wip: switch to macos, and try notarytool

this hybrid approach aims to allow us to sign using existing legacy secrets on existing macos worker. we replace gon with rcodesign for signing, but do notarization with notarytool from apple
ipfs · Apr 9, 2024 · a89d599 · a89d599
1 parent 900727c
commit a89d599
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 34 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -7,7 +7,6 @@ on:
   pull_request:
     branches:
       - master
-      - fix/osx-notarization
   workflow_dispatch:
     inputs:
       dist_root:
@@ -55,7 +54,7 @@ jobs:
       - run: npm run lint
 
   sign-macos:
-    runs-on: "ubuntu-latest"
+    runs-on: "macos-latest"
     needs: build
     steps:
       - uses: actions/checkout@v4
@@ -67,24 +66,42 @@ jobs:
         continue-on-error: true # skip if no releases
       - name: List ./releases before
         run: ls -Rhl ./releases || echo "No ./releases"
-      - name: Kubo init
-        run: ipfs init --profile test # needed for calculating NEW_CID later
       - name: Set up rcodesign rust tool for OSX code signing and app notarization
         run: |
+          brew install ipfs coreutils gawk gnu-sed jq
           cargo install apple-codesign
-      - name: Decode p12 file
+      - name: Import Keychain Certs
+        uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERTS_P12 }}
+          p12-password: ${{ secrets.APPLE_CERTS_PASS }}
+      - name: Verify identity used for signing
+        run: security find-identity -v
+      - name: Secrets for signing with rcodesign
         run: |
           echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12
           echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs-pass
+      - name: Secrets for notarization with rcodesign (new, wip)
+        if: false
+        run: |
+          # TODO: we dont use this yet, we use notarytool from Apple and run on macOS
+          # because (afaik) rcodesign does not support App-specific password mode
+          # we use for legacy reasons
+          # We will switch to rcodesign once we have to switch mode due to move to new org
           rcodesign encode-app-store-connect-api-key \
             "${{ secrets.APPLE_APIKEY_ISSUER_ID }}" \
             "${{ secrets.APPLE_APIKEY_ID }}" \
             "${{ secrets.APPLE_APIKEY_FILE }}" \
             > ~/.apple-api-key
+      - name: Kubo init
+        run: ipfs init --profile test # needed for calculating NEW_CID in sign-new-macos-releases.sh
       - name: Sign any new releases
         run: ./scripts/ci/sign-new-macos-releases.sh
         env:
           WORK_DIR: ${{ github.workspace }}
+          APPLE_AC_USERNAME: ${{ secrets.APPLE_AC_USERNAME }}
+          APPLE_AC_PASSWORD: ${{ secrets.APPLE_AC_PASSWORD }}
+          APPLE_AC_TEAM_ID: ${{ secrets.APPLE_AC_TEAM_ID }}
       - name: List ./releases after
         run: ls -Rhl ./releases || echo "No ./releases"
       - name: Temporarily save notarized artifacts
@@ -94,9 +111,6 @@ jobs:
           path: releases
           retention-days: 3
         continue-on-error: true # skip if no releases
-    post:
-      - name: Cleanup secrets
-        run: shred -u -z -n 10 ~/.apple-certs.p12 ~/.apple-certs-pass ~/.apple-api-key
 
   persist:
     runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}

diff --git a/scripts/ci/sign-new-macos-releases.sh b/scripts/ci/sign-new-macos-releases.sh
@@ -8,7 +8,7 @@ echo "::group::Unpack any new darwin arm64 and amd64 binaries to ./tmp"
         (! test -d "$NEW_DIR") && continue
         DIST_VERSION=$(basename "$NEW_DIR")
         DIST_NAME=$(basename $(dirname "$NEW_DIR"))
-        DIST_MAC_ARCHS=$(awk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
+        DIST_MAC_ARCHS=$(gawk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
         for arch in $DIST_MAC_ARCHS; do
             echo "-> Unpacking unsigned darwin_${arch}.tar.gz for name='${DIST_NAME}' and version='${DIST_VERSION}' to ./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned/"
             mkdir -p "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned"
@@ -25,7 +25,7 @@ echo "::group::Sign and notarize the mac binaries"
         (! test -d "$NEW_DIR") && continue
         DIST_VERSION=$(basename "$NEW_DIR")
         DIST_NAME=$(basename $(dirname "$NEW_DIR"))
-        DIST_MAC_ARCHS=$(awk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
+        DIST_MAC_ARCHS=$(gawk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
         for arch in $DIST_MAC_ARCHS; do
             # find executable files, and process each one
             find "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned/" -perm /111 -type f -print | while read -r file; do
@@ -40,23 +40,25 @@ echo "::group::Sign and notarize the mac binaries"
 
