_num
           path: ./pr_num.txt
 
-# needed for test results
+  # needed for test results
   event_file:
     name: "Upload Event File for Test Results"
     runs-on: ubuntu-latest

.license.ignore

@@ -1,5 +1,6 @@
 ./applications/minotari_node/assets/tari_banner.rs
 ./applications/minotari_node/assets/tari_logo.rs
+./applications/minotari_node/osx-pkg/entitlements.xml
 ./base_layer/contacts/src/schema.rs
 ./base_layer/key_manager/src/schema.rs
 ./base_layer/p2p/src/dns/roots/tls.rs

applications/minotari_node/osx-pkg/entitlements.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+    </dict>
+</plist>

buildtools/windows_inno_installer.iss

@@ -69,7 +69,7 @@ OutputBaseFilename={#MinotariSuite}-{#MyAppVersion}
 SetupIconFile=.\tari_logo_black.ico
 Compression=lzma
 SolidCompression=yes
-MinVersion=0,6.1
+MinVersion=0,6.1sp1
 VersionInfoCompany=The Tari Developer Community
 VersionInfoProductName=minotari_suite
 InfoAfterFile="..\applications\minotari_node\windows\README.md"