Sign and notarize macOS binaries

[ldennington]

Update macOS portion of build-git-installers workflow to add signing and notarization. A few notes reviewers may find helpful:

1. This change removes our dependency on the derrickstolee/git_osx_installer repo by migrating the Makefile and scripts we need into Microsoft Git's .github directory (or a subdirectory, if applicable). The following are notes on each of these files:

   1. .github/Makefile: This file was changed substantially (i.e. TODO comments, unneeded variables, and unneeded tasks were removed). Accordingly, it merits a robust review.
   2. The following files were taken as-is from the git_osx_installer repo and should not require a detailed review:
      • .github/macos-installer/assets/etc/gitconfig.default
      • .github/macos-installer/assets/etc/gitconfig.osxkeychain
      • .github/macos-installer/assets/git-components.plist
      • .github/macos-installer/assets/uninstall.sh
      • .github/macos-installer/assets/scripts/postinstall
      • .github/scripts/symlink-git-hardlinks.rb

2. The ubuntu_build task was updated to also use the signing scripts added for the macOS workflow, allowing for removal of the sign-debian-packages.py script (which had hard-coded Linux values rather than OS-specific values passed as parameters).

3. Compilation of contrib/credential/osxkeychain failed without the small change I made in contrib/credential/osxkeychain/git-credential-osxkeychain.c.

Finally, here is the latest workflow run in my fork testing these changes.

[derrickstolee]

1. This change removes our dependency on the derrickstolee/git_osx_installer repo by migrating the Makefile and scripts we need into Microsoft Git's .github directory (or a subdirectory, if applicable). The following are notes on each of these files:

Love it! Great idea.

[derrickstolee]

Before I approve, do you have an example run of this action so I can see what the signed install flow looks like on macOS?

Edit: Of course, you already supplied a link. Thanks! https://github.com/ldennington/git/actions/runs/2580040902

[derrickstolee]

Hm... I don't know how this happened:

$ git version
git version 2.32.1 (Apple Git-133)
$ which git
/usr/bin/git
$ /usr/local/bin/git
-bash: /usr/local/bin/git: Permission denied
$ ls -al /usr/local/bin/git
-rw-r--r--  1 root  wheel  4301248 Jun 28 21:13 /usr/local/bin/git

So... I've lost execute privileges on the Git binary! So the /usr/local/bin copy is skipped in favor of the Apple-installed one in /usr/bin.

[ldennington]

Hm... I don't know how this happened:

$ git version
git version 2.32.1 (Apple Git-133)
$ which git
/usr/bin/git
$ /usr/local/bin/git
-bash: /usr/local/bin/git: Permission denied
$ ls -al /usr/local/bin/git
-rw-r--r--  1 root  wheel  4301248 Jun 28 21:13 /usr/local/bin/git

So... I've lost execute privileges on the Git binary! So the /usr/local/bin copy is skipped in favor of the Apple-installed one in /usr/bin.

This was a great catch, thank you (and also a good reminder to me that simply making it through the install process is not enough)! I will investigate ASAP.

[ldennington]

@dscho @derrickstolee - I think we are good to go. Here is my latest successful run, and I'm currently running the version of microsoft/git I installed from the .dmg published by that run without issue.

Edit: Now we should be good - had to fix some whitespace and newline issues 😬.

[derrickstolee]

Looking good. Sorry to bother you about it, but could you rebase onto vfs-2.37.1?

[derrickstolee]

Are you working on an upstream fix for this? ;)

[ldennington]

Yes! Today 😆.

[dscho]

Maybe we could add a step that mounts the .dmg, unpacks the .pkg and verifies that its git version works and shows the expected output? That would catch issues similar to the lost executable bit in the future.

[dscho]

Do we have any code to handle core.legacyHeaders at all anymore? I do not see any, it seems that this has been removed in v1.5.3-rc0~218^2...

[ldennington]

I actually removed this file based on your comment here.

[ldennington]

So I don't think we'll need to worry about the legacy headers...apologies if I'm overlooking something though.

[ldennington]

Looking good. Sorry to bother you about it, but could you rebase onto vfs-2.37.1?

Will do - it's no problem.

[ldennington]

Maybe we could add a step that mounts the .dmg, unpacks the .pkg and verifies that its git version works and shows the expected output? That would catch issues similar to the lost executable bit in the future.

I think this is a good idea. However, it seems like we should add this type of validation for all the installers we produce. I've opened a separate work item for this: https://github.com/github/git-fundamentals/issues/965.