                 echo "-> Notarizing ${file}"
                 # TODO:  ugh, rcodesign uses different secrets than old tooling, and we can' generate them easily
-                # TODO rcodesign notary-submit --api-key-path ~/.apple-api-key --wait "${file}"
-            done
+                # rcodesign notary-submit --api-key-path ~/.apple-api-key --wait "${file}"
+
+                # Store credentials to disable GUI prompt for password later
+                xcrun notarytool store-credentials "notarytool-profile" \
+                    --apple-id "${APPLE_AC_USERNAME}" --team-id "${APPLE_AC_TEAM_ID}" --password "${APPLE_AC_PASSWORD}"
+
+                # Notarize with Apples notarytool for now (only reason we use macOS runner)
+                xcrun notarytool submit --keychain-profile "notarytool-profile" --wait "${file}"
 
-            echo "{
-                \"source\" : $EXECUTABLES,
-                \"bundle_id\" : \"io.ipfs.dist.${DIST_NAME}\",
-                \"apple_id\": {
-                \"password\":  \"@env:AC_PASSWORD\"
-                },
-                \"sign\" :{
-                \"application_identity\" : \"Developer ID Application: Protocol Labs, Inc. (7Y229E2YRL)\"
-                },
-                \"zip\" :{
-                    \"output_path\" : \"./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed.zip\"
-                }
-            }" | tee | jq > "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-gon.json"
-            # TODO gon -log-level=info -log-json "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-gon.json"
+                # Verify produced blob is a-ok
+                if ! xcrun spctl --assess --type install --context context:primary-signature --ignore-cache --verbose=2 "${file}"; then
+                    echo "error: Signature of ${file} will not be accepted by Apple Gatekeeper!" 1>&2
+                    exit 1
+                fi
+
+                # Move signed binaries to a directory matching .tar.gz structure
+                mkdir -p "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}"
+                mv "${file}" "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}/"
+            done
         done
     done
 echo "::endgroup::"
@@ -70,16 +72,13 @@ echo "::group::Update changed binaries in ./releases"
         (! test -d "$NEW_DIR") && continue
         DIST_VERSION=$(basename "$NEW_DIR")
         DIST_NAME=$(basename $(dirname "$NEW_DIR"))
-        DIST_MAC_ARCHS=$(awk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
+        DIST_MAC_ARCHS=$(gawk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
         for arch in $DIST_MAC_ARCHS; do
             echo "-> Starting the update of darwin_${arch}.tar.gz for name='${DIST_NAME}' and version='${DIST_VERSION}'"
-            # unzip signed binaries to a directory matching .tar.gz structure
             cd "${WORK_DIR}"
             mkdir -p "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}"
             cd "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}/"
-            echo "-> Unpacking gon .zip for ${arch}"
-            unzip "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed.zip"
-            echo "-> Unpacked contents"
+            echo "-> Signed contents"
             ls -Rhl "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/"
             # replace .tar.gz with one that has the same structure, but signed binaries
             PKG_NAME="${DIST_NAME}_${DIST_VERSION}_darwin-${arch}.tar.gz"
@@ -97,15 +96,15 @@ echo "::group::Update changed binaries in ./releases"
             tar -czvf "${WORK_DIR}/releases/${DIST_NAME}/${DIST_VERSION}/$PKG_NAME" -C "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/" "${DIST_NAME}"
             # calculate new hashes
             NEW_CID=$(ipfs add -Qn "$PKG_PATH")
-            NEW_SHA512_LINE=$(sha512sum "$PKG_PATH")
-            NEW_SHA512=$(echo "$NEW_SHA512_LINE" | awk '{ print $1; }')
+            NEW_SHA512_LINE=$(gsha512sum "$PKG_PATH")
+            NEW_SHA512=$(echo "$NEW_SHA512_LINE" | gawk '{ print $1; }')
             echo "-> New $PKG_NAME"
             echo "   new CID:    $NEW_CID"
             echo "   new SHA512: $NEW_SHA512"
             # update metadata to use new hashes
             echo "$NEW_CID" > "${PKG_PATH}.cid"
             echo "$NEW_SHA512_LINE" > "${PKG_PATH}.sha512"
-            sed -i "s/${OLD_CID}/${NEW_CID}/g; s/${OLD_SHA512}/${NEW_SHA512}/g" "${PKG_ROOT}/dist.json"
+            gsed -i "s/${OLD_CID}/${NEW_CID}/g; s/${OLD_SHA512}/${NEW_SHA512}/g" "${PKG_ROOT}/dist.json"
             echo "-> Completed the update of ${arch}.tar.gz for ${DIST_NAME} ${DIST_VERSION}"
         done
     done